
ExecutorV3 Ransomware

Posted: September 29, 2020

The ExecutorV3 Ransomware is a file-locking Trojan that blocks media files and holds them for ransom after encrypting them. Current versions of the Trojan include bugs that make its ransom notes illegible. Users with backups can recover without paying, regardless, and typical anti-malware services should quarantine and remove the ExecutorV3 Ransomware adequately.

The Executor Aims His Ax the Wrong Way

It's not for nothing that Ransomware-as-a-Service offerings are so popular: developing file-locker-style software is fraught with challenges. Samples of an independent threat, the ExecutorV3 Ransomware, display one of those issues, the need to filter encryption targets appropriately. The Trojan attempts a standard 'sabotage and ransom' attack in its payload, but it also destroys its own ransom messages while doing so.

The ExecutorV3 Ransomware is a .NET Framework program that isn't part of any family or previously-known Trojan resource such as Hidden Tear or EDA2. In many cases, malware experts link its installation exploits to RAR-archived Trojan droppers that deliver it to the target system. Its main features are selecting digital media files for blocking with encryption, creating a series of text ransom notes, and adding a 'babaxed' extension to each captive file.

The ExecutorV3 Ransomware's execution has several pitfalls. It creates unnecessary duplicates of its ransom note and, worse, encrypts them too, making them unreadable. Samples available to malware researchers for analysis show that the notes ask for fifty USD in Bitcoin, paid to a currently-empty wallet, with a throwaway e-mail address for negotiations. These details are less sophisticated than the standardized methods of more polished RaaSes, and they imply that the Trojan is acquiring victims at random, without much supporting infrastructure such as a Tor website.
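As an added incident-triage example (not code from the write-up or from the Trojan), the script below walks a directory tree, counts files carrying the 'babaxed' extension and flags ransom notes that were themselves encrypted, the bug described above. The ransom-note file name (`README_decrypt.txt`) and the sample tree it builds are assumptions, since the write-up does not give the real note name.

```python
import string
import tempfile
from pathlib import Path

LOCKED_EXT = ".babaxed"   # extension the write-up says ExecutorV3 appends to each captive file
NOTE_HINT = "readme"      # assumed: substring of the ransom-note file name (real name not given)
PRINTABLE = set(string.printable.encode("ascii"))
CIPHERTEXT = bytes(range(128, 192))  # constructed stand-in for encrypted content (no printable bytes)

def looks_like_text(path, sample=512):
    """True when the first bytes are almost all printable ASCII, i.e. the note is still legible."""
    data = Path(path).read_bytes()[:sample]
    return bool(data) and sum(b in PRINTABLE for b in data) / len(data) > 0.9

def is_note_name(name):
    return NOTE_HINT in name and name.endswith(".txt")

def triage(root):
    """Count locked files and ransom notes that the Trojan encrypted along with the victim's data."""
    report = {"locked": 0, "notes_legible": 0, "notes_encrypted": 0}
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        name = path.name.lower()
        if name.endswith(LOCKED_EXT):
            # A note that received the extension is an encrypted duplicate: the bug the write-up describes.
            if is_note_name(name[: -len(LOCKED_EXT)]):
                report["notes_encrypted"] += 1
            else:
                report["locked"] += 1
        elif is_note_name(name):
            # Name intact, but the body may have been overwritten with ciphertext in place.
            report["notes_legible" if looks_like_text(path) else "notes_encrypted"] += 1
    return report

def build_sample(root):
    """Constructed sample tree (not real artefacts): two locked files, one legible note,
    one note duplicate that got the extension, one note whose body is ciphertext."""
    root = Path(root)
    (root / "pics").mkdir(parents=True, exist_ok=True)
    (root / "pics" / ("holiday.jpg" + LOCKED_EXT)).write_bytes(CIPHERTEXT)
    (root / ("thesis.docx" + LOCKED_EXT)).write_bytes(CIPHERTEXT)
    (root / "README_decrypt.txt").write_text("Your files are encrypted. Pay 50 USD in Bitcoin.\n")
    (root / ("README_decrypt.txt" + LOCKED_EXT)).write_bytes(CIPHERTEXT)
    (root / "pics" / "README_decrypt.txt").write_bytes(CIPHERTEXT)

def demo():
    """Build the sample tree in a fresh temporary directory and triage it."""
    root = tempfile.mkdtemp(prefix="executorv3_triage_")
    build_sample(root)
    return triage(root)
```

Run `demo()` against the constructed tree; on a real machine, point `triage()` at the user's profile and treat any `notes_encrypted` count as confirmation that backups, not the note, are the recovery path.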

Axing Amateur-Hour Trojan Campaigns

The ExecutorV3 Ransomware's fake copyright details imply that the Trojan circulates by posing as a download of an e-sports 'GameBuddy' or card-game program. Users can curate their downloads by using officially-monitored storefronts, scanning files before opening them, and avoiding files with low reviews or ratings. Most cyber-security products will detect the ExecutorV3 Ransomware's executable, although detection rates are lower for its Trojan droppers, with an average of three out of every four products not flagging them.

Whether or not the ExecutorV3 Ransomware leaves behind legible ransom notes, users have their documents, pictures, and other media at risk from its encryption routine. Appropriate backups on separate storage devices are integral to avoiding extortion by file-locking Trojans of any type. Windows users are the only ones endangered by the ExecutorV3 Ransomware's campaign, but threats with virtually identical features also appear on macOS and Android.

Users can protect themselves from infections with dedicated anti-malware software, which should block this Trojan's installers, and remove the ExecutorV3 Ransomware, as necessary. As always, disinfection doesn't restore encrypted files.

The ExecutorV3 Ransomware is a hastily cobbled-together program that encrypts a little more than its author presumably intended. The result for a victim isn't any different, though, except that there is even less hope of meaningful data recovery.
