
CURATOR Ransomware

Posted: October 13, 2020

The CURATOR Ransomware is a file-locking Trojan of an unknown family. The CURATOR Ransomware encrypts the user's files in multiple locations and holds them hostage to ransom the unlocking service. Users with surviving backups can recover while ignoring the ransom note, although dedicated anti-malware tools are preferable for uninstalling the CURATOR Ransomware in either case.

Data Curation with Deadly Intentions

A file-locking Trojan dropping notes reminiscent of older campaigns proves, once more, that it's never a safe time to take one's server and home PC backups for granted. While most file-locking Trojans of 2020 owe their brief lives to a Ransomware-as-a-Service family such as the STOP Ransomware et al., malware experts see no connections between the CURATOR Ransomware and these groups. The Trojan could be wholly independent or a variant of another programmer's resources, such as Hidden Tear.

The CURATOR Ransomware's campaign is attacking Windows systems only. Its chief functions include scanning locations such as popular media folders for content, encrypting it (using ChaCha and AES), and appending a 'CURATOR' extension to the files' names. Essentially, such an attack creates hostages out of the user's movies, music, databases, documents and other work or general data.
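A post-incident triage helper, added here as an example and not part of the original article or any vendor tool: it walks a directory tree, lists files carrying the marker extension, and uses byte entropy to separate files that were actually encrypted (ChaCha/AES output is near-random) from files that were merely renamed. It assumes the marker takes the form ".CURATOR" appended after the original name, which the article does not state verbatim; the sample tree is constructed data.

```python
import math
import os
import tempfile
from collections import Counter

# Assumption (the page only says a 'CURATOR' extension is added): the marker is
# ".CURATOR" appended after the original name, e.g. "clip.mp4.CURATOR".
MARKER_EXTENSION = ".CURATOR"
# ChaCha/AES output is near 8 bits of entropy per byte; plain files sit well below.
ENTROPY_THRESHOLD = 7.5

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of a byte string (0.0 for empty input)."""
    if not data:
        return 0.0
    total = len(data)
    return -sum((n / total) * math.log2(n / total) for n in Counter(data).values())

def triage_directory(root: str, sample_size: int = 4096) -> dict:
    """Walk a tree and report files carrying the marker extension: every marked
    path, those whose first sample_size bytes look like ciphertext, and a count
    of the original extensions hit, so a responder can judge scope quickly."""
    report = {"marked": [], "likely_encrypted": [], "original_extensions": Counter()}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not name.endswith(MARKER_EXTENSION):
                continue
            path = os.path.join(dirpath, name)
            report["marked"].append(path)
            original = name[: -len(MARKER_EXTENSION)]
            report["original_extensions"][os.path.splitext(original)[1].lower()] += 1
            with open(path, "rb") as fh:
                head = fh.read(sample_size)
            # A renamed but empty or plain file counts as marked, not encrypted.
            if shannon_entropy(head) >= ENTROPY_THRESHOLD:
                report["likely_encrypted"].append(path)
    return report

def build_sample_tree() -> str:
    """Constructed sample data: one 'encrypted' file, one empty marked file,
    one untouched text file."""
    root = tempfile.mkdtemp(prefix="curator_triage_")
    os.makedirs(os.path.join(root, "Videos"))
    with open(os.path.join(root, "Videos", "clip.mp4.CURATOR"), "wb") as fh:
        fh.write(os.urandom(8192))  # stands in for ChaCha/AES ciphertext
    open(os.path.join(root, "Videos", "draft.doc.CURATOR"), "wb").close()
    with open(os.path.join(root, "notes.txt"), "wb") as fh:
        fh.write(b"plain text " * 200)
    return root
```

Point triage_directory at a media folder root on an affected machine; the entropy check tells a responder which marked files the Trojan actually encrypted and which it only renamed or truncated.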

Like most file-locking Trojans, the CURATOR Ransomware depends on a ransom note – a text file – to encourage victims to pay for the attacker's recovery assistance. The threat actor uses two disposable e-mails for negotiations and offers to decrypt one to three files as a demonstration and added incentive. Malware experts point out that the instructions are copies of older Trojans' notes, and some phrases suggest connections to families like the AES-Matrix Ransomware. However, threat actors often 'borrow' each other's ransom messages, and the CURATOR Ransomware's genealogy requires more confirmation.

Stepping Back from Data-Curating Gone Wrong

Windows users shouldn't place all of their hopes in free decryption or data restoration. For most well-programmed examples of file-locking Trojans, such services are unavailable or limited. Malware researchers also discourage using Restore Points as one's only backup; most Trojans of the CURATOR Ransomware's classification will delete them through background system commands. Saving a backup to a separate device such as a USB drive, or even to a cloud service, is by far the most useful data restoration solution.

Users also should invest in defensive measures that can prevent CURATOR Ransomware infections from happening at all. Downloading illicit content, such as game cracks over torrents, significantly increases home users' risk of exposure to file-locking Trojans. Weak passwords are typical vulnerabilities that attackers crack and use for gaining access to servers or networks. E-mail attachments are also particularly suspect, and malware experts often connect attacks to fake invoices and other work-themed, corrupted documents.

While decryption for this campaign remains highly theoretical, file-locking Trojans rarely put much effort into obfuscating their code from security products. Appropriate cyber-security suites and tools should block and remove the CURATOR Ransomware, along with the majority of similar Trojans.

The CURATOR Ransomware's curation is worth exactly nothing to anyone subjected to it, although the files that it targets could be of inestimable value. Windows users are dividing themselves into two classes: those who protect themselves from extortion and those who don't. Anyone would be wise to place themselves in the former category.
