CommandLine Ransomware
Posted: October 27, 2016
Threat Metric
The following fields listed on the Threat Meter, each containing a specific value, are explained in detail below:
Threat Level: The threat level scale goes from 1 to 10 where 10 is the highest level of severity and 1 is the lowest level of severity. Each specific level is relative to the threat's consistent assessed behaviors collected from SpyHunter's risk assessment model.
Detection Count: The collective number of confirmed and suspected cases of a particular malware threat. The detection count is calculated from infected PCs retrieved from diagnostic and scan log reports generated by SpyHunter.
Volume Count: Similar to the detection count, the Volume Count is specifically based on the number of confirmed and suspected threats infecting systems on a daily basis. High volume counts usually represent a popular threat but may or may not have infected a large number of systems. High detection count threats could lay dormant and have a low volume count. Criteria for Volume Count is relative to a daily detection count.
Trend Path: The Trend Path, utilizing an up arrow, down arrow or equal symbol, represents the level of recent movement of a particular threat. Up arrows represent an increase, down arrows represent a decline and the equal symbol represents no change to a threat's recent movement.
% Impact (Last 7 Days): This demonstrates a 7-day period change in the frequency of a malware threat infecting PCs. The percentage impact correlates directly to the current Trend Path to determine a rise or decline in the percentage.
| Field | Value |
|---|---|
| Threat Level | 10/10 |
| Infected PCs | 53 |
| First Seen | October 27, 2016 |
| OS(es) Affected | Windows |
The CommandLine Ransomware is a Trojan that may encrypt, delete or overwrite files matching its targeted formats, as well as cause other forms of damage to your hard drive. While malware researchers have yet to see the CommandLine Ransomware in deployment against live targets, it includes the essential functions necessary to block data and hold it for ransom, like similar threats. They recommend protecting your data with backups and using anti-malware tools for removing the CommandLine Ransomware before its encryption scan completes.
Trojans Hearkening Back to Operating Systems of Yore
Once an essential part of any PC owner's toolkit, familiarity with the Windows command prompt, cmd.exe, has languished as Windows's visual UI evolved. However, the command line remains a potentially powerful and flexible tool, and even threat authors remember this fact, as evidenced by the latest samples of the CommandLine Ransomware. This threat, first spotted by a member of GData's malware analysis team, delivers most of the features of file-encrypting Trojans, all through command-line arguments.
The CommandLine Ransomware, like other CMD-based utilities, uses a text interface, allowing a remote attacker to type commands that the CommandLine Ransomware then uses to determine how it attacks the infected PC's file system. Besides encrypting data, the CommandLine Ransomware also may delete it, overwrite it with an encrypted equivalent or rename it (either before or after the encoding takes place). Like most threats of its kind, the CommandLine Ransomware also can delete local backups kept by Windows and stop a victim from restoring the content without decrypting it. Effectively, the Trojan barricades the encoded data until the remote attacker sends a decryption argument.
Perhaps due to its unusual interface choice, malware analysts can only confirm the CommandLine Ransomware targeting three data types: Word documents, JPG images and Hanword documents. The latter, as a format associated with the Korean character set, offers potential insight into the origins of the CommandLine Ransomware's developer or the intended geographical scope of its campaign. The Trojan also may force system crashes or damage the Master Boot Record, which potentially can stop Windows from restarting.
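As an added example (not code from this write-up or from any vendor), the following Python scans constructed process-creation log lines for the "delete local backups kept by Windows" behaviour described above. The sample events, field names and file paths are assumptions, and the patterns are generic Windows shadow-copy deletion commands, not the Trojan's own arguments; a benign `vssadmin list shadows` is deliberately included to show it is not flagged.

```python
import re

# Constructed sample process-creation events in a Sysmon-like key=value layout.
# These are illustrative, not telemetry captured from the CommandLine Ransomware.
SAMPLE_EVENTS = [
    'UtcTime=2016-10-27 09:12:01 Image=C:\\Windows\\System32\\cmd.exe '
    'ParentImage=C:\\Users\\a\\file.exe '
    'CommandLine=cmd.exe /c vssadmin delete shadows /all /quiet',
    'UtcTime=2016-10-27 09:12:03 Image=C:\\Windows\\System32\\wbem\\WMIC.exe '
    'ParentImage=C:\\Windows\\System32\\cmd.exe CommandLine=wmic shadowcopy delete',
    'UtcTime=2016-10-27 09:15:44 Image=C:\\Windows\\System32\\cmd.exe '
    'ParentImage=C:\\Windows\\explorer.exe CommandLine=cmd.exe /c dir C:\\Users\\a\\Documents',
    'UtcTime=2016-10-27 09:16:10 Image=C:\\Windows\\System32\\vssadmin.exe '
    'ParentImage=C:\\Windows\\System32\\cmd.exe CommandLine=vssadmin list shadows',
]

# Command-line patterns that remove Volume Shadow Copies (the local backups
# Windows keeps). Listing shadows is routine administration and is not matched.
BACKUP_DELETION_RULES = [
    (re.compile(r'\bvssadmin(\.exe)?\s+delete\s+shadows\b', re.I), 'vssadmin delete shadows'),
    (re.compile(r'\bwmic(\.exe)?\s+shadowcopy\s+delete\b', re.I), 'wmic shadowcopy delete'),
]

# key=value pairs; a value runs until the next " key=" token, so the
# CommandLine field may contain spaces.
FIELD_RE = re.compile(r'(\w+)=(.*?)(?=\s+\w+=|$)')


def parse_event(line):
    """Return the event's fields as a dict (assumed key=value format)."""
    return {key: value for key, value in FIELD_RE.findall(line)}


def flag_backup_deletion(lines):
    """Return (UtcTime, ParentImage, rule name) for each event matching a rule."""
    hits = []
    for line in lines:
        event = parse_event(line)
        command = event.get('CommandLine', '')
        for pattern, rule_name in BACKUP_DELETION_RULES:
            if pattern.search(command):
                hits.append((event.get('UtcTime'), event.get('ParentImage'), rule_name))
    return hits


if __name__ == '__main__':
    for when, parent, rule in flag_backup_deletion(SAMPLE_EVENTS):
        print(f'{when}  {rule:<25}  spawned under {parent}')
```

The parent image is reported alongside each hit because a shadow-copy deletion launched from an executable in a user profile, as in the first sample event, is a stronger signal than the same command issued by an administrator's own shell.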
Taking Command of Your PC Before a Korean Trojan Does It for You
In comparison to other file encryptor Trojans of the year, the CommandLine Ransomware is something of an oddity. Its command-line interface, while still potent, makes it less attractive for rental to third-party threat actors. While it may only be a proof-of-concept program, its features do include threatening functions that could cause permanent damage to the hard drive or operating system. However, current versions of the CommandLine Ransomware lack any built-in means of delivering extortion messages or ransom notes, such as hijacking the desktop's background image.
Until malware researchers excavate more evidence about the CommandLine Ransomware and any potential attack campaigns deploying it, PC owners can continue to keep their saved information protected via the usual methods. Use backups not stored on the local hard drive where the CommandLine Ransomware or similar Trojans could delete them. Avoid known infection vectors, such as e-mail attachments disguising themselves as financial documents. Maintain active anti-malware solutions that can detect or remove the CommandLine Ransomware before its threat actor can issue any encryption commands.
As far as innovation in threats is concerned, even going backward, sometimes, is going forwards. If nothing else, it provides new Trojans like the CommandLine Ransomware with a degree of unpredictability.
Technical Details
File System Modifications
The following files were created in the system:

File name: file.exe
Size: 220.16 KB (220160 bytes)
MD5: 54bed8d032d30df7a066dcb5970f8dfa
Detection count: 8
File type: Executable File
Mime Type: unknown/exe
Group: Malware file
Last Updated: October 27, 2016