
EnCiPhErEd Ransomware

Posted: January 29, 2020

The EnCiPhErEd Ransomware is a file-locker Trojan from the Xorist Ransomware family. As with most variants of that collective, the EnCiPhErEd Ransomware can block selected media files with its possibly-irreversible encryption, and create ransom notes, such as interactive pop-ups. Rather than paying the ransom, users should restore from backups, if possible, and let their anti-malware products isolate or delete the EnCiPhErEd Ransomware.

Extortion with User-Friendly Texting

The Trojan-fabricating kit of the Xorist Ransomware is out with a new build, months after older campaigns like the MCrypt2019 Ransomware, the MBRCodes Ransomware, the Vaca Ransomware and the PrOtOnIs Ransomware. This fresh release, by the name of the EnCiPhErEd Ransomware, showcases many of the old attacks of this family and ones competing with it, but also includes additional negotiating channels. The EnCiPhErEd Ransomware's incorporation of technology into the ransoming method might drive its profits up – or down.

The EnCiPhErEd Ransomware is a Windows threat that appends the default Xorist Ransomware extension, 'EnCiPhErEd', to the files it blocks. Users should anticipate locked formats including ZIP archives, JPG pictures, AVI movies, Word DOC documents and over a dozen others. The encryption uses XOR or TEA as its algorithm, and the free decryptors for unlocking the media may or may not work against the EnCiPhErEd Ransomware build.
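As an added example (not code from the write-up or from the Xorist kit), the script below inventories files carrying the 'EnCiPhErEd' extension so that their original names can be matched against backups, which is the recovery route recommended above. It assumes the marker is appended after the original extension (photo.jpg becomes photo.jpg.EnCiPhErEd); that layout and the sample directory it builds are constructed assumptions.

```python
# Added example: inventory files carrying the '.EnCiPhErEd' marker extension
# so the originals can be matched against backups. Assumes the marker is
# appended after the original extension (photo.jpg -> photo.jpg.EnCiPhErEd);
# that layout is an assumption, not confirmed by the write-up.
import tempfile
from collections import Counter
from pathlib import Path

MARKER = ".EnCiPhErEd"  # extension named in the write-up (assumed case-sensitive)


def inventory_encrypted(root, marker=MARKER):
    """Walk `root`; return (entries, counts_by_original_extension).

    Each entry maps the encrypted path to the name the file had before the
    marker was appended, so a restore-from-backup list can be produced.
    """
    entries = []
    for path in Path(root).rglob("*"):
        if path.is_file() and path.name.endswith(marker):
            original = path.name[: -len(marker)]
            entries.append({
                "encrypted": str(path),
                "original_name": original,
                "original_ext": Path(original).suffix.lower(),
            })
    counts = Counter(e["original_ext"] for e in entries)
    return entries, counts


def build_sample_tree():
    """Constructed sample: a directory imitating an affected workstation."""
    root = tempfile.mkdtemp(prefix="enciphered_demo_")
    layout = {
        "docs/report.doc" + MARKER: b"\x00" * 16,
        "docs/notes.txt": b"untouched",  # no marker: left alone
        "media/holiday.jpg" + MARKER: b"\x00" * 16,
        "media/clip.avi" + MARKER: b"\x00" * 16,
        "archive/backup.zip" + MARKER: b"\x00" * 16,
    }
    for rel, data in layout.items():
        full = Path(root, rel)
        full.parent.mkdir(parents=True, exist_ok=True)
        full.write_bytes(data)
    return root


if __name__ == "__main__":
    entries, counts = inventory_encrypted(build_sample_tree())
    for e in entries:
        print(f"{e['encrypted']} -> restore as {e['original_name']}")
    print(dict(counts))
```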

The pop-up that the EnCiPhErEd Ransomware creates, along with its desktop wallpaper message, are the two points that malware experts find of interest. Both provide numbers for SMS messaging from the victim's phone, instead of traditional contacts like e-mails. The pop-up also includes a password-based interface for recovering the files that the Trojan locks, although acquiring the password, presumably, requires paying the ransom first. While SMS options are unusual in file-locker Trojans, malware experts do see them occasionally in other threats' campaigns, such as the exploits of the Geost Botnet and the Joker Trojan's fake service signups.

Keeping Communication Channels Closed to Bad Faith Actors

The Windows-based nature of the EnCiPhErEd Ransomware narrows the potential pool of its victims only minimally. On the other hand, malware researchers see clearer signs of its distribution exploits in some samples. Some, but not all, versions of the EnCiPhErEd Ransomware's executable hide as fake versions of WinRAR, a file compression and archive storage program. Avoiding torrents, malvertising and non-official downloads may help users dodge EnCiPhErEd Ransomware infections.

Although many variants of the Xorist Ransomware favor Russian victims, others target English speakers, like the EnCiPhErEd Ransomware. Any encryption attacks, generally, are capable of blocking files on any user's computer around the world – unless the threat actor inserts additional, unnecessary branching conditions, such as keyboard layout checks. All PC users, both casual and otherwise, should prepare backups on secondary devices for a last-resort recovery from file-locking Trojans and their associated media damages.

Most anti-malware products are identifying the EnCiPhErEd Ransomware cleanly and should experience few or no problems with removing the Trojan from Windows computers, or blocking the traditional drive-by-download exploits.

The Xorist Ransomware isn't a hard-to-use toolkit, and new byproducts of it aren't unexpected. What makes the EnCiPhErEd Ransomware different is its use of phone messaging technology, which shows that criminals will happily talk through any means available, as long as the result is their getting paid.
