Ender Ransomware
Posted: October 9, 2017
Threat Metric
The following fields listed on the Threat Meter, each containing a specific value, are explained in detail below:
Threat Level: The threat level scale goes from 1 to 10 where 10 is the highest level of severity and 1 is the lowest level of severity. Each specific level is relative to the threat's consistent assessed behaviors collected from SpyHunter's risk assessment model.
Detection Count: The collective number of confirmed and suspected cases of a particular malware threat. The detection count is calculated from infected PCs retrieved from diagnostic and scan log reports generated by SpyHunter.
Volume Count: Similar to the detection count, the Volume Count is specifically based on the number of confirmed and suspected threats infecting systems on a daily basis. High volume counts usually represent a popular threat but may or may not have infected a large number of systems. High detection count threats could lie dormant and have a low volume count. The criteria for Volume Count are relative to a daily detection count.
Trend Path: The Trend Path, utilizing an up arrow, down arrow or equal symbol, represents the level of recent movement of a particular threat. Up arrows represent an increase, down arrows represent a decline and the equal symbol represents no change to a threat's recent movement.
% Impact (Last 7 Days): This demonstrates a 7-day period change in the frequency of a malware threat infecting PCs. The percentage impact correlates directly to the current Trend Path to determine a rise or decline in the percentage.
| Threat Level: | 10/10 |
|---|---|
| Infected PCs: | 84 |
| First Seen: | October 10, 2017 |
| OS(es) Affected: | Windows |
The Ender Ransomware is a screen-blocking Trojan that prevents you from accessing the Taskbar or other parts of the UI by covering them with its pop-up. Although its pop-up messages state otherwise, current versions of the Ender Ransomware omit any data-encrypting features and can't lock your files individually. Although dedicated anti-malware products can always uninstall the Ender Ransomware, either preemptively or after an infection, victims also may need additional steps to recover access to the Windows interface.
Trojans Ending Your Access to Windows Imperfectly
Screen-locking features are a common, but not mandatory, part of Trojan campaigns that encode files and force their owners into paying ransoms. Screen locking is just as often a feature of fraudulent Trojans that have no intention of locking any digital content one by one but pretend to do so in order to force the user into paying. Whether the latest example, the Ender Ransomware, belongs to the former sub-category or the latter remains to be seen.
The build of the Ender Ransomware available to malware analysts, for now, seems to be in an incomplete state of development. Its only attack feature of note is its ability to load an HTA window carrying an encryption alert in poor English, with numerous grammar mistakes and placeholder elements. Theoretically, the victim can click the provided button for further instructions on paying a ransom to acquire the 'encryption key.' Since the Ender Ransomware doesn't encode any documents or other files, the only purpose this code serves is closing the pop-up.
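An HTA window of the kind described above is rendered by the Windows HTML Application host, mshta.exe, which gives defenders a cheap triage signal: mshta.exe started with an .hta file as its argument, rated higher when that file sits somewhere an ordinary user can write. The following is an added example and not code from the original write-up or from the Trojan's author; the `key=value|key=value` record layout, the field names (Image, CommandLine, ProcessId, ParentImage), the list of user-writable path hints and the sample records are all constructed assumptions rather than a real Sysmon or EDR export.

```python
"""Flag process-creation records in which mshta.exe renders an .hta file.

Rule: Image is mshta.exe AND the command line names an .hta path. Severity is
"high" when the .hta lives in a user-writable or scratch directory, "low"
otherwise (still worth a look, but a vendor setup wizard can legitimately
ship one). Records and field names below are constructed assumptions.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Path fragments that mark user-writable or scratch locations (assumed list;
# extend to match your environment).
USER_WRITABLE_HINTS = ("\\appdata\\", "\\temp\\", "\\downloads\\",
                       "\\users\\public\\", "\\programdata\\")

# An .hta argument, either quoted (may contain spaces) or a bare token.
HTA_ARG = re.compile(r'"([^"]+?\.hta)"|(\S+?\.hta)\b', re.IGNORECASE)


@dataclass
class Finding:
    pid: int
    hta_path: str
    parent: str
    severity: str  # "high" or "low"
    reason: str


def parse_event(line: str) -> Dict[str, str]:
    """Split one 'key=value|key=value' record into a dict.

    The constructed sample command lines contain no '|' character; a real
    export would need a quoting-aware parser.
    """
    fields: Dict[str, str] = {}
    for part in line.strip().split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def detect_hta_launches(lines: Iterable[str]) -> List[Finding]:
    """Return one Finding per mshta.exe process that was handed an .hta file."""
    findings: List[Finding] = []
    for line in lines:
        ev = parse_event(line)
        if not ev.get("Image", "").lower().endswith("\\mshta.exe"):
            continue
        match = HTA_ARG.search(ev.get("CommandLine", ""))
        if not match:
            # mshta.exe without an .hta path (e.g. an inline script URI) is
            # a different rule and deliberately out of scope here.
            continue
        hta_path = match.group(1) or match.group(2)
        if any(hint in hta_path.lower() for hint in USER_WRITABLE_HINTS):
            severity = "high"
            reason = "HTA rendered from a user-writable directory"
        else:
            severity = "low"
            reason = "HTA rendered from a non-user-writable directory; check vendor provenance"
        findings.append(Finding(int(ev.get("ProcessId", "0")), hta_path,
                                ev.get("ParentImage", ""), severity, reason))
    return findings


# Constructed sample records (not captured from a real Ender infection).
SAMPLE_EVENTS = [
    'EventID=1|Image=C:\\Windows\\System32\\mshta.exe|CommandLine="C:\\Windows\\System32\\mshta.exe" "C:\\Users\\alice\\AppData\\Local\\Temp\\locker.hta"|ProcessId=4120|ParentImage=C:\\Users\\alice\\Downloads\\invoice.exe',
    'EventID=1|Image=C:\\Program Files\\Vendor\\Tool\\tool.exe|CommandLine="C:\\Program Files\\Vendor\\Tool\\tool.exe"|ProcessId=4200|ParentImage=C:\\Windows\\explorer.exe',
    'EventID=1|Image=C:\\Windows\\System32\\mshta.exe|CommandLine=mshta.exe "C:\\Program Files\\Vendor\\Setup\\wizard.hta"|ProcessId=4300|ParentImage=C:\\Program Files\\Vendor\\setup.exe',
]

if __name__ == "__main__":
    for f in detect_hta_launches(SAMPLE_EVENTS):
        print(f"[{f.severity}] pid={f.pid} hta={f.hta_path} parent={f.parent}: {f.reason}")
```

Run against the constructed records, the first event (an .hta under the user's Temp folder, spawned by a download) is rated high and the vendor wizard is rated low; the parent image is carried along because it is usually the first thing an analyst wants when deciding whether the launch is a locker or a legitimate installer.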
Because many file-locking Trojans also use screen-locker features in their payloads, the Ender Ransomware's author could intend to add actual data-enciphering attacks in the future. Along with the feature already blocking the user's ability to open other programs or use the Windows interface, a non-consensual encryption function could prevent arbitrary types of media from opening, such as documents, pictures or spreadsheets. Trojans often add extensions to the names of any content that they hold hostage (such as '.ender').
Putting an End to Plunder without the Pain Backing It Up
While the Ender Ransomware's author has clear motivations of trying to profit off of locking arbitrary PCs out of Windows, its screen-locking feature is significantly less challenging to override than the encryption algorithms of other Trojans competing in the same underground industry space. Default shortcuts, such as Alt + F4 (which closes the currently focused program or window), can help users remove the pop-up temporarily; the Safe Mode feature can facilitate rebooting without loading this Trojan; and booting from a secondary drive also is a viable route for recovery. Traditionally, malware experts discourage paying the ransoms associated with similar attacks, which almost always use payment methods not subject to refund policies or customer protections.
The file data of current samples implies that the Ender Ransomware's campaign is attacking not just English speakers but also residents of Finland. Unfortunately, malware experts have yet to confirm any live incidents of other threats dropping the Ender Ransomware, and the Trojan may use infection exploits that range from email attachments to brute-force attacks or torrents. Due to this Trojan's relatively high evasion rate within current detection protocols, updating your anti-malware software may be necessary for catching and deleting the Ender Ransomware immediately.
The Ender Ransomware could be content to be a screen-locking Trojan with lies piled on top of a relatively simple attack, or it could be a stepping stone that will soon be upgraded to worse attacks. No matter what the truth is, obeying a harmful program's advice will result in little other than enriching its author for taking the time to lock your PC.