
Decme Ransomware

Posted: November 23, 2020

The Decme Ransomware is a file-locking Trojan that comes from the VoidCrypt Ransomware (or Void Ransomware) family. The Decme Ransomware can block digital media files such as documents with its encryption routine while demanding a ransom through extension changes and pop-ups. Users should save their backups to secure locations for restoring any work and have a dedicated security service uninstall the Decme Ransomware from infected PCs.

Watching the Void Expand Over More Files

Further variants of the file-locking Trojan VoidCrypt Ransomware make it evident that multiple threat actors regard it as a useful alternative to the more popular Ransomware-as-a-Service offerings on the dark Web. Samples of the Decme Ransomware date back to October of 2020, and its campaigns run alongside a sparse collection of relatives, such as the Spade Ransomware, the Peace Ransomware, the Konx Ransomware and the Exploit Ransomware. Like them, the Decme Ransomware innovates neither its ransom note nor its attack plan but relies on dependable strategies of extorting money by walling off PCs' data.

The Decme Ransomware is a Windows threat that runs on most OS versions but includes some features aimed at server environments, such as a routine that terminates SQL server tools so their files can be encrypted. The bulk of the danger to users lies in its encryption, which blocks files from opening, with a preference for commonplace media like documents. As is standard practice today, the Decme Ransomware also appends ransom-related details to the files' names as extensions.

Malware researchers regularly find file-locking Trojans deleting locally available backups, such as Restore Points. The Decme Ransomware continues this trend, stopping victims from restoring their files too conveniently and adding more pressure on the extortion side of its payload.
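The two behaviours described above (terminating SQL server tools and removing local backups such as Restore Points) are the precursor activity a defender can watch for before encryption starts. The following is an added detection example, not code from the original write-up or from the Trojan; the process-creation events are constructed, and the command-line patterns are assumptions about common forms of these actions rather than Decme's actual implementation.

```python
import re
from collections import defaultdict

# Rule categories for the two precursor behaviours. Patterns are assumed
# common command-line forms, not Decme's exact code.
RULES = {
    "backup_deletion": [
        r"\bvssadmin(\.exe)?\s+delete\s+shadows",
        r"\bwmic(\.exe)?\s+shadowcopy\s+delete",
        r"\bwbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)",
        r"(disable|delete)-computerrestore",
    ],
    "sql_process_kill": [
        r"\btaskkill(\.exe)?\s+.*\b(sqlservr|sqlwriter|sqlagent|mysqld)\b",
        r"\b(net|sc)(\.exe)?\s+stop\s+.*\b(mssql|sql)",
    ],
}
COMPILED = {cat: [re.compile(p, re.IGNORECASE) for p in pats]
            for cat, pats in RULES.items()}

# Constructed process-creation events (Sysmon Event ID 1 style); not real telemetry.
SAMPLE_EVENTS = [
    {"pid": 412,  "ppid": 4,    "cmdline": "svchost.exe -k netsvcs"},
    {"pid": 3120, "ppid": 2980, "cmdline": r"C:\Users\victim\AppData\Roaming\kx9f2q.exe"},
    {"pid": 3144, "ppid": 3120, "cmdline": "vssadmin delete shadows /all /quiet"},
    {"pid": 3150, "ppid": 3120, "cmdline": "wmic shadowcopy delete"},
    {"pid": 3160, "ppid": 3120, "cmdline": "taskkill /f /im sqlservr.exe"},
    {"pid": 3170, "ppid": 1000, "cmdline": "notepad.exe readme.txt"},
]

def find_precursors(events):
    """Return one finding per event whose command line matches a rule category."""
    findings = []
    for ev in events:
        for cat, patterns in COMPILED.items():
            if any(p.search(ev["cmdline"]) for p in patterns):
                findings.append({"category": cat, "pid": ev["pid"],
                                 "ppid": ev["ppid"], "cmdline": ev["cmdline"]})
                break
    return findings

def high_confidence_parents(events, min_categories=2):
    """Parent PIDs whose children hit at least min_categories distinct categories.
    A lone vssadmin call may be admin work; one parent doing both backup removal
    and SQL tool termination is the pattern worth escalating."""
    by_parent = defaultdict(set)
    for f in find_precursors(events):
        by_parent[f["ppid"]].add(f["category"])
    return sorted(p for p, cats in by_parent.items() if len(cats) >= min_categories)

if __name__ == "__main__":
    for f in find_precursors(SAMPLE_EVENTS):
        print(f"[{f['category']}] pid={f['pid']} ppid={f['ppid']} {f['cmdline']}")
    print("escalate parent pids:", high_confidence_parents(SAMPLE_EVENTS))
```

Correlating by parent process is what separates a genuine precursor pattern from routine administration, so alerting should key on the escalated parent rather than on any single matching command.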

Getting Some Light in a Void of Media Disruption

The Decme Ransomware uses a recycled version of the family's most common note, an HTA pop-up, to ask for its ransom, along with offering a 'free demo.' The threat actor's address also shows an unusual degree of future-proofing by referencing 2021, a possible clue to how long the Decme Ransomware will remain out in the wild. There is no freeware decryption for the Decme Ransomware, despite its code being a well-known GitHub project. Users' best chance of recovery is having non-local backups rather than risking a ransom.

Samples of the Decme Ransomware use randomly generated names, and malware researchers have no evidence of its current infection methods. Server-side infiltration may rely on brute-forcing weak passwords. Other avenues include e-mail phishing lures imitating workplace documents or more direct approaches that compromise a server through unpatched vulnerabilities. Admins should follow all of the usual security guidelines, such as using strong login credentials and installing security patches.

Reputable PC security services should flag this Trojan as a threat without problems. Because the installation tampers with some Windows components arbitrarily, users should depend on dedicated anti-malware tools to delete the Decme Ransomware.

Far from being empty like its namesake, the Void Ransomware family is growing strong, with entities like the Decme Ransomware appearing with some regularity. Any file-locking Trojan, open-source or not, is at its worst against those who don't back their files up, and Windows users who don't wish to be a bullseye in the Decme Ransomware's campaign should take heed.
