
Fenrir Ransomware

Posted: July 10, 2017

Threat Metric

Threat Level: 10/10
Infected PCs: 44
First Seen: July 10, 2017
OS(es) Affected: Windows


The Fenrir Ransomware is a Trojan that uses AES encryption to lock your files and then demands a ransom through pop-ups, images and text instructions. Victims may turn to anti-malware researchers for free decryption help or use backups to restore their content from clean copies. Malware experts recommend using automated anti-malware defenses to block or remove the Fenrir Ransomware, which usually installs itself disguised as another program.

Wolves Attacking Your Files with Jokes Thrown In

There's no room for laughs in the deadly serious business of extortion, but at least one threat actor is finding the time to include gags in the payload of his new Trojan. This threat, the Fenrir Ransomware, uses a file-locking routine that encrypts files and inserts new extensions into their names. However, while it shows the expected symptoms of a Trojan of its kind, the Fenrir Ransomware also conducts behind-the-scenes logging activities with a sense of humor.

By all apparent evidence, the Fenrir Ransomware is an independent program and not a relative of known threats like Hidden Tear, the Jigsaw Ransomware or the Globe Ransomware. Its primary executable disguises itself as an Adobe Reader program while gaining initial system access, after which the Trojan begins encrypting media like documents and pictures. Although the Fenrir Ransomware does insert new extensions into the names of all files that it locks, these additions aren't static strings; they are varying, ten-character hexadecimal hashes (for instance, '.A12b34cd5e' or '.1BC23D4EF5').
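As an added example (not from the article or the Trojan's own code), a Python triage helper that scans a file listing for the varying ten-character hexadecimal extensions described above, recovers the pre-lock names, and flags a directory when the share of such files crosses a threshold; the sample file names and the threshold value are constructed for illustration.

```python
import re

# The Fenrir Ransomware appends a ten-character hexadecimal extension
# (e.g. '.A12b34cd5e') to each locked file while keeping the original
# name and extension in front of it. Any ten hex digits at the end of
# the name match, so this is a heuristic, not a definitive signature.
FENRIR_EXT_RE = re.compile(r"\.[0-9A-Fa-f]{10}$")

def is_fenrir_style_name(name: str) -> bool:
    """True if the name ends in a ten-hex-character extension that was
    appended to a non-empty base name (bare dotfiles are not counted)."""
    m = FENRIR_EXT_RE.search(name)
    if not m:
        return False
    stem = name[:m.start()]
    return len(stem) > 0

def original_name(name: str) -> str:
    """Strip the appended extension to recover the name before locking."""
    if is_fenrir_style_name(name):
        return FENRIR_EXT_RE.sub("", name)
    return name

def triage_directory(names, threshold=0.25):
    """Return (suspect_names, ratio, flagged) for a directory listing.

    'ratio' is the share of names matching the pattern; 'flagged' is True
    when that share reaches the (constructed) threshold, which keeps a
    lone oddly named file from triggering an alert on its own."""
    suspects = [n for n in names if is_fenrir_style_name(n)]
    ratio = len(suspects) / len(names) if names else 0.0
    return suspects, ratio, ratio >= threshold

# Constructed sample listing: three locked files, two untouched files,
# one non-hex suffix and one hex suffix of the wrong length.
SAMPLE_LISTING = [
    "budget.xlsx.A12b34cd5e",
    "holiday.jpg.1BC23D4EF5",
    "notes.docx.0f0f0f0f0f",
    "README.txt",
    "archive.tar.gz",
    "report.pdf.GHIJKLMNOP",
    "data.bin.abcdef",
]

if __name__ == "__main__":
    found, share, alert = triage_directory(SAMPLE_LISTING)
    for n in found:
        print(f"{n} -> {original_name(n)}")
    print(f"ratio={share:.2f} flagged={alert}")
```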

Other symptoms of a Fenrir Ransomware infection include the various means by which it delivers its ransom demands for the file-unlocking decryptor, such as a desktop-hijacking image, an interactive pop-up window and an RTF document. However, malware experts identified its more interesting feature as its logging capability, which sends information about each infection to a remote server. Bizarrely, the threat actor has chosen to redirect all server traffic to the Twitter profile of a prominent anti-malware researcher, apparently as a joke.

Calming the Appetite of Gluttonous Beasts

While the Fenrir Ransomware borrows the intimidating name of a mythical monster known for heralding the end of the world with its appetite, this Trojan's encryption feature is more vulnerable than the brand would seem to indicate. Victims can try contacting appropriate researchers in the anti-malware industry for help with developing a decryption tool compatible with their blocked media. Malware experts recommend this solution, or in particular restoring from a backup, instead of paying the ransom, which is demanded in Bitcoins to prevent refunds.

Current samples of the Fenrir Ransomware all pretend to be part of an Adobe Reader installation routine, which could circulate through fraudulent update prompts on compromised or malicious websites. Many anti-malware products can identify attacks of this nature and block them or the URLs hosting them. Stopping and removing the Fenrir Ransomware before it starts attacking your files remains the best method for protecting your PC and preventing any chance of permanent data loss.

Even a surface-level familiarity with the anti-malware industry can help some threat actors gain forewarning on how to defend their threats against standard detection methods. So far, the Fenrir Ransomware seems to use its C&C features only for frivolous purposes, which, perhaps, is for the best.
