
BlackPink Ransomware

Posted: February 26, 2019

The BlackPink Ransomware is a Korean file-locking Trojan that encrypts digital media so that the files can't open until the user runs them through a compatible decryption service. Its threat actor is selling that service for an unknown ransom through an associated website. Users can protect their work with backups and should have anti-malware tools for uninstalling the BlackPink Ransomware or blocking the installation altogether.

A Trojan Siren that's Singing Your Files to Sleep

South Korea is getting a regionally-appropriate follow-up to the campaigns of file-locking Trojans like the Hidden Tear-based PTP Ransomware and the self-explanatory KoreanLocker Ransomware. Unlike them, the BlackPink Ransomware is new enough that its campaign may not be active yet, and all of the samples that malware experts are examining include 'placeholder' links. Unfortunately, that doesn't mean that its file-locking feature isn't working.

The BlackPink Ransomware's ransom message claims that it uses AES and RSA encryption, although malware researchers have yet to confirm that claim, and many threats of this type make false assertions that exaggerate the strength of their encryption. After locking files such as PDFs, DOCs, or JPGs, the BlackPink Ransomware adds a 'BlackPink' extension to them, which references a prominent Korean pop (K-pop) band. The ransom note's text is similarly Korea-specific: it offers Korean-language directions on paying for the decryptor with the Tor browser, under a ninety-six-hour deadline.
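Whether a file carrying the 'BlackPink' extension was actually encrypted or merely renamed is something a responder can check before taking the AES/RSA claim at face value. The following Python triage helper is an added example, not code from the original page or from any analysis of the Trojan itself: it walks a directory, finds files with the extension, and classifies each one by whether the original format's magic bytes survive (renamed only) or the content is near-maximum entropy (consistent with real cipher output). The naming form `name.pdf.BlackPink` and the sample files it builds are assumptions constructed for this example.

```python
import math
import os
import random
import tempfile
from collections import Counter

# Extension the write-up reports. The exact form (".BlackPink" appended after the
# original extension, e.g. "report.pdf.BlackPink") is an assumption for this example.
BLACKPINK_EXT = ".BlackPink"

# Magic bytes for the file types the write-up names (PDF, DOC/DOCX, JPG).
MAGIC = {
    ".pdf": [b"%PDF"],
    ".doc": [b"\xd0\xcf\x11\xe0"],   # OLE2 compound document
    ".docx": [b"PK\x03\x04"],        # OOXML is a ZIP container
    ".jpg": [b"\xff\xd8\xff"],
    ".jpeg": [b"\xff\xd8\xff"],
}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; output of a real cipher sits close to 8.0."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def original_suffix(name: str) -> str:
    """'report.pdf.BlackPink' -> '.pdf' (lower-cased); '' if there is no inner suffix."""
    stem = name[: -len(BLACKPINK_EXT)]
    return os.path.splitext(stem)[1].lower()


def classify(path: str, sample_size: int = 4096) -> str:
    """Classify one renamed file by inspecting only its first sample_size bytes."""
    with open(path, "rb") as fh:
        head = fh.read(sample_size)
    suffix = original_suffix(os.path.basename(path))
    # Header check first: JPEG and DOCX bodies are high-entropy even when untouched,
    # so an intact magic number is the stronger signal that nothing was encrypted.
    if any(head.startswith(m) for m in MAGIC.get(suffix, [])):
        return "renamed-only"
    if shannon_entropy(head) > 7.5:
        return "likely-encrypted"
    return "unknown"


def triage(root: str) -> dict:
    """Map every *.BlackPink file under root (relative path) to its classification."""
    results = {}
    for dirpath, _, files in os.walk(root):
        for f in files:
            if f.endswith(BLACKPINK_EXT):
                p = os.path.join(dirpath, f)
                results[os.path.relpath(p, root)] = classify(p)
    return results


def build_sample_tree() -> str:
    """Constructed test data, not real samples: a PDF that was only renamed, a
    pseudo-random blob standing in for ciphertext, and one untouched file."""
    root = tempfile.mkdtemp(prefix="blackpink-triage-")
    with open(os.path.join(root, "invoice.pdf.BlackPink"), "wb") as fh:
        fh.write(b"%PDF-1.4\n" + b"1 0 obj\n<< /Type /Catalog >>\nendobj\n" * 50)
    rng = random.Random(1234)  # seeded so the example is repeatable
    with open(os.path.join(root, "photo.jpg.BlackPink"), "wb") as fh:
        fh.write(bytes(rng.getrandbits(8) for _ in range(4096)))
    with open(os.path.join(root, "notes.txt"), "wb") as fh:
        fh.write(b"untouched file\n")
    return root


if __name__ == "__main__":
    for name, verdict in sorted(triage(build_sample_tree()).items()):
        print(f"{verdict:17} {name}")
```

Run it against a real affected directory by calling `triage("/path/to/share")`. A verdict of "renamed-only" means the original bytes are still there and the file can be recovered by stripping the extension; "likely-encrypted" means recovery depends on a backup, since entropy that high is indistinguishable from proper cipher output. A high-entropy reading on its own does not confirm that the claimed AES/RSA scheme was implemented correctly; it only rules out the cheap trick of renaming.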

Not all of the BlackPink Ransomware's symptoms fall in line with those of file-locker Trojan families like Hidden Tear or the Globe Ransomware. The BlackPink Ransomware is the first of its kind that malware researchers have seen use a single-word ID for tracking its 'customers.' This word is the only significant English content in the note and helps distinguish the BlackPink Ransomware from competing Trojans that use a traditional, numeric victim ID.

Changing the Station from Trojan Attacks

While the BlackPink Ransomware is a Korea-specific threat in its communication preferences, its payload is proving itself in Linux environments elsewhere, such as the Czech Republic. However, since its ransom message links to Google's search engine instead of a payment website, even victims who would consider paying for their files can't do so. Backing up work to another device is the default recommendation for saving any media of financial or personal value from encryption that could be irreversible.

How the BlackPink Ransomware installations are compromising any given target remains a data point for further exploration, but file-locking Trojans tend to arrive through brute-force attacks on server logins, spam e-mails, or file-sharing networks such as torrents. Most anti-malware services can detect threats of this category during file scans and should block any risk of non-consensual encryption. Infected PCs should receive full scans by those same products to remove the BlackPink Ransomware as safely as possible before recovering any sabotaged media from a backup.

The BlackPink Ransomware offers a musically-themed campaign that has yet to strike it rich with its first chords. K-pop fans should be careful about selecting their song download sources, which could come with more than just MP3s.
