
Colecyrus@mail.com Ransomware

Posted: October 26, 2017

Threat Metric

Threat Level: 10/10
Infected PCs: 32
First Seen: October 26, 2017
OS(es) Affected: Windows

The Colecyrus@mail.com Ransomware is a Trojan that locks your PC's media so that it can demand payments for restoring them with a custom decryption solution. Although having backups gives victims safe ways of recovering with minimal issues, users without that option may request help from experienced cyber security researchers on freeware decryption possibilities. Most brands of anti-malware programs include protection from threats of this type and may uninstall the Colecyrus@mail.com Ransomware to stop any further data loss.

Trojans Saying 'Boo!' to Your Files

Threat actors don't need many excuses to use seasonal themes for their craftsmanship, which can provide additional touches to help differentiate their Trojans from the competition or even manipulate the victims psychologically. The Colecyrus@mail.com Ransomware is a subtle variant of the usual Halloween-based format but, unlike the partially-made Trick-Or-Treat Ransomware, has a working payload that damages the user's files. Since the Colecyrus@mail.com Ransomware doesn't appear to be using traditional, AES-based enciphering features, whether or not the locked data is recoverable is uncertain.

While malware experts have yet to verify live attacks deploying the Colecyrus@mail.com Ransomware, the Trojan's payload shows no signs of being incomplete and can both take media hostage and deliver ransom-based messages to profit from doing so. The defining features of this Trojan include:

  • The Colecyrus@mail.com Ransomware scans for and locks various formats of media on infected PCs using an enciphering method still under investigation. XOR and TEA are the two encoding algorithms that malware experts consider most likely to be abused for locking files and keeping them from opening.
  • The Colecyrus@mail.com Ransomware also creates a custom ID string corresponding to each infection or 'customer,' as it references in its ransom note (see below).
  • The Colecyrus@mail.com Ransomware adds both a '.b007' extension and an e-mail address to the ends of the names of all content that it blocks. Together with the ID, the address gives victims the necessary information for paying a ransom.
  • The Colecyrus@mail.com Ransomware's authors are using text messages that the Trojan may place on the desktop for delivering their ransom-paying demands, after which they may or may not opt to unlock your files. The Trojan doesn't provide details on how much it costs to purchase the decryptor within its three-day time restriction but does offer a 'free sample' to prove that the threat actors can decode your media.
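The naming marker and the XOR-or-TEA question above give a responder two quick checks: flag files whose names carry both the '.b007' extension and the e-mail address, then measure whether the locked bytes look like a short repeating-key XOR (low entropy with a periodic byte coincidence) or like a proper cipher (near 8 bits per byte, no preferred lag). The script below is an added triage example, not code from the original write-up or from the Trojan; it assumes the appended address is the one in the Trojan's name, and it builds its own stand-in locked sample with a labelled XOR helper rather than modelling the real routine.

```python
import math
from collections import Counter
from typing import Optional

# Markers the write-up reports being appended to locked file names. The order
# in which the Trojan appends them is not stated, so both are matched anywhere.
EXTENSION_MARKER = ".b007"
EMAIL_MARKER = "colecyrus@mail.com"  # assumed to be the appended address


def looks_locked(filename: str) -> bool:
    """True when a file name carries both markers described in the write-up."""
    name = filename.lower()
    return EXTENSION_MARKER in name and EMAIL_MARKER in name


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for AES-style output, clearly lower for
    plaintext or for plaintext XORed with a short repeating key."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def coincidence_lag(data: bytes, max_lag: int = 16) -> Optional[int]:
    """Lag at which bytes most often equal the byte that many positions later.
    Repeating-key XOR preserves plaintext coincidences at multiples of the key
    length, so the winning lag is a multiple of that length; block-cipher
    output shows no preferred lag."""
    if len(data) <= max_lag:
        return None
    rates = {lag: sum(a == b for a, b in zip(data, data[lag:])) / (len(data) - lag)
             for lag in range(1, max_lag + 1)}
    return max(rates, key=rates.get)


def triage(filename: str, data: bytes) -> str:
    """One-line verdict for a file collected from a suspect host."""
    if not looks_locked(filename):
        return "name does not match the reported pattern"
    h = shannon_entropy(data)
    if h < 7.0:
        return f"locked; low entropy ({h:.2f} bits/byte), weak scheme likely, lag hint {coincidence_lag(data)}"
    return f"locked; high entropy ({h:.2f} bits/byte), strong cipher likely"


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """Constructed stand-in used only to build a test sample; not the Trojan's routine."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


if __name__ == "__main__":
    sample = xor_with_key(b"The quick brown fox jumps over the lazy dog. " * 30, b"\x5a\x3c\x96\xe1")
    print(triage("report.docx.b007.colecyrus@mail.com", sample))
```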

Solving the Mystery of an October File-Locker's Attacks

Although its text messages strongly resemble those of other Trojan campaigns, particularly the Globe Ransomware, the Colecyrus@mail.com Ransomware may not be a clone of past threats and uses an unusual data-locking function that likely requires a custom decryptor. Since decoding such enciphering attacks is often impractical, malware analysts suggest that all users save their media to backups for expedient restoration. PC security experts with experience analyzing file-locking Trojans also may provide further insight into decryption possibilities after acquiring samples of the Colecyrus@mail.com Ransomware.

Victims should assume that the Colecyrus@mail.com Ransomware will circulate through methods that disguise its intentions, such as spam e-mails pretending to be delivery notices, fake downloads for triple-A games, or drive-by-download scripts on corrupted websites. Anti-malware products can provide security against all of these infection methods and block the Colecyrus@mail.com Ransomware immediately. Since the Trojan's file-scanning feature may show no symptoms while occurring, users shouldn't depend on visual detection of this threat.

Trojans don't need 'military-grade,' secure encryption standards like AES-ECB and RSA to cause sufficient damage to insecure PCs. For the average victim, even the most basic attacks, like those embedded in the Colecyrus@mail.com Ransomware's payloads, are more than adequate hazards.

Technical Details

File System Modifications

Tutorials: If you wish to learn how to remove malware components manually, you can read the tutorials on how to find malware, kill unwanted processes, remove malicious DLLs and delete other harmful files. Always be sure to back up your PC before making any changes.

The following files were created in the system:

File name: file.exe
Size: 395.77 KB (395776 bytes)
MD5: 95f769fb6170382e07ebd2ff21c17c6c
Detection count: 38
File type: Executable File
Mime Type: unknown/exe
Group: Malware file
Last Updated: October 29, 2017