'ihurricane@sigaint.org' Ransomware

The 'ihurricane@sigaint.org' Ransomware is a variant of the black market Stampado Ransomware product. Besides continuing to exploit encryption attacks for blocking a victim's files, the 'ihurricane@sigaint.org' Ransomware also installs itself through bundling with fully-functioning copies of anti-virus software. Despite its innovative installation disguise, most anti-malware products should be capable of detecting and deleting the 'ihurricane@sigaint.org' Ransomware initially, preventing any file loss.

A Tempest in a File Scanner

Although the phrase 'a tempest in a teapot' is used to convey a sense of exaggerated danger, some Trojans use concealed installation methods that are just as unexpected as a storm in a piece of dinnerware. These disguises can include mislabeling corrupted files with the filenames of friendly applications, crafting advertising content to look like update notifications, or, for the 'ihurricane@sigaint.org' Ransomware, even bundling themselves with real, non-threatening software.

The 'ihurricane@sigaint.org' Ransomware is a new release of the Stampado Ransomware most likely by a threat actor paying a premium for a rental or lifelong usage 'pass' of the program. It includes the usual data-encrypting attacks typical to threats of this type, which may block files such as documents or spreadsheets. The last symptom that the 'ihurricane@sigaint.org' Ransomware shows is a pop-up window containing dynamically-generated text with its ransom instructions. Other than offering an e-mail address to contact, the Trojan currently gives no additional information of note to its victims.

The 'ihurricane@sigaint.org' Ransomware's installation bundle is its most distinctive characteristic. The 'ihurricane@sigaint.org' Ransomware bundles itself with a third-party distribution of a freeware version of the AVG Antivirus, which installs after the Trojan. Malware experts note that the 'ihurricane@sigaint.org' Ransomware's encryption routine is sufficiently short that, by the time the anti-virus scanner finishes installing itself, many or even all of your files could be under the cipher-based lock.

Calming the Storm in Your Computer's Directories

As a derivative of a previously analyzed threat, the 'ihurricane@sigaint.org' Ransomware can include all of the Stampado Ransomware's past features potentially, including modifying filenames (such as inserting new extensions) or even deleting files. Its threat actor also gives an appearance of experimenting with alternate means of distributing the Trojan, such as disguising it as a Word plugin. Nearly two-thirds of most major AV brands currently detect the variant of the 'ihurricane@sigaint.org' Ransomware in distribution with the AVG anti-virus scanner.

Downloading software only from safe locations and avoiding often-compromised resources, such as piracy-oriented websites, can eliminate or reduce exposure to attacks like the 'ihurricane@sigaint.org' Ransomware's campaign. While the 'ihurricane@sigaint.org' Ransomware does include a real anti-virus application in its installer, due to the risk of harmful modifications, malware experts advise against using it for deleting the 'ihurricane@sigaint.org' Ransomware. As usual, victims will need to search for other software, such as free decryptors, to recover any content that they can't restore from a non-encrypted backup.

Assuming things about the files you're opening based on superficial appearances has never been an entirely good idea, and as the 'ihurricane@sigaint.org' Ransomware demonstrates, double-checking a file for its safety before opening it can never hurt more than it helps.

Technical Details