
BlueCheeser Ransomware

Posted: February 5, 2020

The BlueCheeser Ransomware is a file-locker Trojan that can stop media such as documents or images from opening by encrypting the file's internal data. Windows users can best defend their work by creating backups on devices that the Trojan doesn't have access to for deleting. Most anti-malware services also should offer preemptive protection by removing the BlueCheeser Ransomware as they identify it.

The Cheesy Taste of Nonfunctional Files

Ransomware-as-a-Service businesses like the Globe Imposter Ransomware, and free coding resources like EDA2 and Hidden Tear, account for the majority of file-locking Trojans. In the minority are black hat programs like the BlueCheeser Ransomware: a Trojan that announces its attacks while performing them but is otherwise just as threatening as more widely-known threats. Users could be grateful that current versions don't hide their identity, although that may only be because the program is still in the middle of its development.

The BlueCheeser Ransomware is a Windows program with copyright information dating to 2018, but samples of the Trojan have only begun appearing as of January 2020. The Trojan operates on the same extortion-based premise as similar file-locking Trojan campaigns. Significant infection symptoms include:

  • The locking of media files with an AES-based encryption routine.
  • The presence of Notepad ransom messages (with non-working Bitcoin wallet links, as of the latest samples).
  • The insertion of possibly Norse-inspired 'himr' extensions into filenames.
  • A command-line pop-up displaying encryption progress for the victim's files.
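As an added defender-side example (not code from the article or from the Trojan's authors), the script below triages a directory for the first and third symptoms: files carrying the 'himr' extension whose contents have the near-8-bits-per-byte entropy of AES ciphertext. It assumes the extension is appended as a trailing `.himr` suffix, which the article does not confirm, and builds its own constructed sample files.

```python
"""Triage a directory tree for BlueCheeser Ransomware indicators: renamed
files with the 'himr' extension whose bytes look AES-encrypted (high
entropy). Detection logic only; sample data is constructed in a temp dir."""
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Assumption: the Trojan appends '.himr' as a trailing extension. The article
# only says 'himr' extensions are inserted into filenames.
HIMR_SUFFIX = ".himr"
# AES output approaches 8 bits of entropy per byte; office docs and text sit well below.
ENTROPY_THRESHOLD = 7.5


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 0.0 for empty input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def scan_for_himr(root: str) -> dict:
    """Walk `root` and split '.himr' files into encrypted-looking vs. merely renamed."""
    encrypted, renamed_only = [], []
    for path in Path(root).rglob("*"):
        if not path.is_file() or not path.name.lower().endswith(HIMR_SUFFIX):
            continue
        sample = path.read_bytes()[:65536]  # first 64 KiB is enough to judge
        if shannon_entropy(sample) >= ENTROPY_THRESHOLD:
            encrypted.append(str(path))
        else:
            renamed_only.append(str(path))  # renamed but readable: still worth reporting
    return {"encrypted": sorted(encrypted), "renamed_only": sorted(renamed_only)}


def build_sample_tree() -> str:
    """Constructed sample: one 'encrypted' file, one renamed-but-plain file, one clean doc."""
    root = tempfile.mkdtemp(prefix="himr_demo_")
    (Path(root) / "report.docx.himr").write_bytes(os.urandom(8192))  # stands in for AES output
    (Path(root) / "notes.txt.himr").write_text("just renamed, not encrypted\n" * 50)
    (Path(root) / "budget.xlsx").write_bytes(b"PK\x03\x04" + b"\x00" * 4000)
    return root


if __name__ == "__main__":
    print(scan_for_himr(build_sample_tree()))
```

On a real share, a sudden surge of high-entropy `.himr` files is the signal to isolate the host and restore from the offline backups the article recommends.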

The last symptom in this handful is of particular significance. In past campaigns, malware researchers have predominantly encountered file-locker Trojans with this feature in programs that the attacker installs and runs manually. This sets the BlueCheeser Ransomware apart from similar threats, which may depend on a victim's opening the file by mistake (such as an e-mail attachment).

The Futility of Paying for Bad Cheese

Some portions of the BlueCheeser Ransomware's payload suggest an experimental or in-progress status for the Trojan. Most obviously, the payment mechanism doesn't provide a working Bitcoin wallet address, nor does it offer a method of contacting the threat actor and entering into negotiations. Such an oversight means that any payment is entirely in vain and will not bring victims any closer to recovering or unlocking their documents or other media.

Windows users should always keep additional backups in locations that aren't accessible to threatening programs like the BlueCheeser Ransomware, Hidden Tear, or the Dharma Ransomware's family. In light of its current configuration, malware analysts also recommend prompt patch maintenance and avoiding passwords that a remote attacker could compromise by brute force. These simple precautions will protect most server setups from attacks by black hat software, while minimal web-browsing precautions cover other vulnerabilities.

Few Trojans of this kind invest much effort in evading conventional threat-detection methods. Like its competition, this threat can be thwarted by users who keep anti-malware products that remove BlueCheeser Ransomware infections as they happen or block the installation executable.

Since there isn't a free decryption service for the BlueCheeser Ransomware, users' best bet is either preventing infections before they start or backing up dutifully. Like cheese gone bad, automatic encryption has a lingering aroma, but unlike a food product, it can cost anyone their life's work in data.
