
Bubble Ransomware

Posted: June 29, 2017

Threat Metric

Threat Level: 10/10
Infected PCs: 39
First Seen: June 29, 2017
OS(es) Affected: Windows

The Bubble Ransomware is a Trojan that encrypts your files to force you into paying a ransom for unlocking them. Backups kept elsewhere are the simplest way of keeping your data safe or recovering it afterward, and paying the threat actor's fee should be avoided if at all possible. Because this Trojan arrives disguised as an ordinary document and shows no symptoms until the encryption is done, you should use anti-malware programs for blocking it or for removing the Bubble Ransomware after an infection.

Blowing Bubbles Full of Poison into Your Folders

A Trojan disguising itself as a PDF document is starting to lock random victims' files for undisclosed amounts of money, a reminder that a file's name and apparent extension say nothing about what it actually is. Malware experts have yet to place the Bubble Ransomware in a broader Trojan family, and it shows some semi-unique traits, both in how it encodes the user's content and in how it asks for payment. Although its distribution method is awaiting a full analysis, threats using fake extensions are commonplace in e-mail spamming campaigns.

The Bubble Ransomware adds an autorun entry to the Registry so that it launches whenever Windows starts up. Its encryption routine, which is keyed with a random eight-character string, covers several default Windows file locations, such as the MyMusic and MyPictures folders, in addition to the desktop. The detail-oriented threat actors also configured it to target different formats depending on the folder (for example, encrypting MPGs in MyMovies and JPGs in MyPictures). The Bubble Ransomware adds a '.bubble' extension to everything that it locks.

The Bubble Ransomware also tries to upload the decryption key and system information to its C&C server; if it cannot connect, it stores the key in the Registry instead. After everything else, the Bubble Ransomware generates a Windows message box to show its ransom demand, which provides no meaningful information beyond telling the victim to contact an e-mail address.

Popping a Dream Bubble of Unearned Fortunes

Misleading extensions, icons, or filenames are typical of Trojans like the Bubble Ransomware, which don't self-propagate but can rely on exploit kits, e-mail attachments, or brute-force attacks for gaining system access. The Bubble Ransomware shows no visible symptoms until after it has locked your data with its cipher. However, the Trojan is decryptable, and malware experts recommend running free decryption programs on copies of your locked media if backups are unavailable. The Trojan also doesn't delete the Shadow Copies, which gives Windows users yet another method of restoring their content.

At the time of writing, roughly one in four major brands of AV products identify the Bubble Ransomware as a threat. Updating threat databases can improve detection rates for new samples. Because the Trojan only keeps the decryption key in the Registry when it cannot reach its C&C server, malware analysts also recommend disconnecting an infected PC from the Internet as soon as possible; the locally stored key may then make decryption straightforward. The Trojan has little protection against removal by most anti-malware products, although deleting the Bubble Ransomware and restoring your locked media are two separate processes requiring different software.
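As an added example (not code from the original article or from any vendor's tooling), the following PowerShell script carries out the response steps the two paragraphs above describe: isolate the host, inventory the '.bubble' files and the autorun entries in the Run keys, and copy originals back from a Shadow Copy taken before the encryption started. The Run-key location, the profile folder names and the 'ShadowRestore' link path are assumptions; the article does not say where in the Registry the Trojan writes its autorun line or its key.

```powershell
<#
  Added triage/recovery helper for a Windows host that shows '.bubble' files.
  Example written for this page, not code from the original article or any vendor.
  Assumptions: the autorun line lives in one of the standard Run keys, the user
  profile sits on the system drive, and the folders below are the ones the
  article names. Run elevated; review the report before using -Restore.
#>
param(
    [string]$UserProfile = $env:USERPROFILE,
    [switch]$Isolate,   # disable every active network adapter first
    [switch]$Restore    # copy originals back from a Shadow Copy; default is report only
)
$ErrorActionPreference = 'Stop'

# 1. Network isolation. The article notes the key is only sent to the C&C server when a
#    connection exists, so cutting the link early keeps it on the box.
if ($Isolate) {
    Get-NetAdapter | Where-Object Status -eq 'Up' | Disable-NetAdapter -Confirm:$false
}

# 2. Inventory the encrypted files in the profile folders the article names.
$folders = 'Desktop', 'Music', 'Pictures', 'Videos' | ForEach-Object { Join-Path $UserProfile $_ }
$locked = Get-ChildItem -Path $folders -Recurse -File -ErrorAction SilentlyContinue |
          Where-Object Extension -eq '.bubble'
"Encrypted files found: $($locked.Count)"
# The original extension is whatever follows the last dot once '.bubble' is stripped.
$locked | Group-Object { [IO.Path]::GetExtension($_.BaseName) } |
          Select-Object Name, Count | Format-Table -AutoSize

# 3. Autorun entries in the standard Run keys (assumed location; the article gives none).
$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # provider metadata, not an autorun value
        '{0}\{1} = {2}' -f $key, $p.Name, $p.Value
    }
}

# 4. Shadow Copies. The article reports the Trojan leaves them intact. Pick the newest
#    copy taken before the earliest '.bubble' file appeared, so it still holds plaintext.
$shadows = Get-CimInstance -ClassName Win32_ShadowCopy | Sort-Object InstallDate -Descending
"Shadow copies on this host: $($shadows.Count)"
if ($Restore -and $locked -and $shadows) {
    $firstHit = ($locked | Sort-Object LastWriteTime | Select-Object -First 1).LastWriteTime
    $shadow   = $shadows | Where-Object { $_.InstallDate -lt $firstHit } | Select-Object -First 1
    if (-not $shadow) { throw 'No Shadow Copy predates the encryption; restore from backup instead.' }

    # GLOBALROOT device paths are not browsable directly; a directory symlink (target
    # needs a trailing backslash) makes the snapshot readable like a normal folder.
    $link   = Join-Path $env:SystemDrive 'ShadowRestore'
    $target = $shadow.DeviceObject + '\'
    cmd /c mklink /d $link $target | Out-Null
    try {
        foreach ($file in $locked) {
            $relative = $file.FullName.Substring($file.PSDrive.Root.Length) -replace '\.bubble$', ''
            $source   = Join-Path $link $relative
            $dest     = $file.FullName -replace '\.bubble$', ''
            if (Test-Path -LiteralPath $source) {
                # Keep the .bubble file as evidence; only the plaintext copy is put back.
                Copy-Item -LiteralPath $source -Destination $dest -Force
                "restored $dest"
            } else {
                "no snapshot copy for $($file.FullName)"
            }
        }
    } finally {
        cmd /c rmdir $link | Out-Null   # removes the symlink only, not the snapshot
    }
}
```

Run it once without switches to see the file counts, the Run-key contents and how many Shadow Copies exist, then again with -Isolate -Restore once you are satisfied the autorun entry has been identified and removed. Before any cleanup, export the user's hive (for example with `reg export HKCU hkcu.reg`) so that an analyst can search it for the locally stored key; the article does not say which value the Trojan writes it to, so the script makes no attempt to read it.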

Even as old Trojan families like Hidden Tear keep adding members, new, independent threats also are being caught as a matter of course. With new Trojans like the Bubble Ransomware come new infection methods, tactics, and extortion details, making it all the more useful to protect your files with reasonable procedures like backing them up elsewhere.
