
Devos Ransomware

Posted: January 21, 2020

The Devos Ransomware is a file-locking Trojan from the Phobos Ransomware's Ransomware-as-a-Service business. It includes the symptoms and attacks expected of that family, such as blocking files, deleting backups, and presenting ransom demands through text files and pop-ups. Users should let their anti-malware services uninstall the Devos Ransomware as soon as possible and should have backups prepared so that recovery is inexpensive.

Fearing for Files Again in January

The Phobos Ransomware, the Greek-named family of file-locking Trojans, is maintaining its rigorous pace of new variants and campaigns into the start of 2020. Threats like the Devos Ransomware and the Dever Ransomware are minor updates with few changes from the 'fobosamerika@protonmail.ch' Ransomware, the 'tedmundboardus@aol.com' Ransomware and the Barak Ransomware. Victims can refer to any other member of this family for a preview of the symptoms and dangers of an infection, including, unfortunately, the loss of their files.

The Devos Ransomware – a potentially confusing renamed spinoff of the Dever Ransomware – keeps the characteristics typical of a Ransomware-as-a-Service: it blocks documents, pictures, and other files and demands money for their return. The blocking procedure uses encryption, which, barring unusual bugs or a leak of the attackers' server database, prevents victims from opening their files indefinitely. This Trojan's family also uses a fairly generic renaming convention for encrypted files: most of the filename is left unaltered, but a bracket-enclosed ID, an e-mail address, and the Trojan's name are appended (for instance: 'example.jpg[ID][e-mail].Devos').
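The renaming convention above is something a responder can use to triage an infection: walking a share and parsing the appended parts tells you how many files were touched, which victim ID and contact address the sample stamped on them, and the original names that need restoring from backup. The following Python is an added example written for this page, not code from the original article or from the malware's authors. It assumes the format exactly as the article states it (original name, then a bracketed ID, then a bracketed e-mail, then the family extension) and treats only the two extensions named on this page, Devos and Dever, as matches; the sample listing is constructed for the demonstration.

```python
import os
import re
from collections import Counter

# Extensions appended by this family, as named in the write-up (Devos, Dever).
FAMILY_EXTENSIONS = ("Devos", "Dever")

# Renaming convention described in the article:
#   <original filename>[<victim ID>][<attacker e-mail>].<family extension>
# Assumption: the ID and e-mail fields contain anything except a closing bracket.
_LOCKED_NAME = re.compile(
    r"^(?P<original>.+?)"
    r"\[(?P<victim_id>[^\]]+)\]"
    r"\[(?P<email>[^\]]+)\]"
    r"\.(?P<family>" + "|".join(map(re.escape, FAMILY_EXTENSIONS)) + r")$"
)

# Constructed sample listing: one entry is the article's own example, the rest are
# made up to show multiple files, a second family extension, and two non-matches.
SAMPLE_LISTING = [
    "example.jpg[ID][e-mail].Devos",
    "budget-2019.xlsx[A1B2C3D4][contact@example.invalid].Devos",
    "thesis.docx[A1B2C3D4][contact@example.invalid].Dever",
    "notes.txt",          # untouched file
    "photo[1].jpg",       # a bracket in an ordinary name must not match
]


def parse_locked_name(filename):
    """Split an encrypted filename into its parts, or return None if it does not match."""
    match = _LOCKED_NAME.match(filename)
    return match.groupdict() if match else None


def scan_filenames(filenames):
    """Summarise a list of filenames (for example from a directory walk) for this family's marks."""
    locked = [parts for parts in map(parse_locked_name, filenames) if parts]
    return {
        "locked_count": len(locked),
        "victim_ids": sorted({p["victim_id"] for p in locked}),
        "emails": sorted({p["email"] for p in locked}),
        "families": Counter(p["family"] for p in locked),
        # Names to look up in backups once the infection is contained.
        "original_names": [p["original"] for p in locked],
    }


def scan_directory(root):
    """Walk a real directory tree and summarise it; only filenames are read, never contents."""
    names = [name for _, _, files in os.walk(root) for name in files]
    return scan_filenames(names)


if __name__ == "__main__":
    summary = scan_filenames(SAMPLE_LISTING)
    print(f"{summary['locked_count']} locked file(s)")
    print("victim IDs:", summary["victim_ids"])
    print("contact addresses:", summary["emails"])
    print("per family:", dict(summary["families"]))
    print("restore from backup:", summary["original_names"])
```

Run it against a mounted share with `scan_directory("/path/to/share")` after the machine has been isolated and the Trojan removed; the summary only reads filenames, so it is safe to run on a read-only mount of the affected volume. Because matching is anchored on the trailing family extension, ordinary names that happen to contain brackets are not reported.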

Besides the encryption that's the foundation of any file-locking Trojan, the Devos Ransomware also:

  • Generates advanced Web page pop-ups in the format of the Dharma Ransomware family.
  • Leaves TXT files with ransoming information on the decryption service.
  • Erases the Shadow Volume Copy-based backups.

Although this variant has an initial creation date of late 2019, malware experts saw no samples available until January 2020. The filenames used for the executable also suggest that threat actors are installing it manually or by other methods that don't depend on victims opening the file directly, such as by mimicking a software update.

Putting Phobias to Bed Once Again

Unlocking any data that the Devos Ransomware holds hostage requires victim-specific encryption information, which, as a rule, isn't available to third-party security researchers, regardless of their competence. Users can try advanced data restoration utilities, but, in most cases, malware experts only see pre-established backups on unaffected devices being effective against file-locker Trojans and their sabotage of digital media. The Devos Ransomware may leave the operating system and similar software unharmed, but it will encrypt a majority of private or work-related content, including databases, archives, documents and pictures.

Preventing infections also requires some security habits that all users should follow by default. Unsafe downloads are a possible source of attack in the Devos Ransomware's campaign; they include both targeted e-mail attachments, such as fake invoices, and impersonal downloads like torrents. JavaScript, Flash, Java, and Word and Excel macros are also possible infection vectors, ripe for exploitation through remote code execution and other issues.

If no other defense suffices, anti-malware programs from most vendors will contain and delete the Devos Ransomware automatically. The same applies to different variants of the Phobos Ransomware and its original group of the Dharma Ransomware.

Ransomware-as-a-Service is still in a 'boom' phase, and getting it to 'bust' is something that only the victims can control. Until users start protecting their files and stop paying, relatives of the Devos Ransomware will be a daily problem on the Web.
