
Gr3g Ransomware

Posted: October 31, 2017

Threat Metric

Threat Level: 1/10
Infected PCs: 28
First Seen: October 31, 2017
OS(es) Affected: Windows

The Gr3g Ransomware is a Trojan that locks files on the infected PC so that its operators can later extort money from the user by selling the unlocking solution. Since the Gr3g Ransomware's encryption may not be curable without the threat actor's help, users can best protect their documents and other files by backing them up to other devices. Anti-malware technology can also help delete the Gr3g Ransomware from the outset or after it starts attacking your computer's data.

A Remote Connection to File Trouble

At the tail end of October 2017, threat actors began circulating a new Trojan with encryption-based, file-locking features. While the Trojan uses modified ransom notes collected from old sources and, most likely, is a derivative of another family of threats, malware experts have yet to identify its ancestry or encryption mechanism beyond all doubt. Victims who download its installer, which poses as a Windows component, are left with the choice of paying the ransom on its TOR website or letting their files remain unusable.

The installation file for the Gr3g Ransomware uses a consistent disguise as a fake version of 'RASMAN,' the Remote Access Connection Manager of Windows Server 2003 and 2008, with associated file data claiming that it is a product of a 'WinLAC Manager' company. When it runs, the Gr3g Ransomware generates a customized ID serial for the user and starts encrypting files with a cipher that malware analysts are still identifying. Although this encryption attack's most significant side effect is preventing other programs from opening the affected media, the Gr3g Ransomware also appends a new extension ('.libbywovas@dr.com.gr3g') onto their names.

Other symptoms may include blocked software, such as the Task Manager or Regedit programs, changes to your wallpaper, and, as usual for file-locking threats, the creation of a text message for the victim. The Gr3g Ransomware's texts ask the user to navigate to a TOR website for paying a ransom to buy the decryption software for restoring their files, and, otherwise, show generic contents copy-pasted from previous Trojan campaigns of the same category.

Keeping an Unwanted 'Greg' out of Your Files

While the Gr3g Ransomware is a likely candidate for circulation under traditional Ransomware-as-a-Service (RaaS) models, samples, for now, offer limited information on their relationships, if any, with established families of threats like the Globe Ransomware and Hidden Tear. However, the con artist-sponsored, file-unlocking methods of threats like the Gr3g Ransomware almost universally provide the victim no protection from fraud. Restoring from a backup or acquiring decryption help from the broader cybersecurity community should come first; paying a ransom to unlock and decode your media is a last resort, if it is considered at all.

Note that the Gr3g Ransomware's current installation disguise is a Windows component that is only pertinent to some versions of that platform, and not at all to non-Windows OSes. The legitimate version of the Rasman program also does not carry data related to a 'WinLAC Manager' company, and this detail can help identify a fraudulent executable. Malware experts do recommend using anti-malware products for uninstalling or blocking the Gr3g Ransomware safely, but some products may need updated definitions to identify this newly emerged threat.
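The two indicators the article names, the appended '.libbywovas@dr.com.gr3g' extension and the bogus 'WinLAC Manager' company name on the fake RASMAN file, can be turned into a small triage script for a responder. The code below is an added example and is not code from the original page or from any vendor. It assumes the extension is appended verbatim and that the company name sits in the executable's VERSIONINFO resource, which Windows stores as UTF-16LE, so a raw byte search for that encoding is a cheap first pass before full PE parsing; the sample listing and fake executable bytes are constructed for the demonstration, not real artefacts.

```python
"""Triage helpers for the Gr3g Ransomware indicators described above.

Added example (not the page's or any vendor's code). Assumptions:
  * locked files carry exactly '.libbywovas@dr.com.gr3g' appended to the
    original name;
  * the bogus 'WinLAC Manager' string lives in the PE VERSIONINFO resource,
    which is UTF-16LE on disk, so a byte search finds it without a PE parser.
"""
import os
import sys
from pathlib import Path
from typing import Dict, Iterable, List, Tuple

GR3G_EXTENSION = ".libbywovas@dr.com.gr3g"   # extension named in the article
BOGUS_COMPANY = "WinLAC Manager"              # company name named in the article
# VERSIONINFO strings are UTF-16LE; a legitimate Microsoft rasman component
# would carry a Microsoft company name, never this one.
BOGUS_COMPANY_UTF16 = BOGUS_COMPANY.encode("utf-16-le")
BOGUS_COMPANY_ASCII = BOGUS_COMPANY.encode("ascii")


def locked_files(names: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (locked_name, original_name) for each name carrying the
    Gr3g extension. Only the name is recovered; the content stays encrypted."""
    hits = []
    for name in names:
        if name.endswith(GR3G_EXTENSION):
            hits.append((name, name[: -len(GR3G_EXTENSION)]))
    return hits


def has_bogus_company(data: bytes) -> bool:
    """True if the raw bytes contain the 'WinLAC Manager' marker either as
    it appears in a VERSIONINFO resource (UTF-16LE) or as plain ASCII."""
    return BOGUS_COMPANY_UTF16 in data or BOGUS_COMPANY_ASCII in data


def scan_directory(root: str) -> Dict[str, list]:
    """Walk a tree: list locked files and flag executables whose bytes
    carry the bogus company marker. Read errors are skipped, not fatal."""
    listing: List[str] = []
    suspicious: List[str] = []
    for dirpath, _, files in os.walk(root):
        for fname in files:
            listing.append(fname)
            path = Path(dirpath) / fname
            if fname.lower().endswith((".exe", ".dll")):
                try:
                    if has_bogus_company(path.read_bytes()):
                        suspicious.append(str(path))
                except OSError:
                    pass
    return {"locked": locked_files(listing), "suspicious_executables": suspicious}


# Constructed sample inputs (not real artefacts): a post-infection directory
# listing and a fake 'executable' whose version block names the bogus company.
SAMPLE_LISTING = [
    "budget.xlsx.libbywovas@dr.com.gr3g",
    "thesis.docx.libbywovas@dr.com.gr3g",
    "README.txt",
]
SAMPLE_FAKE_PE = (
    b"MZ" + b"\x00" * 8
    + "CompanyName".encode("utf-16-le") + b"\x00\x00"
    + BOGUS_COMPANY_UTF16
)
SAMPLE_CLEAN_PE = b"MZ" + "Microsoft Corporation".encode("utf-16-le")


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    report = scan_directory(root)
    for locked, original in report["locked"]:
        print(f"locked: {locked}  (was: {original})")
    for exe in report["suspicious_executables"]:
        print(f"suspicious executable: {exe}")
```

Run it against a user profile or file share to get a count of locked files (useful for deciding what the backup must cover) and a list of binaries to submit to an anti-malware vendor; the byte search is a triage hint, not proof, so a flagged file still needs its version resource and signature inspected properly.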

One of the easiest ways to compromise your PC, or the files you save on it, is to download software on the strength of its name alone. Windows programs distributed through unauthorized sources have a much better chance of being a file-locking Trojan like the Gr3g Ransomware than of being legitimate.
