
SANTA_CRYPT Ransomware

Posted: October 7, 2020

The SANTA_CRYPT Ransomware is a file-locking Trojan that blocks media on Windows systems by encrypting it. Users should recover from any backups, if available, although free decryption solutions also may be possible. Dedicated security and anti-malware products also should stop most infection attempts and remove the SANTA_CRYPT Ransomware from already-compromised PCs.

Santa Comes Collecting Instead of Giving

With so many Ransomware-as-a-Service operations and other Trojan families thriving, users might forget that anyone can program a file-locker Trojan without necessarily needing outside help. A threat actor, possibly Russian, is distributing just such a Trojan, without paying the usual fees to a RaaS or borrowing obvious code from sources like EDA2 or Hidden Tear. The SANTA_CRYPT Ransomware's campaign is just starting, with targets unknown.

Samples available to malware researchers suggest that the SANTA_CRYPT Ransomware uses fake 'TMP' or 'temporary file' extensions to partially hide itself during installation. The Windows Trojan then runs an AES-based data-locking routine (AES being one of the most widely used encryption algorithms) that targets formats like Word DOCs and other media. Like many Trojans of its kind, it appends an extension unique to its campaign onto their names, which visually marks each file for the victim's benefit.

The SANTA_CRYPT Ransomware also creates a text message with phrasing that's not part of previous, known Trojans' campaigns. Although it demands a ransom for unlocking the user's files, it doesn't give details, such as a price, and merely provides an e-mail address. The use of a Russian domain for the current e-mail address (possibly a placeholder) strongly suggests the threat actor's nationality, but does not necessarily limit its victims' demographics.

Sending Evil Santas Back Up the Chimney

The SANTA_CRYPT Ransomware operates on the same procedures and assumptions as most of the file-locking Trojans whose code it eschews, such as the ubiquitous Hidden Tear. Users can effectively protect any files from data encryption by placing backups in secure locations and updating them regularly. Malware experts also note the unusual absence of Shadow Volume Copy or Restore Point deletion. This recovery resource might therefore remain available in SANTA_CRYPT Ransomware infections for users who lack other alternatives.
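If the snapshots really are intact, a file can be pulled back from the newest one by hand. The following PowerShell is an added example, not code from the original article or from the Trojan's samples; it assumes an elevated session on the affected host, that the file lives on drive C:, and a constructed placeholder file path.

```powershell
# Added example (not from the original post): recover one file from the most recent
# Volume Shadow Copy of C:. Only useful when the Trojan left the snapshots alone,
# as the article observes for SANTA_CRYPT. Run from an elevated PowerShell session.
param(
    # Placeholder, constructed for the example: the encrypted file's live path on C:
    [string]$EncryptedPath = 'C:\Users\victim\Documents\report.docx'
)

# Resolve the volume GUID path for C: so only snapshots of that volume are considered
$vol = (Get-CimInstance -ClassName Win32_Volume -Filter "DriveLetter='C:'").DeviceID
$shadows = Get-CimInstance -ClassName Win32_ShadowCopy | Where-Object VolumeName -eq $vol
if (-not $shadows) { Write-Host 'No shadow copies of C: are present'; exit 1 }

# Newest snapshot first; pick one taken before the infection if several exist
$latest = $shadows | Sort-Object InstallDate -Descending | Select-Object -First 1
Write-Host "Using shadow copy $($latest.ID) taken $($latest.InstallDate)"

# Expose the snapshot through a directory symlink. The DeviceObject value looks like
# \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN and needs a trailing backslash.
$mount = 'C:\shadow_mount'
if (Test-Path $mount) { (Get-Item $mount).Delete() }
cmd /c mklink /d $mount "$($latest.DeviceObject)\" | Out-Null

# Map the live path onto the snapshot and copy the pre-encryption version back,
# keeping the encrypted original untouched in case it is needed for analysis.
$relative = $EncryptedPath.Substring(3)   # strip the leading 'C:\'
$source = Join-Path $mount $relative
if (Test-Path $source) {
    Copy-Item -Path $source -Destination ($EncryptedPath + '.recovered')
    Write-Host "Recovered copy written to $EncryptedPath.recovered"
} else {
    Write-Host 'File is not present in that snapshot'
}

# Remove the symlink only; the snapshot itself is left in place
(Get-Item $mount).Delete()
```

Verify the recovered copy opens cleanly before deleting anything, since a snapshot taken after encryption began will contain the locked version instead.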

Because encryption routines from Trojans like the SANTA_CRYPT Ransomware tend to be irreversible, users should strive to avoid infections. Windows users can protect their networks and servers by using strong passwords that prevent brute-force attacks from hijacking their accounts. The SANTA_CRYPT Ransomware's campaign also may target home users by circulating as torrents, such as game cracks or popular movies. E-mail-based phishing lures are also a possibility, more typically against enterprise-grade entities or government offices.

Credible brands of anti-malware products are detecting these new samples of the SANTA_CRYPT Ransomware, in most instances classifying them as generic Trojans. Users with such protection can prevent attacks or, in a worst-case scenario, easily remove the SANTA_CRYPT Ransomware after one.

Besides favoring Windows users, there's no telling where the SANTA_CRYPT Ransomware will go from the start of its campaign. As an independent Trojan, it's not beholden to the mores of the threat landscape, and could wind up on the drive of any user – hopefully, one with a backup already prepared.
