
DecService Ransomware

Posted: December 4, 2018

The DecService Ransomware is a file-locking Trojan that uses AES encryption for blocking documents and other formats of media. Its attacks may include other symptoms, and malware researchers are confirming its use of a ransom note that misrepresents its data-encrypting method. Have your anti-malware tools remove the DecService Ransomware appropriately before taking any other necessary actions for retrieving or unlocking the files that it damages.

Imaginary Algorithms for Real Data Crimes

A file-locker Trojan that, ordinarily, would be of little note relative to any variant of Hidden Tear or the Scarab Ransomware is showing an unusual choice of phrasing in its ransom note. Besides most of the conventional techniques that it shares with the other threats of its classification, the DecService Ransomware inserts incorrect information regarding its data-enciphering routine for the victim's reading. Such a social engineering tactic is, probably, no more than the threat actor's attempt at making the Trojan seem secure without doing any of the associated work.

The DecService Ransomware attacks documents, spreadsheets, compressed archives, music, and other media formats by running a background process that searches for and encrypts these files. Once the data is encrypted and, therefore, 'locked,' the DecService Ransomware creates a follow-up Notepad message to the user. Most of this text is a copy-paste from other file-locker Trojans' campaigns, but the DecService Ransomware does have one unusual change: claiming that it's using an AES-512 encryption method. Since AES algorithms cap their key sizes at 256 bits, this claim is impossible. Malware experts are speculating that the author chose '512' to make decryption seem difficult since higher key sizes increase the complexity of the solution.

Any other side effects of the DecService Ransomware's payload are unknown, as of early December. However, malware analysts regularly caution that the majority of file-locker Trojans can delete locally-stored backups, as well as disable useful security features like Safe Mode or the Registry Editor, and hijack the user's desktop wallpaper.

Cheap, File-Preserving Service with a Smile

The DecService Ransomware could circulate through torrents, exploit kit-hosting websites or an ad network with malvertising content, all of which require some degree of poor security habits on the victim's part for successful installations. Less obviously, some victims may endanger their systems by using logins that are at risk for brute-forcing, such as a guessable password like 'admin1.' In many infection scenarios, malware experts track the breaches back to spam e-mails, such as an attachment that's pretending to be an invoice.

Although most PC security products with any significant threat-detection features should identify the DecService Ransomware, unlocking your files isn't guaranteed, whether or not you pay the ransom. Always back up work of any value to another system or storage drive for safekeeping, and update it regularly. Anti-malware programs may disinfect your PC and remove the DecService Ransomware safely, but can't restore any files whose local backups the DecService Ransomware has wiped.

The DecService Ransomware isn't the only Trojan that lies about how it blocks your media, but most threat actors prefer falsehoods with some degree of credibility. The unprofessionalism of the DecService Ransomware's payload banks on the assumption that its victim knows nothing about cryptography, which, hopefully, isn't a bet in its favor.
