
EKING Ransomware

Posted: October 15, 2020

The EKING Ransomware is a file-locking Trojan that's a variant of the Phobos Ransomware. The EKING Ransomware uses a custom encryption method for blocking media on the PC while also deleting backups and disabling associated security or file management tools. Users with secure backups on other devices should have no recovery issues, and cyber-security products should counteract attacks and remove the Trojan.

The Document Fakeout that Drops Trojans after the Fact

Macros and other 'advanced' document or spreadsheet content tend to figure in many file-locking Trojans' campaigns. Thanks to the numerous exploits possible through such attacks, users often infect their computers by perusing a fake invoice or another phishing lure. However, the Trojan, a new version of Phobos Ransomware, is stepping up the game with a fakeout that distracts users from the invisible attack that breaches the system's security.

The Trojan's campaign uses Word documents, presumably delivered as e-mail attachments, as the infection vector. All of the document's 'content' is hidden behind a prompt styled as an 'advanced content' decryption request. In most drive-by-downloads, the attack triggers when the victim enables this content through the prompt. In the Trojan's case, the prompt is a mere distraction: the corrupted macro runs whenever the user closes the document, which makes this Trojan's infections harder to thwart than many previous examples.
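As an added illustration (not code from this article or from any published analysis of the Trojan), the following Python scans VBA source extracted from a document for the procedure names that Office runs automatically, and flags modules whose only trigger is the document-close event, the behaviour described above. The sample VBA module is constructed for the demonstration.

```python
import re
from dataclasses import dataclass

# Procedure names Office runs automatically, grouped by the event that fires them.
# The names are the documented VBA auto-execute names; the grouping is ours.
AUTOEXEC_TRIGGERS = {
    "open": {"autoopen", "auto_open", "document_open", "workbook_open", "autoexec"},
    "close": {"autoclose", "auto_close", "document_close", "workbook_beforeclose"},
}

# Matches "Sub Name(" / "Private Sub Name(" / "Function Name(" at line start.
PROC_RE = re.compile(
    r"^\s*(?:public\s+|private\s+)?(?:sub|function)\s+([A-Za-z_]\w*)\s*\(", re.I | re.M
)


@dataclass
class MacroFinding:
    procedure: str
    event: str  # "open" or "close"


def find_autoexec_procedures(vba_source: str) -> list[MacroFinding]:
    """Return every procedure whose name Office auto-runs, with the event that fires it."""
    findings = []
    for name in PROC_RE.findall(vba_source):
        for event, names in AUTOEXEC_TRIGGERS.items():
            if name.lower() in names:
                findings.append(MacroFinding(name, event))
    return findings


def runs_on_close_only(vba_source: str) -> bool:
    """True when the module has a close-time trigger but no open-time one: nothing visible
    happens when the lure is opened, and the code fires when the user closes it."""
    events = {f.event for f in find_autoexec_procedures(vba_source)}
    return "close" in events and "open" not in events


# Constructed sample of VBA source as a macro extractor would dump it; not the real lure.
SAMPLE_VBA = """\
Attribute VB_Name = "ThisDocument"
Private Sub Document_Close()
    Call Stage1
End Sub

Private Sub Stage1()
    ' placeholder body: the real macro's payload is not reproduced here
    MsgBox "closing"
End Sub
"""

if __name__ == "__main__":
    for finding in find_autoexec_procedures(SAMPLE_VBA):
        print(f"{finding.procedure}: fires on document {finding.event}")
    print("close-only trigger:", runs_on_close_only(SAMPLE_VBA))
```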

The Phobos Ransomware family to which the Trojan belongs, although only a year old, is a spinoff of the older Crysis Ransomware group and contains many features typical of that family. Examples of campaigns from the same source include the Adage Ransomware, the Isos Ransomware, the Caleb Ransomware and the Eight Ransomware. Initial analysis from malware researchers re-confirms that this variant continues the traditional attacks of its family, including:

  • AES encryption in CBC mode (in the Trojan's case, with a customized function) blocks media files from opening, with the files protected by a secure key.
  • A drive-finding feature that automatically detects newly attached storage devices, such as USB drives, and accessible network shares, which it also encrypts.
  • A Restore Point or Shadow Volume Copy deletion feature.
  • Auto-termination of security and file-management processes, such as the Windows Firewall, so that the Trojan keeps access to the files it blocks.
  • The creation of HTA and TXT ransom notes, the former of which it loads as a pop-up alert. Through these notes, the attackers solicit ransom money for the decryption and file-unlocking service that only they can provide.

Keeping Trojans from Playing King Over Your Files

By far, the most intriguing characteristic of the Trojan's campaign is the initial installation attack, which flows through a spreadsheet and a PDF document before eventually downloading the Trojan from the threat actor's server and installing it. Because enabling the document macro is unnecessary, victims are at even greater risk from this campaign than from the average attack that uses 'advanced content' requiring overt, if misinformed, consent. As such, malware researchers recommend against opening any documents from suspicious e-mails or other unsafe sources. Users who open suspicious files should, at a minimum, scan them for threats and update their document reader software for vulnerability patches.

The main thrust of the Trojan's payload, blocking files for a ransom, is a long-known cliché among the Phobos Ransomware family. Users should protect their files preemptively by saving backups with adequate security, such as password protection, onto other devices. Victims should also remain alert to the Trojan's potential disruption of features like Windows Startup Repair and boot-up warning messages.

Along with backups, all users can protect themselves with traditional cyber-security products. With such protection, there are multiple elements of this Trojan's campaign that may grind to a halt, such as its document, its download URL, and numerous stages of trojan droppers. Windows users also can disinfect their PCs and remove the Trojan with similar services.

The installation point is the weakest but most necessary step in any Trojan's campaign. As long as users pay sufficient attention, they may still stop the Trojan from taking hold of their files, even if it requires a little more due diligence than usual.
