
Kerkoporta Ransomware

Posted: October 30, 2017

Threat Metric

Threat Level: 10/10
Infected PCs: 7
First Seen: October 30, 2017
OS(es) Affected: Windows

The Kerkoporta Ransomware is a Trojan that includes features for ransoming the victim's files after it locks them, taking remote control of the infected PC, and blocking the screen with pop-ups. The risks of the Kerkoporta Ransomware infections include the possibly permanent loss of any media that it locks, as well as privacy and security issues from a remote attacker having access to your files, settings and software. Users who believe themselves to be affected should disconnect from the Internet as soon as possible and have anti-malware utilities ready to uninstall the Kerkoporta Ransomware.

How to Patch Windows into Attacking Your Files

Greece is the home ground of what may be a campaign of Trojan attacks that not only damage files for ransom money but also create openings that could hand effective control of the PC to external threat actors. The multi-purpose Kerkoporta Ransomware includes features for locking the user out of the GUI, turning system access over to another user over a network, and renaming files. The releases of the Kerkoporta Ransomware currently available to malware analysts show no encryption-based file-locking feature, which may be the next thing its authors add to the payload.

The Kerkoporta Ransomware, whose name translates from Greek to 'backdoor,' installs itself through a download trick: it poses as an update for Windows. After installation, it appends the '.encryptedsadly' extension to files that match its internal list of targeted formats and locations, which can include Word documents, Excel spreadsheets, etc. Since this early version of the Kerkoporta Ransomware uses no data-encoding algorithm, users can restore the original extensions without needing a decryptor. However, while it does the above, the Kerkoporta Ransomware also carries out other attacks.
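Because the version described above only renames files, recovery is a verified rename rather than decryption. The following Python script is an added example (not code from this page or from the Trojan's authors): it strips the '.encryptedsadly' extension only from files whose leading bytes still match their original format, leaves any file whose header no longer matches untouched in case a later build really does encrypt, and never overwrites an original that survived. The magic-byte table and the sample files it builds are constructed for the example.

```python
import tempfile
from pathlib import Path

# Extension the page says the Trojan appends to targeted files.
RANSOM_EXT = ".encryptedsadly"

# Leading bytes of formats the page names (Word, Excel) plus PDF. A renamed
# file that still starts with these bytes was not encrypted, only renamed.
MAGIC = {
    ".docx": b"PK\x03\x04", ".xlsx": b"PK\x03\x04", ".pdf": b"%PDF",
    ".doc": b"\xd0\xcf\x11\xe0", ".xls": b"\xd0\xcf\x11\xe0",
}

def classify(path: Path) -> str:
    """'restorable' if the header matches the original format, 'altered' if
    not (content may really be encrypted), 'unknown' if no magic is known."""
    magic = MAGIC.get(path.with_suffix("").suffix.lower())
    if magic is None:
        return "unknown"
    with path.open("rb") as fh:
        return "restorable" if fh.read(len(magic)) == magic else "altered"

def restore_tree(root: Path, dry_run: bool = False) -> dict:
    """Strip the ransom extension from verified files; never touch altered
    files or overwrite an original that survived."""
    report = {"restored": [], "unknown": [], "altered": [], "collision": []}
    for path in sorted(root.rglob("*" + RANSOM_EXT)):
        verdict = classify(path)
        original = path.with_suffix("")  # drops only the ransom extension
        if verdict == "altered":
            report["altered"].append(path)
        elif original.exists():
            report["collision"].append(path)
        else:
            if not dry_run:
                path.rename(original)
            report["restored" if verdict == "restorable" else "unknown"].append(original)
    return report

def demo() -> dict:
    """Constructed sample tree: four renamed files covering every outcome."""
    root = Path(tempfile.mkdtemp(prefix="kerkoporta_demo_"))
    (root / ("report.docx" + RANSOM_EXT)).write_bytes(b"PK\x03\x04 docx body")
    (root / ("budget.xlsx" + RANSOM_EXT)).write_bytes(b"\x00\xff junk header")
    (root / ("notes.txt" + RANSOM_EXT)).write_bytes(b"plain text, no magic")
    (root / ("photo.pdf" + RANSOM_EXT)).write_bytes(b"%PDF-1.4 body")
    (root / "photo.pdf").write_bytes(b"%PDF-1.4 untouched copy")
    report = restore_tree(root)
    return {k: sorted(p.name for p in v) for k, v in report.items()}
```

Run `restore_tree(Path("C:/Users"), dry_run=True)` first and review the report before renaming anything on a real machine.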

The Kerkoporta Ransomware blocks the user's desktop access by creating a screen-sized HTA pop-up, which carries its Greek (and, optionally, English) ransoming instructions. Its default ransom message asks for the PIN of a 100 USD Amazon gift card before restoring your theoretically blocked media. Meanwhile, the Trojan also attempts a network connection to a Command & Control server, possibly allowing a con artist on the other end to control the PC via a GUI panel or text commands.

Nailing Greece's New Backdoor Shut

While most PC users are likely to be distracted by its ability to lock out the desktop and, potentially, some formats of their digital media, the Kerkoporta Ransomware also could be exploited as a RAT for much more flexible attacks. Threat actors may use the Kerkoporta Ransomware's network-based features for changing your system settings, disabling your security software, or installing other threats, such as keyloggers or banking Trojans. This additional function makes even the incomplete version of the Kerkoporta Ransomware into a high-level threat that's readily capable of escalating an infection into a worse security issue than its symptoms might imply.

Without an update to give more data on its possible data-locking methodology, malware researchers can only recommend keeping backups that nullify any media-ransoming attempts by this threat. Cloud or peripheral device-based storage is significantly less at risk of deletion than local content, especially since the Kerkoporta Ransomware could allow con artists to erase content manually. Disabling network access also should be a priority during any disinfection attempt. Few anti-malware products detect and remove the Kerkoporta Ransomware accurately, and users should update the threat databases on any relevant security software for maximum protection.

What a Trojan shows to its victims is rarely all that is there to see. While the Kerkoporta Ransomware keeps users busy with its ransoming antics, its authors may be up to causing even worse problems.