
LMAOxUS Ransomware

Posted: April 7, 2017

Threat Metric

Threat Level: 10/10
Infected PCs: 21
First Seen: April 6, 2017
Last Seen: December 30, 2019
OS(es) Affected: Windows

The LMAOxUS Ransomware is a variant of EDA2, an open-source Trojan that encrypts your files and displays ransom messages through several channels. Standard data redundancy practices, such as cloud-based backups, can reduce the potential for this Trojan to cause harm that you can't reverse. Currently, the Trojan is being distributed through fake gaming software downloads, although standard anti-malware solutions can delete the LMAOxUS Ransomware automatically with few issues.

Little to Laugh at with Hijacked Project Forks

Those who follow the underground industry of file-encrypting threats even passingly will know that Utku Sen's EDA2 and Hidden Tear projects have been financially lucrative code resources for con artists. 2017 is starting to see even more activity on this front through a fork of EDA2: the Stolich project, which consists primarily of EDA2 with some of its encryption vulnerabilities removed. Although Stolich's author seems unaffiliated with any live attacks, another threat actor is deploying it under the name of the LMAOxUS Ransomware, with updated ransom-processing infrastructure.

Like Stolich, the LMAOxUS Ransomware omits the backdoor that previously let security researchers recover the software's decryption keys without the threat actor's help. The LMAOxUS Ransomware uses AES-256 to encrypt files on an infected PC, such as documents, archives, or images, and adds the '.lmao' extension to their filenames. Other symptoms and features that malware experts are confirming include:

  • The LMAOxUS Ransomware uses a trial version of the CryptoObfuscator program to conceal its code from some security solutions, although this currently does little to lower detection rates.
  • The LMAOxUS Ransomware hijacks your wallpaper for displaying a custom warning message for its campaign.
  • The same wallpaper also directs the reader to a text file that the LMAOxUS Ransomware places on your desktop, which in turn points to a custom Web page. The Trojan's author uses this page to provide his Bitcoin wallet address, for collecting ransom payments, and an e-mail address, ostensibly for negotiating over the decryptor.

Mining Your Way out of Extortion

Ample public evidence is available regarding both the LMAOxUS Ransomware's current stage of development and its ancestry, which runs back through Stolich to EDA2. The coder responsible for Stolich is not necessarily the threat actor deploying the LMAOxUS Ransomware, which malware experts judge to be the work of an independent con artist borrowing Stolich's code. The use of this particular branch of EDA2 makes it harder for security researchers to retrieve the decryption data that victims need, underlining the value of keeping backups against such attacks.

Another detail worth mentioning about the LMAOxUS Ransomware's early deployment is its bundling with a Minecraft launcher. PC users hoping to play the game without paying may infect themselves by installing the LMAOxUS Ransomware from a torrent or a website promoting software piracy. Since the launcher appears to be functional, the LMAOxUS Ransomware's author gives his Trojan a window of time to carry out its encryption attack before the user notices anything amiss.

Questionable downloading habits aside, all PC users should back up their files habitually to reduce the profitability of file-encrypting Trojans like this latest re-release of EDA2. While most anti-malware products can identify and remove the LMAOxUS Ransomware with relative ease, malware experts can't say the same for the AES encryption damage that it inflicts on your files.
