Home Malware Programs Ransomware BlackHat Ransomware

BlackHat Ransomware

Posted: September 18, 2017

Threat Metric

Threat Level: 10/10
Infected PCs: 12
First Seen: September 18, 2017
OS(es) Affected: Windows

The BlackHat Ransomware is a variant of Hidden Tear, an open-source Trojan that locks the user's media by encoding it with a cipher. At this time, the BlackHat Ransomware is bugged and may not finish its attacks, although minor updates could give it full functionality and prevent users from opening files such as pictures or text documents. Let your anti-malware programs remove the BlackHat Ransomware after disabling any network connections this threat could use to communicate with external servers and recover any files from backups.

Well-Aged Trojans Putting on Fresh Hats

Hidden Tear is undergoing various permutations of upgrades and downgrades at the hands of different teams of developers, not all of whom are skilled at programming equally. In the most ideal of cases, these third-party edits result in a less than functional output, like the samples of the MoWare H.F.D Ransomware that malware experts held for analysis previously. However, work on this HT variant has yet to halt, and the Trojan is now detectable under new names: Blackbat or the BlackHat Ransomware.

The BlackHat Ransomware retains most of MoWare H.F.D Ransomware's bugs, including runtime errors that could prevent its payload from operating as its threat actors intend. For samples with all glitches corrected, the BlackHat Ransomware could encrypt files such as movies, documents, spreadsheets and other media by using a XOR-based algorithm to convert them to unreadable formats. Meanwhile, the Trojan launches the same ransoming pop-up the MoWare H.F.D Ransomware uses: an interactive Web page that includes a live timer and details about transferring Bitcoins to a wallet to 'buy' the decryptor.

The BlackHat Ransomware also still seems to use the old '.H_F_D_locked' extension for identifying such files to the user. While malware experts are noting theoretical ransoming fees for the BlackHat Ransomware's decryptor at 200 USD in Bitcoins, any victims should continue using free methods for recovering their data, if at all possible. As a bugged version of Hidden Tear, the BlackHat Ransomware may not delete local backups, but non-local ones always are more reliable solutions for protecting your data from hostile encryption.

Depriving Trojans of Their Hat Tricks

Although the BlackHat Ransomware remains as buggy as its recent ancestor approximately, using a widely-applicable foundation of code, like Hidden Tear, can help make this threat into a danger to any PC user's files without much additional work. Minor updates could patch this Trojan into a state that's capable of blocking your local content indefinitely while it demands ransoms that may not pay off for anyone who surrenders to them. Contacting experienced security researchers for help could produce additional, free solutions for victims who need a decryption program.

Malware researchers determined that the BlackHat Ransomware doesn't use an embedded key for encoding content previously; instead, it downloads an appropriate code from a remote server. Users who disable their Internet connections as soon as possible after compromising their PCs may be able to halt the encryption process, even though this attack shows no overt symptoms. Most anti-malware products are identifying and removing the BlackHat Ransomware at satisfactory rates and should detect this threat before its attacks can occur.

Crippled Trojans do retain some degree of potential for harassing and harming the PCs that they infect. For Trojans like the BlackHat Ransomware, these bugs even can interfere with the encryption routine and, as an immediate consequence, make decryption into a pipe dream. Its payload, even buggy, underlines the fact that any file worth paying for also is worth backing up to someplace secure.

Related Posts