AIR Ransomware

Posted: November 8, 2019

The AIR Ransomware is a file-locking Trojan from the minor Trojan family of the Major Ransomware. The AIR Ransomware uses encryption for blocking files, delivers ransoming messages, and changes your desktop's wallpaper to a warning message. You can keep backups for preserving data from such an attack, and well-maintained anti-malware programs should delete the AIR Ransomware as soon as they detect it.

Breathing in Some Bad AIR

In between the campaigns of well-known legends of Trojan artistry like the Scarab Ransomware and the Jigsaw Ransomware, smaller players also make very similar attacks for the usual means of turning a questionable profit. The Major Ransomware family, expressed through members like the Orion Ransomware and the older Mars Ransomware, is one such entity. Its latest version, the AIR Ransomware, includes some changes to how it asks for ransoms, while still damaging files in the process.

The AIR Ransomware includes many of the standard features of file-locking Trojans, particularly those of the Major Ransomware variants. It uses AES and RSA encryption for blocking documents, images and other media content. It appends an extension to their names that contains not just the 'AIR' tag, but also an ID for the victim and an e-mail address for the negotiations. It also creates a ransom message, although malware researchers see a change from the old Notepad format to HTML. The Trojan also hijacks the wallpaper and exchanges it for another set of ransom instructions.
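As an added example (not code from the article or from the Trojan's authors), the following triage helper parses file listings for the renaming scheme described above and pulls out the victim ID and contact e-mail for an incident report. The exact layout of the appended extension is an assumption; the article names only its components.

```python
import re
from collections import Counter
from typing import Iterable, Optional

# Assumed naming scheme (constructed for this example; the article states only
# that the appended extension carries an 'AIR' tag, a victim ID and a contact
# e-mail, not their order or delimiters):
#   <original name>.[<victim id>].[<e-mail>].AIR
AIR_NAME_RE = re.compile(
    r"^(?P<orig>.+?)\.\[(?P<vid>[A-Za-z0-9-]+)\]"
    r"\.\[(?P<mail>[^\[\]\s@]+@[^\[\]\s@]+)\]\.AIR$"
)

def parse_air_name(name: str) -> Optional[dict]:
    """Return original name, victim ID and e-mail if `name` matches the
    assumed AIR renaming scheme, otherwise None."""
    m = AIR_NAME_RE.match(name)
    return m.groupdict() if m else None

def triage(names: Iterable[str]) -> dict:
    """Summarise a directory listing for incident response: how many files
    were renamed and which victim IDs and e-mails appear. A single infection
    should yield one of each; several suggest repeated runs or a noisy match."""
    hits = [p for p in map(parse_air_name, names) if p]
    return {
        "renamed": len(hits),
        "victim_ids": Counter(h["vid"] for h in hits),
        "emails": Counter(h["mail"] for h in hits),
        "originals": [h["orig"] for h in hits],
    }

# Constructed sample listing: two encrypted files, an HTML ransom note,
# an untouched file, and a bare .AIR name that does not fit the scheme.
SAMPLE_LISTING = [
    "budget.xlsx.[7F3A9C21].[decrypt@example.invalid].AIR",
    "holiday.jpg.[7F3A9C21].[decrypt@example.invalid].AIR",
    "HOW_TO_RECOVER.html",
    "notes.txt",
    "archive.AIR",
]

if __name__ == "__main__":
    print(triage(SAMPLE_LISTING))
```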

Another feature of its payload is newly verifiable with the AIR Ransomware: the visible display of a running program window while it's locking data. This symptom could give a fast-thinking victim a chance to terminate the AIR Ransomware or shut down the computer before it finishes the encryption routine, which is, as usual, over quickly. Threat actors are more likely to run the AIR Ransomware after gaining remote administrative access to the computer, such as by way of an internet-exposed RDP service.

Exhaling the AIR Ransomware Before It Kills Your Media

The AIR Ransomware's attacks are a little more visible than some of those by other file-locker Trojans, but its encryption, ultimately, remains secure. Users can't depend on independent and free solutions for unlocking their files, and the AIR Ransomware includes the usual precaution of wiping out the Windows Shadow Volume Copies and, therefore, the Restore Points. Hence, having a backup on some other device is the best way of keeping one's files safe.

The AIR Ransomware uses randomized characters for its file name and shows no signs of how it might propagate. In keeping with its symptoms, however, malware experts warn primarily against network and server vulnerabilities, such as open ports, outdated software, and unsafe interactions with e-mail attachments. Outdated software platforms also risk serving as weak points for a remote attacker.

Most anti-malware services will flag file-locking Trojans as threatening on sight and are preferable for uninstalling the AIR Ransomware or similar threats whenever possible. Readers also should note that this family is Windows-specific.

Far from a breath of fresh air, the AIR Ransomware is a stagnant pocket of software poison that's seeping out into the world anew. When the antidote to such an expensive problem is so universal, skipping the occasional backup simply invites exploitation.