
Better_Call_Saul Ransomware

Posted: March 17, 2016

Threat Metric

Threat Level: 10/10
Infected PCs: 290
First Seen: March 17, 2016
Last Seen: June 9, 2023
OS(es) Affected: Windows

The 'Better_Call_Saul' Ransomware is a file encryptor based on CryptoLocker, most recently made infamous for its attacks targeting entities in Australia. During its attacks, the 'Better_Call_Saul' Ransomware encrypts the infected PC's non-essential data before dropping various media files communicating an intent to ransom a decryption key to its victims. Besides using your anti-malware software to block or delete the 'Better_Call_Saul' Ransomware, you also can use any of a variety of backup data preservation techniques that provide appropriate security against file-encrypting Trojans.

The 'Better_Call_Saul' Ransomware: A Bad Chicken Surprise in Your Archive

The relatively easy accessibility (at the cost of 100 USD) of the CryptoLocker development kit has caused a variety of new versions of this file encryptor to spring up between 2015 and 2016. Of these new Trojans, the 'Better_Call_Saul' Ransomware can be thought of as the most dramatically media-centric, although its practical objectives still are to encrypt and then ransom your files. Like most file encryptors, the 'Better_Call_Saul' Ransomware uses an AES-based scheme whose key is randomized with each infection, making it difficult to break the encryption and restore your data without paying the con artists.

Of the 'Better_Call_Saul' Ransomware's distribution and installation preferences, the most easily confirmed is its use of Visual Basic-based Trojan downloaders hidden in archive attachments. The naming schemes for these attachments suggest that the con artists use targeted e-mail attacks, with the Trojan downloader disguising itself as minutiae concerning a package or message delivery. Opening the archive not only launches the Trojan that installs the 'Better_Call_Saul' Ransomware, but also loads a PDF file that distracts you from the threat's activities.

The 'Better_Call_Saul' Ransomware then scans your PC, focusing on data of specific formats and ignoring the essential components of your OS. Examples of files attacked by the 'Better_Call_Saul' Ransomware include GIF or JPG images, ZIP archives, MP3 sounds, XLS spreadsheets and PowerPoint presentations. The attack encrypts them with an individualized key, preventing any programs from reading them. The 'Better_Call_Saul' Ransomware's con artists sell a decryption key to their Australian victims for 450 AUD (approximately 343 USD).

All of the above is mostly traditional for CryptoLocker variants. However, the 'Better_Call_Saul' Ransomware sets itself apart from similar re-releases of the Trojan by including a Bitcoin tutorial video, multiple references to the 'Breaking Bad' television show (including a 'Los Pollos Hermanos' image and a themed e-mail address), and even an automatically-playing YouTube music video.

Who to Call When Your Files Get Encrypted

The 'Better_Call_Saul' Ransomware and other file encryptors may just as easily target and delete local backup data as they may encrypt your original copies. However, paying con artists to provide a decryptor for the 'Better_Call_Saul' Ransomware is a solution with other risks, in addition to the obvious moral hazard. Whenever possible, malware experts recommend preventing threat attacks by scanning your file attachments (which would detect a 'Better_Call_Saul' Ransomware installer), or keeping live anti-malware support that can identify and block the 'Better_Call_Saul' Ransomware before its encryption payload's completion.

Alternatively, you can remove the 'Better_Call_Saul' Ransomware after its attack with your anti-malware tools and then take the steps needed to restore any encrypted information. In most cases, backups kept on cloud storage servers, USB devices, or similarly remote sources are safe from file encryptors. The increasing use of instructional media and theming may indicate that at least some threat authors are interested in making their attacks into highly referential multimedia experiences, but these television-referencing aesthetics don't change any of the essentials that are relevant to thwarting the 'Better_Call_Saul' Ransomware.

Technical Details

File System Modifications


The following files were created in the system:

File name: d460e5870a252c2827b88fdfc651a033a5d5875770f21a23b476a36e56ad5a8e.exe
Path: %USERPROFILE%\Desktop
Size: 913.4 KB (913408 bytes)
MD5: d1217c81cca33f5fcc4bed6cd948a36b
Detection count: 30
File type: Executable File
Mime Type: unknown/exe
Group: Malware file
Last Updated: March 17, 2016

Registry Modifications

The following Registry value is newly created:

HKEY..\..\..\..{RegistryKeys}SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.better_call_saul
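A defender-side check built from the two indicators above, added here as an example rather than anything from the original page: it hashes .exe files under a directory against the listed MD5, counts files carrying the .better_call_saul extension (the FileExts key suggests that extension is registered; that encrypted files use it is an assumption), and looks for the FileExts key in a .reg export. The hive name in the constructed export is assumed, since the page truncates it.

```python
import hashlib
import os
import re
import tempfile

# Indicators copied from the Technical Details section of the page.
KNOWN_MD5 = "d1217c81cca33f5fcc4bed6cd948a36b"
REG_KEY_SUFFIX = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.better_call_saul"
# Assumption (not stated on the page): encrypted files carry this extension.
RANSOM_EXT = ".better_call_saul"


def md5_of(path, chunk=65536):
    """Stream-hash a file so large executables are not read into memory at once."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def scan_tree(root, known_md5=KNOWN_MD5):
    """Return (paths of .exe files whose MD5 matches, count of RANSOM_EXT files)."""
    hits, ext_count = [], 0
    for dirpath, _, names in os.walk(root):
        for name in names:
            lower, full = name.lower(), os.path.join(dirpath, name)
            if lower.endswith(RANSOM_EXT):
                ext_count += 1
            elif lower.endswith(".exe") and md5_of(full) == known_md5:
                hits.append(full)
    return hits, ext_count


def reg_export_has_key(reg_text):
    """True if a .reg export contains the FileExts key listed on the page, under any hive."""
    pattern = re.compile(r"^\[[^\]]*\\" + re.escape(REG_KEY_SUFFIX) + r"\]\s*$", re.M | re.I)
    return pattern.search(reg_text) is not None


def demo():
    """Run both checks on a constructed sample tree and a constructed .reg export."""
    with tempfile.TemporaryDirectory() as root:
        desktop = os.path.join(root, "Desktop")
        os.makedirs(desktop)
        sample = b"constructed stand-in for the dropper, not the real binary"
        with open(os.path.join(desktop, "dropper.exe"), "wb") as f:
            f.write(sample)
        for name in ("photo.jpg", "report.xls"):
            open(os.path.join(desktop, name + RANSOM_EXT), "wb").close()
        hits, ext_count = scan_tree(root, known_md5=hashlib.md5(sample).hexdigest())
    # Constructed export; HKEY_CURRENT_USER is an assumed hive, the page truncates it.
    reg_text = "Windows Registry Editor Version 5.00\r\n\r\n[HKEY_CURRENT_USER\\" + REG_KEY_SUFFIX + "]\r\n"
    return len(hits), ext_count, reg_export_has_key(reg_text)
```

In a real sweep, point scan_tree at the user profile rather than a temporary directory and feed reg_export_has_key the output of a `reg export` of the current user's hive.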