UpdateHost Ransomware
Posted: February 9, 2017
Threat Metric
The following fields listed on the Threat Meter containing a specific value, are explained in detail below:
Threat Level: The threat level scale goes from 1 to 10 where 10 is the highest level of severity and 1 is the lowest level of severity. Each specific level is relative to the threat's consistent assessed behaviors collected from SpyHunter's risk assessment model.
Detection Count: The collective number of confirmed and suspected cases of a particular malware threat. The detection count is calculated from infected PCs retrieved from diagnostic and scan log reports generated by SpyHunter.
Volume Count: Similar to the detection count, the Volume Count is specifically based on the number of confirmed and suspected threats infecting systems on a daily basis. High volume counts usually represent a popular threat but may or may not have infected a large number of systems. High detection count threats could lay dormant and have a low volume count. Criteria for Volume Count is relative to a daily detection count.
Trend Path: The Trend Path, utilizing an up arrow, down arrow or equal symbol, represents the level of recent movement of a particular threat. Up arrows represent an increase, down arrows represent a decline and the equal symbol represent no change to a threat's recent movement.
% Impact (Last 7 Days): This demonstrates a 7-day period change in the frequency of a malware threat infecting PCs. The percentage impact correlates directly to the current Trend Path to determine a rise or decline in the percentage.
| Threat Level: | 10/10 |
|---|---|
| Infected PCs: | 461 |
| First Seen: | February 9, 2017 |
|---|---|
| Last Seen: | May 3, 2023 |
| OS(es) Affected: | Windows |
The UpdateHost Ransomware is a new version of Hidden Tear, an ex-open-source Trojan that can lock your files through encryption-based ciphers, which con artists exploit for ransoming money from the victims. Because they may or may not give you any decryption assistance, paying any fees they demand is a sub-optimal response that you should eschew in preference for enacting responsible backup strategies. Because of this threat's basis on a set of thoroughly-analyzed code, most anti-malware products can identify and remove the UpdateHost Ransomware on sight.
New Reasons for Tears Coming out of Hiding
Two months into the new year, Hidden Tear already is proving its worth to less talented threat actors by being the foundation for the attack campaigns of threats like the SkyName Ransomware, the MafiaWare Ransomware, the Hidden-Peach Ransomware, and the newest of its relatives, the UpdateHost Ransomware. Based on its file data, the Trojan seems to be distributing itself while disguising as a component of Windows, possibly as an update or patch. Information about its intended targets is limited, although malware experts find that the UpdateHost Ransomware doesn't conform to the standards of file-encrypting Trojans meant for sabotaging commercial or industrial targets.
The UpdateHost Ransomware modifies some essential Windows files, including the Kernel Security Driver, to assist its installation and long-term persistence on the PC. When done, it scans your drives for files fitting the list of formats its threat actors consider worth encrypting (and, consequently, locking out of opening): compressed archives, pictures, documents, and a handful of other, equally common data types. Each locked file is identifiable from the '.locked' extension that the UpdateHost Ransomware places at the end of their names.
One of the UpdateHost Ransomware's last actions creates a Notepad message for the victim to read, containing an English text that malware experts have yet to link to other Trojan campaigns. The instructions ask for the Bitcoin currency to restore your files, but leave the exact amount of the ransom undetermined, possibly to let the threat actor negotiate an optimal price. The additional presence of some Cyrillic characters also may be the evidence of a link between this Trojan or its author to Russia or nearby nations.
Making Sure a Trojan's Update is an Outdated Problem
Decryption solutions for Hidden Tear-based threats do exist without requiring transferring money to con artists, which is, inherently, a high-risk solution. However, the UpdateHost Ransomware's threat actors may make changes to the encryption method that hinders any data recovery efforts. Anyone needing to keep their files safe should be sure to back them up to a low-risk location, such as a detached device or a protected Web server.
Prior attacks by Trojans using fake Windows updates to hide their installations may correlate with exposure to threatening websites and drive-by-download kits, which malware experts recommend curtailing via the appropriate browser settings. Many anti-malware utilities also have good rates for identifying Hidden Tear-based threats, and keeping them active can allow you to remove the UpdateHost Ransomware without its file-enciphering attack ever occurring.
While the UpdateHost Ransomware is a small executable file with a limited payload, its authors select encryption targets that are most likely to be in wide use carefully. A Trojan's humble origins and payload may not correspond to minimal damages, either to your saved data or your finances.
Leave a Reply
Please note that we are not able to assist with billing and support issues regarding SpyHunter or other products. If you're having issues with SpyHunter, please get in touch with SpyHunter customer support through your SpyHunter . If you have SpyHunter billing questions, we recommend you check the Billing FAQ. For general suggestions or feedback, contact us.