CloudSword Ransomware
Posted: January 23, 2017
Threat Metric
The fields listed on the Threat Meter, each containing a specific value, are explained in detail below:
Threat Level: The threat level scale goes from 1 to 10 where 10 is the highest level of severity and 1 is the lowest level of severity. Each specific level is relative to the threat's consistent assessed behaviors collected from SpyHunter's risk assessment model.
Detection Count: The collective number of confirmed and suspected cases of a particular malware threat. The detection count is calculated from infected PCs retrieved from diagnostic and scan log reports generated by SpyHunter.
Volume Count: Similar to the detection count, the Volume Count is specifically based on the number of confirmed and suspected threats infecting systems on a daily basis. High volume counts usually represent a popular threat but may or may not have infected a large number of systems. High detection count threats could lie dormant and have a low volume count. Criteria for the Volume Count are relative to a daily detection count.
Trend Path: The Trend Path, utilizing an up arrow, down arrow or equal symbol, represents the level of recent movement of a particular threat. Up arrows represent an increase, down arrows represent a decline and the equal symbol represents no change to a threat's recent movement.
% Impact (Last 7 Days): This demonstrates a 7-day period change in the frequency of a malware threat infecting PCs. The percentage impact correlates directly to the current Trend Path to determine a rise or decline in the percentage.
| Threat Level: | 10/10 |
|---|---|
| Infected PCs: | 43 |
| First Seen: | January 23, 2017 |
| OS(es) Affected: | Windows |
The CloudSword Ransomware is a file-encrypting Trojan that locks your files, such as content associated with word processing or gaming. The Trojan makes this attack to force you into paying a ransom fine, but keeping backups can help you recover any damaged content without needing to purchase a decryptor. Malware experts rate this Trojan as a credible threat to the overall security of your PC and endorse removing the CloudSword Ransomware as soon as possible using standard anti-malware tools.
A Sword's Swing at Your Files Under False Pretenses
Trojans come in many disguises, and, sometimes, even in self-contradictory ones. Although most file-encrypting threats don't bother to hide their attacks as being anything but threatening, a minority of threats like the CloudSword Ransomware may use social engineering techniques to increase the likelihood of getting paid. This recent Trojan is targeting both English and Chinese speakers with a campaign hiding under the label of a Windows update.
The CloudSword Ransomware uses an AES-based encryption method to encipher your files and prevent them from opening, with no known extension or other filename-based changes. The attack targets video gaming-specific content in addition to more generic data like documents. Secondarily, the Trojan also creates an HTML ransom message directing the victim to a Tor-hosted website where they are told to pay to recover their files.
Along with hiding its components under fake Windows update titles, the CloudSword Ransomware also uses what previously was a common ruse in ransomware campaigns: claiming that it's locking the victim's PC as a penalty for copyright-infringing activities. Naturally, the Trojan is illicit software and has no endorsement from any government entity, Chinese or otherwise.
As a final incentive, the CloudSword Ransomware warns that paying is possible for five days but doesn't include a timer to let the victim determine exactly when the opportunity expires. Typically, malware experts recommend keeping backups that nullify any need for decrypting your files through illicit channels like those that the CloudSword Ransomware endorses.
A Trojan's Back-Swing You Might Not See Coming
Arguably, the CloudSword Ransomware is even more threatening to the state of your PC's overall wellbeing than it is to any files. Its author is including numerous anti-security features in its payload, such as:
- The CloudSword Ransomware will disable the Windows System Restore and the Startup Repair features.
- The CloudSword Ransomware can suppress system boot-related errors.
- The CloudSword Ransomware will try to terminate default firewall applications that could block its network activity.
All of these issues make your PC more vulnerable than normal to attacks by other threats. Accordingly, malware researchers encourage using anti-malware protection to delete the CloudSword Ransomware proactively, when possible, which also prevents it from encrypting any of your files. Note that this threat also makes Registry changes, and manual removal is not advisable for PC users without cyber security experience.
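The three anti-recovery behaviours listed above are easiest to catch at the moment they happen, in process-creation telemetry. The following detection logic is an added example, not code from the original report or from the threat itself; it assumes (the report does not name the commands) that the behaviours are carried out through the usual built-in utilities (bcdedit for Startup Repair and boot-error policy, vssadmin for restore points, netsh/sc for the firewall) and runs over constructed sample events shaped like Sysmon Event ID 1 records.

```python
import re

# Constructed sample process-creation events: (image name, command line).
# These are made up for this example and are not taken from the report.
SAMPLE_EVENTS = [
    ("bcdedit.exe", "bcdedit /set {default} recoveryenabled No"),
    ("bcdedit.exe", "bcdedit /set {default} bootstatuspolicy ignoreallfailures"),
    ("vssadmin.exe", "vssadmin delete shadows /all /quiet"),
    ("netsh.exe", "netsh advfirewall set allprofiles state off"),
    ("sc.exe", "sc stop MpsSvc"),
    ("bcdedit.exe", "bcdedit /enum all"),        # benign: read-only query
    ("svchost.exe", "svchost.exe -k netsvcs"),    # benign background noise
]

# Assumed mapping from the behaviours described above to the command-line
# patterns that implement them. Each rule: (behaviour label, regex on the
# command line, matched case-insensitively).
RULES = [
    ("startup_repair_disabled", r"recoveryenabled\s+(no|off|false)\b"),
    ("boot_errors_suppressed",  r"bootstatuspolicy\s+ignoreallfailures\b"),
    ("restore_points_deleted",  r"\bdelete\s+shadows\b"),
    ("firewall_disabled",       r"advfirewall\s+set\s+\w+\s+state\s+off\b"),
    ("firewall_service_stopped", r"\bstop\s+MpsSvc\b"),
]


def match_events(events):
    """Return (label, command line) for every event that hits a rule."""
    hits = []
    for _image, cmdline in events:
        for label, pattern in RULES:
            if re.search(pattern, cmdline, re.IGNORECASE):
                hits.append((label, cmdline))
    return hits


def distinct_behaviours(events):
    """Number of distinct flagged behaviours; several of them appearing in one
    process tree within a short window is the strong signal, not any single hit."""
    return len({label for label, _ in match_events(events)})


if __name__ == "__main__":
    for label, cmd in match_events(SAMPLE_EVENTS):
        print(f"{label:26s} {cmd}")
    print("distinct behaviours:", distinct_behaviours(SAMPLE_EVENTS))
```

A single bcdedit or vssadmin invocation is also produced by legitimate administration, so alert on the combination and on the parent process rather than on one line in isolation.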
The CloudSword Ransomware offers a neat encapsulation of many of the tactics that threat actors use while collecting ransoms they don't deserve. In multiple ways, assuming that a file-locking program is being honest with you is an assumption that can backfire, both for your wallet and your PC.
Technical Details
File System Modifications
The following files were created in the system:

file.exe
File name: file.exe
Size: 557.05 KB (557056 bytes)
MD5: ca4503d5841d0a33120c3a7be65bd815
Detection count: 72
File type: Executable File
Mime Type: unknown/exe
Group: Malware file
Last Updated: May 3, 2017

file.exe
File name: file.exe
Size: 48.12 KB (48128 bytes)
MD5: 4656707c65d778189a5d71b0e585f658
Detection count: 71
File type: Executable File
Mime Type: unknown/exe
Group: Malware file
Last Updated: May 3, 2017