
LordOfShadow Ransomware

Posted: October 25, 2017

Threat Metric

Threat Level: 10/10
Infected PCs: 6
First Seen: October 25, 2017
OS(es) Affected: Windows

The LordOfShadow Ransomware is a variant of the Hidden Tear Trojan, a program created to demonstrate how encryption-based file-locking attacks are carried out. Victims of LordOfShadow Ransomware infections can expect symptoms that include changed extensions on their locked files and new, ransom-related text messages. Although removing the LordOfShadow Ransomware should always be delegated to appropriate anti-malware programs, additional decryption software or backups are mandatory for recovering any damaged media.

Throwing Shade Where It Doesn't Belong

As more con artists get their hands on the working code from Utku Sen's Hidden Tear, more Trojan campaigns are launching with the intent of targeting different parts of the world with data-locking attacks. Brazil is one of the focal points experiencing frequent victimization through these harmful efforts, which are starting to supplant the country's previous history of vulnerability to banking Trojans and financial spyware. One Trojan operating in this region, the LordOfShadow Ransomware, delivers its attacks with almost no accompanying information beyond a way for the victim to contact the threat actor.

The LordOfShadow Ransomware doesn't depart from the AES-based cryptography of past versions of Hidden Tear, and, like most HT variants, conducts the file-locking attack without any overt displays of symptoms. Malware researchers most often see particular formats of data damaged by these attacks, including Word documents, Excel spreadsheets, GIF or JPG pictures, and Adobe PDFs, for example. The LordOfShadow Ransomware also appends a 'lordofshadow' extension to the names of each file that it encodes and locks.

The LordOfShadow Ransomware also includes a function for generating a Notepad-style 'readme' file for the user, which offers some simple ransoming instructions in Portuguese. However, the message contains little information beyond a generic warning and a recommendation to seek help from the threat actor's e-mail address. Withholding any further details could be a means of giving the con artist a strong bargaining position for ransoms, which may vary in price or transaction method (such as cryptocurrencies like Bitcoin).
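As an added illustration (not code from the article), the following script triages a folder for the two symptoms described above: files carrying the appended 'lordofshadow' extension and a dropped readme-style note. The sample directory tree, the 'readme'-in-filename heuristic and the size threshold are constructed assumptions for this example.

```python
# Added example (not the article's code); see lead-in for assumptions.
import os
import tempfile
from collections import Counter

LOCKED_EXT = ".lordofshadow"  # extension the article says is appended
# File types the article lists as typically targeted; used only for reporting.
TARGET_EXTS = {".doc", ".docx", ".xls", ".xlsx", ".gif", ".jpg", ".jpeg", ".pdf"}

def scan_tree(root):
    """Walk `root` and summarise ransomware symptoms found beneath it."""
    locked, notes = [], []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            lower = name.lower()
            if lower.endswith(LOCKED_EXT):
                locked.append(path)
            # Heuristic (assumption): the dropped note is a small .txt file with
            # 'readme' in its name, matching the Notepad-style readme described.
            elif lower.endswith(".txt") and "readme" in lower and os.path.getsize(path) < 4096:
                notes.append(path)
    # The original extension is the one preceding the appended '.lordofshadow'.
    orig_exts = Counter(os.path.splitext(p[:-len(LOCKED_EXT)])[1].lower() for p in locked)
    return {
        "locked_files": sorted(locked),
        "ransom_notes": sorted(notes),
        "original_extensions": dict(orig_exts),
        "targeted_types_hit": sorted(e for e in orig_exts if e in TARGET_EXTS),
        "infected": bool(locked or notes),
    }

def build_sample_tree():
    """Create a throwaway directory mimicking a folder after infection (constructed)."""
    root = tempfile.mkdtemp(prefix="los_demo_")
    for rel in ("docs/report.docx.lordofshadow", "docs/budget.xlsx.lordofshadow",
                "pics/cat.jpg.lordofshadow", "pics/holiday.jpg",
                "docs/README.txt", "clean/todo.md"):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(b"constructed sample bytes")
    return root

if __name__ == "__main__":
    print(scan_tree(build_sample_tree()))
```

Running it against a real user profile instead of the sample tree turns the same check into a quick post-incident inventory of which documents were hit and whether a note was dropped.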

Dethroning Self-Proclaimed Lords of Extortion

The LordOfShadow Ransomware campaign may be establishing a brand identity with a grandiose title, but has no updates or extra features of significance, in comparison to other Trojans using the Turkish Hidden Tear's resources for extortionist purposes. Victims may be able to recover any blocked and encoded files with appropriate decryption software and should contact specialists in the anti-malware industry, if required, instead of paying ransoms or following other demands. For the safest recovery from attacks of this class, malware experts always emphasize keeping spare backups that Trojans are incapable of deleting or encrypting.

Brazil-based Trojan campaigns often use forged e-mail messages to compromise PCs, disguising the payload as a news article, an invoice, or a package delivery notice. Since this Trojan's author has added no additional obfuscation features, any anti-malware application already capable of detecting Hidden Tear should also delete the LordOfShadow Ransomware by default. Like other members of its family, the LordOfShadow Ransomware is only compatible with Windows and uses an executable of less than one megabyte.

The most direct defense against the LordOfShadow Ransomware's campaign is to make backups part of your daily routine, whether you're securing work-related content or personally important media. While the LordOfShadow Ransomware isn't a professionally crafted threat, readers can think of its Hidden Tear-based payload as being threatening in the same way that an untrained attacker can still be threatening with a firearm.
