
GrujaRSorium Ransomware

Posted: November 14, 2018

The GrujaRSorium Ransomware is a file-locking Trojan that can block documents, pictures, or other media by encrypting them with both AES and RSA algorithms. Although its encryption is a hidden, background process, this program also creates a ransom-themed image that it may add to the desktop's wallpaper, along with loading a pop-up. Users should respond by ignoring the ransoming demands, having an anti-malware program uninstall the GrujaRSorium Ransomware, and using backups or free decryption solutions if they're needed.

A Trojan Eyeballing Its Researchers

An update to a previous file-locker Trojan that never saw much distribution is making fun of at least one member of the cyber-security industry. While the changes in the GrujaRSorium Ransomware are only cosmetic, they do show that threat actors are paying attention to who's analyzing their programs and impeding the black market of encrypting files and selling the decryptors. The GrujaRSorium Ransomware could also still be in mid-development, since malware experts find other hints that its payload is only partially complete.

Unfortunately, the encryption portion of the GrujaRSorium Ransomware is fully functional, since it is based on an older, already-working Trojan. It searches for media types such as Word or PDF documents, 7z or ZIP archives, PowerPoint presentations, and AVI or MOV movies, and encrypts them with both AES and RSA algorithms. Initially, this file-locking Trojan added 'aes' or 'aesed' extensions (a superficial similarity to the Cardsome Ransomware), but the GrujaRSorium Ransomware changes this text to 'GrujaRS,' the screen name of an independent cyber-security researcher.

The GrujaRSorium Ransomware also adds similar callouts and insults to its pop-up window, which tells users that their files have been encrypted. As the last enhancement, malware experts saw the GrujaRSorium Ransomware dropping an image file on the desktop that provides both a week-long deadline and an e-mail address for negotiating over the threat actor's decryption service. Future builds, if they adhere to the usual formats of these threats, may hijack the desktop's wallpaper and reset it to this picture.
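The two observable traces described above (the renamed extension and the AES/RSA-encrypted contents of the targeted document and media types) are what an incident responder can check for on a suspected host. The following triage script is an added example written for this page, not code from the write-up or from the Trojan itself. It assumes the encrypted files carry a `.GrujaRS` suffix (the write-up names the text but not its exact placement, so the dotted, case-insensitive form here is an assumption) and uses a Shannon-entropy sample as a corroborating signal that a renamed file's body is ciphertext rather than a plain rename.

```python
import math
import os
from pathlib import Path
from typing import Optional

# Suffixes from the write-up: the earlier 'aes'/'aesed' builds and the renamed
# 'GrujaRS' build. Dot placement and case-insensitivity are assumptions.
SUSPECT_EXTENSIONS = (".grujars", ".aes", ".aesed")

# Document/media types the write-up lists as encryption targets.
TARGET_TYPES = {".doc", ".docx", ".pdf", ".7z", ".zip", ".ppt", ".pptx", ".avi", ".mov"}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte. AES output sits near 8.0; plain text well below."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def looks_encrypted(path: Path, sample_size: int = 4096, threshold: float = 7.5) -> bool:
    """Sample the head of the file; encrypted bodies are near-uniform random bytes."""
    with open(path, "rb") as fh:
        return shannon_entropy(fh.read(sample_size)) >= threshold


def original_name(name: str) -> Optional[str]:
    """Strip a suspect suffix and return the pre-encryption filename, or None."""
    lower = name.lower()
    for ext in SUSPECT_EXTENSIONS:
        if lower.endswith(ext):
            return name[: -len(ext)]
    return None


def triage(root) -> dict:
    """Walk a tree and bucket files for a responder.

    renamed:       (path, original_name) for files carrying a suspect suffix
    high_entropy:  renamed files whose contents also look like ciphertext
    clean_targets: files of the targeted types that still carry their own name
    """
    result = {"renamed": [], "high_entropy": [], "clean_targets": []}
    for dirpath, _, filenames in os.walk(root):
        for fname in filenames:
            path = Path(dirpath) / fname
            orig = original_name(fname)
            if orig is not None:
                result["renamed"].append((str(path), orig))
                if looks_encrypted(path):
                    result["high_entropy"].append(str(path))
            elif path.suffix.lower() in TARGET_TYPES:
                result["clean_targets"].append(str(path))
    return result


def build_sample_tree(root) -> None:
    """Create a constructed sample tree: one 'encrypted' file and one untouched document."""
    root = Path(root)
    root.mkdir(parents=True, exist_ok=True)
    # Constructed stand-in for an encrypted document: random bytes, renamed suffix.
    (root / "report.docx.GrujaRS").write_bytes(os.urandom(8192))
    # Constructed untouched document: low-entropy repeated text.
    (root / "notes.docx").write_bytes(b"quarterly notes, nothing encrypted here\n" * 100)


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for bucket, items in triage(tmp).items():
            print(bucket, items)
```

Note the caveat for the archive types in the list: 7z and ZIP bodies are already high-entropy, so for those the suffix rename is the decisive signal and the entropy check only confirms what the name already says. The `clean_targets` bucket is the responder's backup-restoration worklist in reverse: anything in `renamed` is what the backups must replace.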

Keeping Good Names from Acquiring Bad Meanings

Although its payload is being re-purposed as an insult against a security researcher, the GrujaRSorium Ransomware's attacks are as threatening to digital media as those of any other functional file-locking Trojan. The chances of decrypting AES and RSA-based attacks without leaks or bugs are, unfortunately, minimal. Malware experts don't encourage assuming that a decryption utility for the GrujaRSorium Ransomware will ever become available, even after users provide relevant samples to the rest of the cyber-security industry, and keeping non-local backups should be regarded as your first resort.

Several infection methods are prominent for file-locker Trojans like the GrujaRSorium Ransomware. Techniques worth expecting this year include exploit kits (threats running through your browser and taking advantage of unpatched or zero-day vulnerabilities), torrents with fake illegal downloads of premium products like video games, spam e-mails, and brute-force attacks. The last is a concern for network and server administrators, although most other infection strategies are preventable by having your anti-malware tools delete the GrujaRSorium Ransomware by default.

As the security industry examines threats like the GrujaRSorium Ransomware, threat actors are scrutinizing their enemies in turn. Hopefully, this trend will remain limited to mocking screen names rather than escalating to worse kinds of harassment.
