
encS Ransomware

Posted: April 9, 2020

The encS Ransomware is a file-locking Trojan that's an update of the DeathHiddenTear Ransomware. The encS Ransomware blocks files like documents using encryption, changes their extensions, and leaves ransom notes in the user's C drive. Users should always have regularly-updated backups for recovering blocked media and may use professional anti-malware services for removing the encS Ransomware as safely as possible.

Hidden Tear Gets a Revamped Meaning

A minor file-locking Trojan, the DeathHiddenTear Ransomware, is updating itself with fresh encryption and new ransoming cosmetics for its latest attacks. Although the Trojan isn't definitively a relative of Utku Sen's Hidden Tear software, it shows many behavioral similarities to that old project, and those carry over into its new build. The encS Ransomware is the latest name for the threat, complete with possibly-secure encryption for asserting ownership over victims' files.

The encS Ransomware is a Windows program and follows most of the normal behavior for a file-locking Trojan in that environment. It blocks media (PDFs, DOCs, JPGs and XLSXs are verifiable examples) by encrypting each file's data and then appending a new extension to the end of the filename. Different builds of the encS Ransomware may use 'encL' as the extension, but malware experts are seeing more samples using 'encS,' hence the name.

After capturing the user's work, the encS Ransomware leaves a ransom note, a TXT file, in the root of the C drive. The note is relatively short by the standards of file-locker Trojans, but it gives minimal instructions on paying a ransom for the unlocker that the threat actor retains. However, this process isn't automated, and criminals may take their money and ignore requests for further help at any time.
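The two visible indicators described above (an appended 'encS' or 'encL' extension on otherwise ordinary documents, and a TXT note dropped at the root of the C drive) are cheap for a defender to hunt for across a file listing. The following is an added example, not code from the original article or from the malware's authors; the sample paths and the note filename `READ_ME.txt` are constructed for illustration, since the write-up only says the note is "a TXT file".

```python
"""Added example: hunt for encS Ransomware file-renaming and ransom-note
indicators in a file listing. Paths below are constructed sample data."""
import ntpath  # Windows path semantics regardless of the host OS
import os

# Extensions the write-up reports being appended to encrypted files.
ENCS_EXTENSIONS = (".encS", ".encL")

# Constructed sample listing standing in for os.walk() output on a victim host.
# 'READ_ME.txt' is a hypothetical note name, not one taken from a sample.
SAMPLE_PATHS = [
    r"C:\Users\alice\Documents\budget.xlsx.encS",
    r"C:\Users\alice\Documents\notes.docx.encS",
    r"C:\Users\alice\Pictures\holiday.jpg.encL",
    r"C:\Users\alice\Pictures\unchanged.png",
    r"C:\Program Files\App\app.exe",
    r"C:\READ_ME.txt",
]


def is_renamed_victim(path: str) -> bool:
    """True when the file carries one of the appended extensions on top of an
    original extension, e.g. 'budget.xlsx.encS' (a bare 'README.encS' is not
    counted, to cut down on false positives from unrelated files)."""
    base = ntpath.basename(path)
    for ext in ENCS_EXTENSIONS:
        if base.lower().endswith(ext.lower()):
            original = base[: -len(ext)]
            return ntpath.splitext(original)[1] != ""
    return False


def drive_root_text_notes(paths, drive: str = "C:"):
    """TXT files sitting directly in the root of the given drive, which is
    where the write-up says the ransom note is dropped."""
    notes = []
    for p in paths:
        head, tail = ntpath.split(p)
        if head.rstrip("\\").upper() == drive.upper() and tail.lower().endswith(".txt"):
            notes.append(p)
    return notes


def triage(paths, drive: str = "C:"):
    """Summarise indicators: affected files grouped by appended extension,
    plus any root-level TXT files that may be the ransom note."""
    by_ext = {}
    for p in paths:
        if is_renamed_victim(p):
            ext = ntpath.splitext(p)[1]
            by_ext.setdefault(ext, []).append(p)
    return {"renamed": by_ext, "root_notes": drive_root_text_notes(paths, drive)}


def walk_paths(root: str):
    """Collect real paths from a live host for triage() (Windows only)."""
    return [os.path.join(d, f) for d, _, files in os.walk(root) for f in files]


if __name__ == "__main__":
    result = triage(SAMPLE_PATHS)
    for ext, files in result["renamed"].items():
        print(f"{len(files)} file(s) renamed with {ext}")
    for note in result["root_notes"]:
        print("possible ransom note:", note)
```

Run against `walk_paths("C:\\")` on a suspect machine instead of the constructed list; a handful of `.encS` hits across user document folders together with a fresh TXT file at the drive root is a strong enough signal to isolate the host before any further analysis.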

What Else a Trojan may Get Up to Out of Sight

While many victims concern themselves with 'only' the loss of their work, the encS Ransomware and other file-locking Trojans tend to conduct additional, less-visible attacks as well. Although malware researchers can't verify the deletion of Restore Points that is typical of such threats, they confirm that the encS Ransomware wipes Registry-based proxy and intranet settings. Doing so makes the encS Ransomware better suited to compromising unprotected multi-machine environments, such as a business's internal network.
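Wiped proxy and intranet settings are only noticeable if you know what the values looked like beforehand, so a practical defensive check is to baseline the per-user Internet Settings values and diff them after a suspected incident. The following is an added example, not code from the original article; it uses the real `HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings` key and its `ZoneMap` subkey, but the specific value names watched, the baseline data and the "after" snapshot are assumptions constructed for illustration, not values recovered from an encS Ransomware sample.

```python
"""Added example: baseline and diff the Windows per-user Internet Settings
registry values that the write-up says the encS Ransomware wipes.
The diff itself needs no registry access, so it runs on any OS."""

INTERNET_SETTINGS = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
ZONE_MAP = INTERNET_SETTINGS + r"\ZoneMap"

# Value names to baseline. Assumed set for the example: these are standard
# names under the two keys, but an environment may rely on others too.
WATCHED = {
    INTERNET_SETTINGS: ("ProxyEnable", "ProxyServer", "ProxyOverride", "AutoConfigURL"),
    ZONE_MAP: ("IntranetName", "UNCAsIntranet", "AutoDetect"),
}


def snapshot_windows():
    """Read the watched values from the live registry (Windows only).
    Returns {key_path: {value_name: data}} in the same shape as the
    constructed snapshots below."""
    import winreg  # only importable on Windows

    snap = {}
    for key_path, names in WATCHED.items():
        subkey = key_path.split("\\", 1)[1]  # strip the 'HKCU\' prefix
        snap[key_path] = {}
        try:
            with winreg.OpenKey(winreg.HKEY_CURRENT_USER, subkey) as key:
                for name in names:
                    try:
                        snap[key_path][name] = winreg.QueryValueEx(key, name)[0]
                    except FileNotFoundError:
                        pass  # value not set on this host
        except FileNotFoundError:
            pass  # key absent entirely
    return snap


def diff_snapshots(baseline, current):
    """Report watched values that existed in the baseline and are now absent
    or changed. Returns a list of (key_path, value_name, status) tuples."""
    findings = []
    for key_path, values in baseline.items():
        now = current.get(key_path, {})
        for name, data in values.items():
            if name not in now:
                findings.append((key_path, name, "missing"))
            elif now[name] != data:
                findings.append((key_path, name, "changed"))
    return findings


def proxy_settings_wiped(findings):
    """Heuristic matching the behaviour described in the write-up: the
    configured proxy server and intranet name are both gone at once."""
    missing = {(k, n) for k, n, status in findings if status == "missing"}
    return (INTERNET_SETTINGS, "ProxyServer") in missing and (ZONE_MAP, "IntranetName") in missing


# Constructed baseline for a hypothetical corporate workstation.
BASELINE = {
    INTERNET_SETTINGS: {
        "ProxyEnable": 1,
        "ProxyServer": "proxy.corp.example:8080",
        "ProxyOverride": "*.corp.example;<local>",
    },
    ZONE_MAP: {"IntranetName": 1, "UNCAsIntranet": 1},
}

# Constructed post-incident snapshot: proxy disabled, everything else removed.
AFTER_INCIDENT = {INTERNET_SETTINGS: {"ProxyEnable": 0}, ZONE_MAP: {}}


if __name__ == "__main__":
    for key_path, name, status in diff_snapshots(BASELINE, AFTER_INCIDENT):
        print(f"{status:8} {key_path}\\{name}")
    print("proxy/intranet settings wiped:", proxy_settings_wiped(diff_snapshots(BASELINE, AFTER_INCIDENT)))
```

In practice the baseline comes from `snapshot_windows()` taken on a known-good machine (or exported from group policy) and stored off-host; a diff that shows the proxy server and intranet zone names disappearing together, rather than a user simply toggling `ProxyEnable`, is the pattern to alert on.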

Despite this significant clue about its presumed targets, current samples of the encS Ransomware give little evidence of how they circulate. They could be using targeted e-mail phishing, random torrents, or watering-hole attacks on hacked websites. Disguised droppers, such as documents with macros, are highly likely for file-locking Trojans of most origins.

Anti-malware products can remove the Trojan but can't unlock the encrypted files. The Trojan has yet to appear outside of Windows environments, with Windows 10 users being most at risk.

The encS Ransomware is a subtle yank in the tug-of-war between threat actors and the cyber-security industry. With decryptors always being iffy propositions, victims should place more hopes in responsible backups than in undoing near-permanent damage.
