First Ransomware
Posted: January 5, 2017
Threat Metric
The fields shown on the Threat Meter are explained below:
- Threat Level: The threat level scale runs from 1 to 10, where 10 is the highest severity and 1 the lowest. Each level is relative to the threat's consistently assessed behaviors, as collected by SpyHunter's risk assessment model.
- Detection Count: The collective number of confirmed and suspected cases of a particular malware threat. The detection count is calculated from infected PCs identified in diagnostic and scan log reports generated by SpyHunter.
- Volume Count: Similar to the detection count, the Volume Count is based on the number of confirmed and suspected threats infecting systems on a daily basis. A high volume count usually represents a popular threat but does not necessarily mean a large number of systems has been infected. A threat with a high detection count could lie dormant and have a low volume count. The criterion for the Volume Count is relative to the daily detection count.
- Trend Path: The Trend Path, shown as an up arrow, a down arrow or an equal symbol, represents the level of recent movement of a particular threat. Up arrows represent an increase, down arrows represent a decline and the equal symbol represents no change in the threat's recent movement.
- % Impact (Last 7 Days): This shows the change over a 7-day period in the frequency with which a malware threat infects PCs. The percentage impact correlates directly with the current Trend Path, indicating a rise or decline in that percentage.
| Threat Level: | 8/10 |
|---|---|
| Infected PCs: | 56 |
| First Seen: | January 5, 2017 |
| OS(es) Affected: | Windows |
The First Ransomware is a Trojan that blocks your files by encrypting them, which con artists then use as leverage for demanding ransom money. Along with being unable to use any content that the First Ransomware encrypts, symptoms of note may include pop-ups, additional text messages on your desktop, or filenames bearing new extensions. Block and delete the First Ransomware before it can install itself by keeping anti-malware protection enabled, and keep backups so that its encryption cannot cause damage you can't revert.
The First Ransomware: Far from the First in Harmful Encryption Campaigns
The First Ransomware may be the first new version of Hidden Tear confirmed for 2017, although the accessibility of the family's code makes it likely that successors will follow soon. Although the Trojan still seems to be in the early stages of development and deployment, it already encrypts a victim's data, creates ransom messages, and makes other system changes for social engineering purposes. For the time being, malware experts confirm at least two separate builds of this threat.
The First Ransomware uses the Advanced Encryption Standard (AES) algorithm to block your files, potentially preventing you from opening documents, audio, pictures or other data types. Afterward it calls the File.Move method, which it may use to rename each encrypted file with either a '.krzysioka' or a '.locked' extension, depending on the Trojan's version.
Likewise, malware experts observe two formats of ransom message after the fact:
- The First Ransomware may generate Notepad TXT files that it places on your desktop or in the same folder as any encrypted data.
- The First Ransomware also may launch pop-up windows displaying skeleton-themed images and ransom demands with a built-in interface for paying 1.5 Bitcoins (1,462 USD) to recover your data.
None of the above functions differs notably in implementation from past file-encrypting threats, although the ransom demand is high and may indicate that the First Ransomware's campaign targets corporate entities.
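Because the renamed extensions described above are the most visible trace the Trojan leaves, a defender can sweep a file share for them and confirm, via byte entropy, that the flagged files really contain ciphertext rather than an unrelated file that merely shares the extension. The following is an added example written for this write-up, not code from the threat or from SpyHunter; the entropy threshold and the sample files it builds in a temporary directory are constructed assumptions.

```python
import math
import os
import tempfile
from pathlib import Path

# Extensions the write-up attributes to the two known builds of the First Ransomware.
FIRST_RANSOMWARE_EXTENSIONS = {".krzysioka", ".locked"}
# Assumed cut-off: AES output scores close to 8.0 bits/byte, text and office files well below.
ENTROPY_THRESHOLD = 7.5


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; uniformly random (or encrypted) data approaches 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def scan_for_encrypted_files(root, sample_bytes=4096):
    """Walk `root` and report files carrying a known extension, with an entropy verdict."""
    findings = []
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in FIRST_RANSOMWARE_EXTENSIONS:
            with open(path, "rb") as fh:
                entropy = shannon_entropy(fh.read(sample_bytes))
            findings.append({
                "path": str(path),
                "original_name": path.with_suffix("").name,  # name before the appended extension
                "entropy": round(entropy, 2),
                "likely_ciphertext": entropy >= ENTROPY_THRESHOLD,
            })
    return sorted(findings, key=lambda f: f["path"])


def build_sample_tree():
    """Constructed sample: two 'encrypted' files (random bytes) and one untouched document."""
    root = tempfile.mkdtemp(prefix="first_rw_demo_")
    (Path(root) / "docs").mkdir()
    (Path(root) / "docs" / "budget.xlsx.krzysioka").write_bytes(os.urandom(8192))
    (Path(root) / "photo.jpg.locked").write_bytes(os.urandom(8192))
    (Path(root) / "notes.txt").write_bytes(b"quarterly notes, nothing encrypted here\n" * 100)
    return root


if __name__ == "__main__":
    for finding in scan_for_encrypted_files(build_sample_tree()):
        print(finding)
```

A low-entropy hit is worth a second look before restoring from backup: it usually means an unrelated application, not this Trojan, produced the '.locked' file.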
Your First and Best Bet for Neutering the First Ransomware
The First Ransomware doesn't include the currently popular feature of a live countdown before deleting your encrypted files or the decryption key, but it does threaten to do so after a two-day period. Although there are free decryption utilities for the Hidden Tear family, these tools do not always work against new variants, which may require additional analysis before decryption is possible. Malware experts encourage any PC owners concerned about their data's safety to make generous use of backups, especially on peripheral devices and cloud services.
All symptoms of a First Ransomware infection become visible only after the Trojan has succeeded in holding your files for ransom. Con artists receiving Bitcoin ransom money, as the First Ransomware demands, also have no incentive to honor their word, since a cryptocurrency transaction is non-refundable. Prevent any encryption damage in the first place by having your anti-malware programs monitor likely infection vectors, such as e-mail attachments. Detection rates vary widely between versions of this threat, but, in most instances, updated anti-malware software should be able to remove the First Ransomware automatically.
With con artists finding it as easy as ever to re-purpose old threat projects for new attacks, PC owners will need to keep following proactive data-protection strategies against threats like the First Ransomware.