
Efji Ransomware

Posted: October 19, 2020

The Efji Ransomware is a file-locking Trojan that comes from the Ransomware-as-a-Service family, STOP Ransomware. The Efji Ransomware blocks media files on Windows PCs, may delete backups or block websites and delivers ransom notes for selling its file-recovery help. Users with protected backups can recover for free after deleting the Efji Ransomware through credible security solutions.

Families Blocking Files with New Extensions by the Day

Rotating extension usage is a hallmark of a Ransomware-as-a-Service, consisting of dozens, hundreds, or even thousands of minor variants of the same core software. The campaign of the Efji Ransomware offers a demonstration of the simplest way of choosing an extension: with random alphabet characters. While seemingly unhelpful, the four-character string is a distinctive trait of its family: the STOP Ransomware.

The Ransomware-as-a-Service group of the STOP Ransomware, also called Djvu Ransomware after a very early variant, can circulate through torrents, e-mail spam, Exploit Kits, or brute-force attacks against weakly-password-protected targets. The Efji Ransomware may hide its installation exploit in a background process and usually doesn't require consent beyond enabling a macro or opening a seemingly-unrelated file. Like most Ransomware-as-a-Service families, the Efji Ransomware prefers modern versions of Windows, which represent a majority of PC demographics.

The Efji Ransomware attacks systems through the following features, among others, which it shares with its other family variants:

It uses AES encryption with a key (internal, or downloaded from a Command & Control server) for securely locking the user's files. This encryption routine typically affects most documents, spreadsheets, pictures, music, and similar media and adds a cosmetic extension, such as the Efji Ransomware's '.efji'.

The Efji Ransomware can block websites by changing the Hosts file in Windows installations. This attack currently disables the user's access to security and AV vendor-related sites, such as microsoft.com.

The Efji Ransomware deletes the Shadow Volume Copies, eliminating the Restore Points as a recovery method for any files.

The Efji Ransomware creates ransom notes extorting money from victims. The templates change notably between variants, and the Efji Ransomware uses TXT and HTA files similar to those of relatives like the Foqe Ransomware, the NPPH Ransomware, the Nypd Ransomware and the Pezi Ransomware.
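Because the Hosts-file change described above is one of the few side effects a victim can inspect directly, the following added example (not code from the original article or from any security vendor) parses a Windows Hosts file and reports entries that pin security-vendor domains to a loopback or null address. The watch-list of domains, the sample Hosts content and the `check_file` helper are constructed for this demonstration.

```python
"""Hosts-file tamper check for STOP/Djvu-style blocking (added example)."""

# Addresses used to "sinkhole" a name in a Hosts file.
SINKHOLE_IPS = {"127.0.0.1", "0.0.0.0", "::1"}

# Domains a victim would want reachable; assumed watch-list for the demo.
WATCHED_DOMAINS = {"microsoft.com", "windowsupdate.com", "malwarebytes.com"}

# Default Windows Hosts file location (used only by check_file).
HOSTS_PATH = r"C:\Windows\System32\drivers\etc\hosts"


def parse_hosts(text):
    """Yield (ip, hostname) pairs from Hosts-file text, ignoring comments."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        for name in names:
            yield ip, name.lower()


def matches_watched(hostname):
    """True if hostname is a watched domain or a subdomain of one."""
    return any(hostname == d or hostname.endswith("." + d) for d in WATCHED_DOMAINS)


def find_sinkholed(text):
    """Return sorted (ip, hostname) entries that block watched domains."""
    return sorted({(ip, h) for ip, h in parse_hosts(text)
                   if ip in SINKHOLE_IPS and matches_watched(h)})


def check_file(path=HOSTS_PATH):
    """Run the check against a Hosts file on disk (hypothetical helper)."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return find_sinkholed(fh.read())


# Constructed sample resembling a tampered Hosts file.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1 localhost
0.0.0.0 www.microsoft.com
0.0.0.0 update.microsoft.com   # added by malware
127.0.0.1 www.malwarebytes.com
93.184.216.34 example.com
"""

if __name__ == "__main__":
    for ip, host in find_sinkholed(SAMPLE_HOSTS):
        print(f"blocked: {host} -> {ip}")
```

Any entry the script reports that you did not add yourself is a sign the Hosts file was tampered with and should be restored from a clean copy after the infection is removed.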

Plugging Up Unending Trojan Streams

While the Efji Ransomware's family is one that malware researchers analyzed in-depth long ago, its encryption security is, unfortunately, adequate, unless the family's maintainers experience a server leak or similar sabotage. Paying ransoms for data recovery, as the Efji Ransomware's note demands, also runs into the danger of criminals sometimes not providing the service, even after a prompt payment. Additionally, the use of vouchers and cryptocurrencies (Bitcoin, Monero, etc.) raises more barriers against refunds.

To compensate, Windows users should attend to backup maintenance, with an emphasis on often-endangered media formats. Backups should always include one or more copies on non-local hardware, ideally with login protection, such as a password requirement.

Malware experts also recommend against opening strange documents, enabling macros, or turning on browser scripts (such as JavaScript) too readily. All of these vulnerabilities can expose users to drive-by-downloads through anything from the RIG Exploit Kit to a dedicated Trojan downloader. Weak passwords and illegal file-sharing behavior also correlate with this family's campaigns, to some extent.

Thankfully, most cyber-security products have no issues with identifying the many members of this Trojan's family. Containing and deleting the Efji Ransomware should happen effortlessly for any Windows environment with up-to-date anti-malware services active.

The extension is all that the Efji Ransomware has that's new for its family, besides unknown installation exploits. Without that last piece of the enigma in view, users shouldn't wait indefinitely before backing their files up, just in case they click on the wrong link.
