Kerkoporta Ransomware
Posted: October 30, 2017
Threat Level: 10/10
Infected PCs: 7
First Seen: October 30, 2017
OS(es) Affected: Windows
The Kerkoporta Ransomware is a Trojan that includes features for locking the victim's files and holding them for ransom, taking remote control of the infected PC, and blocking the screen with pop-ups. The risks of Kerkoporta Ransomware infections include the possibly permanent loss of any media that it locks, as well as privacy and security issues from a remote attacker having access to your files, settings and software. Users who believe themselves to be affected should disconnect from the Internet as soon as possible and have anti-malware utilities ready to uninstall the Kerkoporta Ransomware.
How to Patch Windows into Attacking Your Files
Greece is the home ground of what may be a campaign of Trojan attacks that appear not only to damage files for ransom money but also to create vulnerabilities that could give effective control of the PC to external threat actors. The multi-purpose Kerkoporta Ransomware includes features for locking the user out of the GUI, turning system access over to another user over a network, and renaming files. Current releases of the Kerkoporta Ransomware that are available to malware analysts show an absence of any encryption-based, file-locking feature, which may be the next thing its authors add to the payload.
The Kerkoporta Ransomware, whose name translates from Greek to 'backdoor,' installs itself after a download trick in which it pretends to be an update for Windows. After the installation, it adds the '.encryptedsadly' extension to files that fit its internal list of formats and locations to attack, which can include Word documents, Excel spreadsheets, etc. Since this early version of the Kerkoporta Ransomware doesn't use any data-encoding algorithms, users can change the extension back to the default without needing to use a decryptor. However, while it does the above, the Kerkoporta Ransomware also commits other attacks.
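The rename-only recovery described above can be scripted. The following is an added example, not code from the original article or from any vendor tool: it strips the '.encryptedsadly' suffix, refuses to overwrite existing files, and checks well-known file signatures so that a later variant that really alters content is not silently "restored". It assumes the marker is appended after the original extension (for example report.pdf.encryptedsadly); the function names and sample files are constructed for illustration.

```python
import tempfile
from pathlib import Path

MARKER = ".encryptedsadly"  # extension named in the article
# Well-known leading bytes for a few common formats (not from the article).
MAGIC = {
    ".docx": b"PK\x03\x04", ".xlsx": b"PK\x03\x04",
    ".pdf": b"%PDF", ".png": b"\x89PNG", ".jpg": b"\xff\xd8\xff",
}

def restore_renamed(root, dry_run=True):
    """Return [(file name, status)] for every file under root carrying MARKER."""
    report = []
    # sorted() materialises the listing before any rename changes the tree.
    for path in sorted(Path(root).rglob("*" + MARKER)):
        if not path.is_file():
            continue
        # Assumption: the marker was appended to the full original name.
        target = path.with_name(path.name[: -len(MARKER)])
        magic = MAGIC.get(target.suffix.lower())
        with path.open("rb") as fh:
            head = fh.read(8)
        if target.exists():
            status = "skipped: target exists"
        elif magic and not head.startswith(magic):
            # Content no longer looks like its format: renaming will not help.
            status = "skipped: content does not match " + target.suffix
        else:
            status = "would restore" if dry_run else "restored"
            if not dry_run:
                path.rename(target)
        report.append((path.name, status))
    return report

def demo():
    """Run against constructed sample files in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        (d / "report.pdf.encryptedsadly").write_bytes(b"%PDF-1.4 constructed")
        (d / "notes.txt.encryptedsadly").write_bytes(b"plain text, no signature")
        (d / "budget.xlsx.encryptedsadly").write_bytes(b"\x00\x11 not a zip")
        (d / "photo.png").write_bytes(b"\x89PNG existing")
        (d / "photo.png.encryptedsadly").write_bytes(b"\x89PNG renamed copy")
        report = restore_renamed(d, dry_run=False)
        return report, sorted(p.name for p in d.iterdir())

if __name__ == "__main__":
    for row in demo()[0]:
        print(row)
```

Run it with the default dry_run=True first and review the report; files reported as not matching their format should be kept as they are for analysis rather than renamed.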
The Kerkoporta Ransomware blocks the user's desktop access by creating a screen-sized HTA pop-up, which carries its Greek (and, optionally, English) ransoming instructions. Its default ransom message asks for the PIN of an Amazon gift card worth 100 USD before restoring your theoretically blocked media. Meanwhile, the Trojan also attempts a network connection to a Command & Control server, possibly allowing a con artist on the other end to control the PC via a GUI panel or text commands.
Nailing Greece's New Backdoor Shut
While most PC users are likely to be distracted by its ability to lock out the desktop and, potentially, some formats of their digital media, the Kerkoporta Ransomware also could be exploited as a RAT for much more flexible attacks. Threat actors may use the Kerkoporta Ransomware's network-based features for changing your system settings, disabling your security software, or installing other threats, such as keyloggers or banking Trojans. This additional function makes even the incomplete version of the Kerkoporta Ransomware into a high-level threat that's readily capable of escalating an infection into a worse security issue than its symptoms might imply.
Without an update to give more data on its possible data-locking methodology, malware researchers can only recommend keeping backups that nullify any media-ransoming attempts from this threat. Cloud or peripheral device-based storage options are significantly less at risk of being deleted than local content, especially since the Kerkoporta Ransomware could allow con artists to erase content manually. Disabling network access also should be a priority during any disinfection attempt. Few anti-malware products are detecting and removing the Kerkoporta Ransomware accurately, and users should update the threat databases on any relevant security software for maximum protection.
What a Trojan shows to its victims is rarely all that is there to see. While the Kerkoporta Ransomware keeps users busy with its ransoming antics, its authors may be up to causing even worse problems.