
Li Ransomware

Posted: September 27, 2019

The Li Ransomware is a new version of the Scarab Ransomware family, a group of file-locking Trojans. The Li Ransomware can block your PC's media files, change their names, erase the local backups, and deliver ransom messages. Users can save their files by keeping backups in less-vulnerable locations, adhering to best practices concerning network security, and having anti-malware programs for spotting and removing the Li Ransomware.

The Bug is Back with an Investment Group's Name

The Ransomware-as-a-Service family of Trojans known as the Scarab Ransomware is one of the most active this year. Its attacks include extortion messages in both English and Russian, encryption for locking digital media, and supporting features. The latest threat actor hiring it has a new variant, the Li Ransomware, which might be pretending to be content from an investment bankers' organization.

The Li Ransomware's executable uses the name 'Winlo,' a possible reference to the management group firm of that name. However, it also drops several components in an AppData\Roaming sub-folder, indicating that the Trojan is avoiding detection instead of tricking victims into running the installer directly. A successful infection triggers the same AES encryption that malware experts saw previously in this Trojan's relatives (such as the Alilibat Ransomware, the Vally Ransomware, the French101 Ransomware, the Aztecdecrypt@protonmail.com Ransomware and the MVP Ransomware).

Along with the encryption that blocks the user's documents and other files, the Li Ransomware also overwrites their entire names with Base64 encoding and a 'li' extension. This feature effectively keeps victims from identifying which specific media is 'imprisoned' while the Trojan demands its ransom. Like other Scarab Ransomware releases, the Li Ransomware's ransom note is a TXT message. It provides a personal identifier, a three-file trial, and e-mail addresses for the negotiations.
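The renaming pattern described above can serve as a triage signal when reviewing a file listing from an affected machine. The following Python sketch is an added example, not code from the Trojan or from any vendor tool; the character set accepted for the Base64 stem, the '.li' suffix check, the per-directory threshold, and the sample paths are all assumptions made for illustration.

```python
import base64
import re
from collections import Counter
from pathlib import PureWindowsPath

# Assumption: the renamed stem uses Base64 characters that are legal in
# Windows file names; the article does not state the exact alphabet.
B64_STEM = re.compile(r"^[A-Za-z0-9+_-]{8,}={0,2}$")


def looks_renamed(path: str) -> bool:
    """True when a file name is a Base64-looking stem with a '.li' extension."""
    p = PureWindowsPath(path)
    if p.suffix.lower() != ".li" or not B64_STEM.match(p.stem):
        return False
    # Encoded names mix character classes; plain words like "portfolio" do not.
    classes = (str.isupper, str.islower, str.isdigit)
    return sum(any(f(c) for c in p.stem) for f in classes) >= 2


def flag_directories(paths, threshold=3):
    """Count suspicious names per directory and keep only directories at or
    above the threshold, which points to bulk renaming rather than one file."""
    hits = Counter(str(PureWindowsPath(p).parent) for p in paths if looks_renamed(p))
    return {d: n for d, n in hits.items() if n >= threshold}


def _encoded(name: str) -> str:
    # Builds constructed sample names only; not part of the detection logic.
    return base64.urlsafe_b64encode(name.encode()).decode() + ".li"


# Constructed sample listing (not taken from a real incident).
DOCS, PICS = r"C:\Users\a\Documents", r"C:\Users\a\Pictures"
SAMPLE = [
    DOCS + "\\" + _encoded("report.docx"),
    DOCS + "\\" + _encoded("budget.xlsx"),
    DOCS + "\\" + _encoded("scan.pdf"),
    DOCS + "\\portfolio.li",          # plain word, not Base64-like
    DOCS + "\\notes.txt",
    PICS + "\\" + _encoded("photo.jpg"),  # single hit, below threshold
    PICS + "\\holiday.png",
]

if __name__ == "__main__":
    for directory, count in flag_directories(SAMPLE).items():
        print(f"{directory}: {count} files with Base64-style '.li' names")
```

A hit from this check is only a prompt for closer inspection, since legitimate files can also carry a '.li' suffix.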

Don't Bank on Unlocking a Trojan's Hostages

The Scarab Ransomware family frequently isn't compatible with the decryption services that are available through the PC security industry's white hat researchers. Because the Li Ransomware uses a secure encryption method and also will issue commands for wiping the Restore Points, many victims will need to resort to non-local backups for reacquiring their files. By default, the Li Ransomware's family targets media such as Microsoft Office content, PDF documents, pictures and archives.

Network admins can use safe login choices and update server software as necessary to block any 'random' attacks by a Ransomware-as-a-Service threat actor. Malware experts also link some RaaS attacks to e-mail attachments, torrents or Exploit Kits running on compromised websites. Appropriate security protocols like not enabling macros, installing security patches, and declining illegal downloads are reliable defenses.

Anti-malware solutions specific to Windows systems should remove the Li Ransomware and most other members of its family in a majority of infection scenarios. The name on the Li Ransomware EXE is just a single breadcrumb in a broader trail for its RaaS campaign. Scarab Ransomware's offspring get around – with the help of computer users who aren't paying attention to their actions or files.
