Threat Database > Ransomware

By GoldSparrow in Ransomware

Threat Scorecard

Ranking: 7,570
Threat Level: 80 % (High)
Infected Computers: 8,639
First Seen: October 27, 2017
Last Seen: July 25, 2023
OS(es) Affected: Windows

The Ransomware is a file-locking Trojan that takes the victim's files hostage. Most encryption ransomware Trojans implement the locking step themselves: they encrypt each file with a strong cipher and then demand a ransom in exchange for the decryption key. The Ransomware differs in implementation rather than in goal. Instead of encrypting files with its own code, it packages the victim's files into a password-protected archive and relies on the archiver's built-in protection to keep them out of reach. Note that a password-protected archive is still encrypted (7-Zip protects 7z archives with AES-256 and ZIP archives with either AES or the legacy ZipCrypto scheme), so the difference is who implements the cryptography, not whether it happens. This is not a new attack method and has been observed previously in other ransomware Trojans, but it is far less common than ransomware that carries its own AES or similar encryption routine.

Detailing the Way the Ransomware Compromises Your Files

The Ransomware does not implement encryption on its own. Instead it uses 7-Zip, an open-source program for creating and reading archive files, to pack the victim's files into an archive that is protected by a password. PC security researchers have seen this approach before, for example in RarVault, which packs the victim's files into a password-protected RAR file. The Ransomware is typically delivered through corrupted spam email attachments: documents carrying macro scripts that download and install the Ransomware when the macros run. Victims who click through the security warnings these macro scripts trigger, including the User Account Control prompt, may end up installing the Ransomware or other threats on their computers.

How the Ransomware Carries Out Its Attack

Once the Ransomware is installed on the victim's computer, it scans the victim's drives and builds a list of files to target, typically looking for user-generated data such as images, databases, documents, audio and many others. File types that are commonly targeted in encryption ransomware attacks include:

.3gp, .7z, .apk, .avi, .bmp, .cdr, .cer, .chm, .conf, .css, .csv, .dat, .db, .dbf, .djvu, .dbx, .docm, .doc, .epub, .docx, .fb2, .flv, .gif, .gz, .iso, .ibooks, .jpeg, .jpg, .key, .mdb, .md2, .mdf, .mht, .mobi, .mhtm, .mkv, .mov, .mp3, .mp4, .mpg, .mpeg, .pict, .pdf, .pps, .pkg, .png, .ppt, .pptx, .ppsx, .psd, .rar, .rtf, .scr, .swf, .sav, .tiff, .tif, .tbl, .torrent, .txt, .vsd, .wmv, .xls, .xlsx, .xps, .xml, .ckp, .zip, .java, .py, .asm, .c, .cpp, .cs, .js, .php, .dacpac, .rbw, .rb, .mrg, .dcx, .db3, .sql, .sqlite3, .sqlite, .sqlitedb, .psp, .pdb, .dxf, .dwg, .drw, .casb, .ccp, .cal, .cmx, .cr2.

After building this list, the Ransomware packs the targeted files into a password-protected archive. Malware researchers have not determined any details about the password. It may be a single master password shared by all instances of the Ransomware, but the 64-character hexadecimal code that the ransom note asks the victim to send back looks like a per-victim identifier, so a password derived per victim cannot be ruled out. The Ransomware delivers its ransom note in a single text file named 'Unzip your ZIP files.txt,' placing a copy in every folder where the victim's data was packed. This text file contains the following message:

'Your files have been compressed!
To recover them, you need a security key.
If you're really interested in their recovery, please submit your code for reference: [redacted 64 hex] zip
For the email:
Your contact will be responded to as soon as possible, and if necessary offered a recovery guarantee.'
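The archiving behaviour described above leaves a distinctive footprint: a ransom note in every affected folder and archives whose entries carry the ZIP "encrypted" flag. The following triage script is an added example for this page, not the vendor's or the malware's code. It assumes the ransom note name quoted above and assumes the archives are ZIP files (the note says "Unzip your ZIP files"); it does not know which protection scheme this Ransomware configures in 7-Zip, so it reports that per archive, because recovery prospects differ: the legacy ZipCrypto scheme is breakable with a known-plaintext attack, WinZip-style AES is not. The sample archives are constructed in memory with only their headers patched to look locked, since Python's zipfile cannot write encrypted archives.

```python
import io
import struct
import tempfile
import zipfile
from pathlib import Path

RANSOM_NOTE_NAME = "Unzip your ZIP files.txt"   # note name reported on the page
FLAG_ENCRYPTED = 0x0001      # general-purpose flag bit 0: entry is encrypted
METHOD_WINZIP_AES = 99       # compression method 99: WinZip-style AES (AE-x)
AES_EXTRA_ID = 0x9901        # AE-x extra-field record carrying the AES strength


def _has_aes_extra(extra: bytes) -> bool:
    """Walk the entry's extra-field records looking for the AE-x AES record."""
    pos = 0
    while pos + 4 <= len(extra):
        rec_id, size = struct.unpack_from("<HH", extra, pos)
        if rec_id == AES_EXTRA_ID:
            return True
        pos += 4 + size
    return False


def classify_zip(data: bytes) -> dict:
    """Say whether a ZIP is locked and which protection scheme its entries use.
    ZipCrypto (legacy PKWARE stream cipher) is breakable with known plaintext; AES is not."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        schemes = []
        for zi in zf.infolist():
            if not zi.flag_bits & FLAG_ENCRYPTED:
                schemes.append("none")
            elif zi.compress_type == METHOD_WINZIP_AES or _has_aes_extra(zi.extra):
                schemes.append("aes")
            else:
                schemes.append("zipcrypto")
        readable = False
        if zf.namelist():
            try:                      # zipfile refuses encrypted entries without a password
                zf.read(zf.namelist()[0])
                readable = True
            except RuntimeError:
                pass
    locked = bool(schemes) and "none" not in schemes
    return {"locked": locked, "readable": readable, "schemes": sorted(set(schemes))}


def make_zip(files: dict, encrypted: bool = True, aes: bool = False) -> bytes:
    """Constructed fixture: a ZIP whose headers claim every entry is encrypted.
    The payload stays in the clear; only the local and central headers are patched,
    so a header-level scanner sees what 7-Zip's -p switch would produce."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, content in files.items():
            zf.writestr(name, content)
    raw = bytearray(buf.getvalue())
    if not encrypted:
        return bytes(raw)
    # local header: flags at +6, method at +8; central header: flags at +8, method at +10
    for sig, flag_off, method_off in ((b"PK\x03\x04", 6, 8), (b"PK\x01\x02", 8, 10)):
        pos = raw.find(sig)
        while pos != -1:
            (flags,) = struct.unpack_from("<H", raw, pos + flag_off)
            struct.pack_into("<H", raw, pos + flag_off, flags | FLAG_ENCRYPTED)
            if aes:
                struct.pack_into("<H", raw, pos + method_off, METHOD_WINZIP_AES)
            pos = raw.find(sig, pos + 4)
    return bytes(raw)


def triage_tree(root: Path) -> dict:
    """Count folders holding the ransom note and classify every ZIP under root."""
    note_dirs, archives = set(), {}
    for path in root.rglob("*"):
        if path.name == RANSOM_NOTE_NAME:
            note_dirs.add(path.parent)
        elif path.is_file() and path.suffix.lower() == ".zip":
            key = path.relative_to(root).as_posix()
            try:
                archives[key] = classify_zip(path.read_bytes())
            except zipfile.BadZipFile:
                archives[key] = {"error": "not a ZIP archive"}
    return {"note_dirs": len(note_dirs), "archives": archives}


def build_demo_tree() -> Path:
    """Constructed victim tree: two folders with the note and a locked archive each,
    plus one untouched archive for contrast."""
    root = Path(tempfile.mkdtemp(prefix="zipransom-"))
    for folder in ("Documents", "Pictures"):
        (root / folder).mkdir()
        (root / folder / RANSOM_NOTE_NAME).write_text("Your files have been compressed!\n")
    (root / "Documents" / "report.docx.zip").write_bytes(make_zip({"report.docx": b"x" * 64}))
    (root / "Pictures" / "holiday.jpg.zip").write_bytes(make_zip({"holiday.jpg": b"y" * 64}, aes=True))
    (root / "clean.zip").write_bytes(make_zip({"notes.txt": b"nothing to see"}, encrypted=False))
    return root


if __name__ == "__main__":
    print(triage_tree(build_demo_tree()))
```

On a real system, point `triage_tree` at the user profile root; the `schemes` value is the first thing to record, because an archive reporting `zipcrypto` may be recoverable from a known-plaintext sample (a copy of one of the packed files from email or a backup) without the attackers' password, while `aes` leaves only the password or a backup.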

Dealing with the Ransomware

Unfortunately, the Ransomware deletes the Volume Shadow Copies and other data that could otherwise be used to recover the affected files, so the damage cannot be undone by rolling back to a local snapshot. The best defense against the Ransomware is therefore a backup in the cloud or on an external device that the infected machine cannot reach and overwrite. Whether anything short of the password can open the archive depends on which protection scheme 7-Zip was instructed to use, and that is worth establishing before giving up on the files. As more attacks are analyzed, a password that helps computer users recover from the Ransomware may be released, but for now victims cannot access the archive and are advised to restore their files from a backup copy.
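Because the attack relies on two ordinary Windows tools behaving abnormally, the shadow-copy deletion described above and an archiver adding user files with a password, both steps show up in process-creation telemetry. The detection logic below is an added example, not part of this page or any vendor's product. It assumes Sysmon-style event fields (Image, CommandLine, ParentImage); the shadow-copy command lines it matches are the usual tooling for destroying recovery data and are assumed rather than taken from this Ransomware; the sample events are constructed, not captured telemetry.

```python
import re

ARCHIVERS = {"7z.exe", "7za.exe", "7zr.exe", "7zg.exe", "rar.exe", "winrar.exe"}
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Regexes run over the lower-cased command line. These are the common ways of
# destroying Volume Shadow Copies and recovery data (assumed, not from the page).
SHADOW_RULES = [
    (r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b", "vssadmin delete shadows"),
    (r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", "wmic shadowcopy delete"),
    (r"\bwin32_shadowcopy\b.*\bdelete\b", "WMI Win32_ShadowCopy delete"),
    (r"\bwbadmin(\.exe)?\b.*\bdelete\s+catalog\b", "wbadmin delete catalog"),
    (r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b", "bcdedit recoveryenabled no"),
]
PASSWORD_SWITCH = re.compile(r"^-(hp|p)\S")   # 7-Zip -p<pwd>; RAR -p<pwd> or -hp<pwd>


def _basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def _tokens(cmd: str) -> list:
    """Split a Windows command line on whitespace, keeping "quoted paths" whole."""
    return re.findall(r'"[^"]*"|\S+', cmd)


def detect(event: dict) -> list:
    """Return alerts for one process-creation event (Sysmon EID 1 style fields)."""
    alerts = []
    cmd = event.get("CommandLine", "")
    for pattern, label in SHADOW_RULES:
        if re.search(pattern, cmd.lower()):
            alerts.append({"rule": "shadow_copy_tampering", "detail": label, "severity": "high"})
    image = _basename(event.get("Image", ""))
    toks = _tokens(cmd)
    # Archiver adding ("a") files with a password switch; a bare "-p" only prompts interactively.
    if image in ARCHIVERS and len(toks) > 2 and toks[1].lower() == "a":
        if any(PASSWORD_SWITCH.match(t) for t in toks[2:]):
            parent = _basename(event.get("ParentImage", ""))
            alerts.append({
                "rule": "archiver_password_protect",
                "detail": f"{image} a with password switch, parent={parent or 'unknown'}",
                # an Office parent matches the macro-based delivery described on the page
                "severity": "high" if parent in OFFICE_APPS else "medium",
            })
    return alerts


# Constructed sample events (not real telemetry): three attack steps, two benign look-alikes.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin.exe delete shadows /all /quiet",
     "ParentImage": r"C:\Users\alice\AppData\Local\Temp\svc.exe"},
    {"Image": r"C:\Program Files\7-Zip\7z.exe",
     "CommandLine": r'"C:\Program Files\7-Zip\7z.exe" a -tzip -pS3cret! C:\Users\alice\Documents\report.docx.zip C:\Users\alice\Documents\report.docx',
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"Image": r"C:\Program Files\7-Zip\7z.exe",
     "CommandLine": r'"C:\Program Files\7-Zip\7z.exe" x C:\Users\alice\Downloads\tool.zip',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin list shadows",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -c \"Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_.Delete() }\"",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
]


def run_samples() -> dict:
    """Map each sample index to the rule names it fires."""
    return {i: [a["rule"] for a in detect(e)] for i, e in enumerate(SAMPLE_EVENTS)}


if __name__ == "__main__":
    for i, e in enumerate(SAMPLE_EVENTS):
        print(i, detect(e))
```

The archiver rule is deliberately narrow (add command plus a password switch) so that ordinary extraction and unprotected archiving do not alert; the parent-process check is what separates a user zipping a folder from a macro-launched archiver, and in a SIEM both rules firing on the same host within minutes is the signal to isolate it.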

