
Encrypt everything



Criminal “concern” for victims


Friday, November 3, 2017

Criminals who distribute encryption ransomware are cynical enough to profit from other people's misfortune. Nothing personal, just business. Some of them even set up their own victim-care services and lower the ransom amount, ostensibly out of compassion.

Spora ransomware's authors really care about Spora's reputation, and a special team is apparently working hard to maintain it. In fact, it is safe to say that this encryption ransomware is supported by its own PR team. On the malware's site, visitors are invited to communicate with support engineers in real time.

Dozens of encryption ransomware programs appear on a daily basis. What's the likelihood of encountering "gentle" extortionists?

According to IBM, 70% of companies pay the ransom to regain access to their data.

And only 30% of them actually receive a decryption code.


Cybercriminals launched a new spam campaign to simultaneously spread two ransomware programs—Locky (Trojan.Encoder.3976) and FakeGlobe (Trojan.Encoder.13992). Their emails contained a link and a malicious attachment in the guise of an invoice or a receipt. The attached script is similar to the archived code that is downloaded using the link. However, the scripts use different URLs to download the ransomware. One of them downloads Trojan.Encoder.3976, while the other acquires Trojan.Encoder.13992.

Should users open the malicious link in the email, their systems may first get infected with Trojan.Encoder.3976, and then an hour later Trojan.Encoder.13992 will compromise their machines too.

Because of the alternating infections with Trojan.Encoder.3976 and Trojan.Encoder.13992, victims' files are encrypted several times so they have to pay twice or lose their data.

Doctor Web security researchers have already witnessed incidents in which an encryption ransomware program detected files that had already been encrypted by its predecessor and encrypted them again. Some ransomware programs select the files to encrypt by their extensions; others compromise data by folder. But the extensions that other ransomware programs append to filenames never appear on those white- or blacklists, so the results of someone else's "work" are disregarded. There is no division of labour or mutual help; it is purely business. In this case, the attackers' greed reached a new level.

Now let's get back to the "technical support" being provided by the extortionists. Don't forget that any communications with victims give law enforcement agencies a chance to track down the criminals. That's why any interaction is risky for criminals.

After manipulating the IDs given out by Spora’s owners to victims, researchers were able to get onto their site and learn how victims converse with the site’s operators.

#encryption_ransomware #Trojan #Trojan.Encoder

The Anti-virus Times recommends

A computer can be protected from encryption ransomware, but only if all the necessary security measures are implemented. Those include installing security updates and using an anti-virus.

Machines that have Dr.Web installed and running on them are protected from the ransomware species we mentioned in this issue.

