
Magician RSWware Ransomware

Posted: May 25, 2018

The Magician RSWware Ransomware is a member of the Stolich branch of the EDA2 family of file-locking Trojans. Threats in this category block access to your files by encrypting them, and they may also replace your wallpaper, change filename extensions, and create ransom notes. Avoid paying the ransom, if possible, and have your anti-malware products quarantine or delete the Magician RSWware Ransomware safely before recovering your files by other means.

Magicians with Old Tricks Up Their Sleeves

Although Utku Sen is best known for the notoriously abused source code of the Hidden Tear project, he also is responsible for EDA2, a similar file-locking Trojan that criminals use for data-sabotaging and ransoming attacks. Recently, evidence has appeared of a new version of EDA2's Stolich branch. The Magician RSWware Ransomware reuses most of the components of the first Stolich samples available to malware experts for examination, but includes just enough updating to warrant classification as a separate threat.

Most of the Magician RSWware Ransomware's code is identical to that of the Stolich project, which any Web surfer can view on GitHub. Notably, this direct copying includes the placeholder ransom address, which would send any collected funds to an FBI-seized Silk Road wallet. Any live deployment of the Magician RSWware Ransomware will most likely replace that address with one pointing to a functional Bitcoin account.

However, other traits of the Magician RSWware Ransomware remain functional and capable of harming an infected PC. The Magician RSWware Ransomware uses AES-based encryption to 'lock' files of various formats. A changed desktop background and a dropped Notepad text message direct the user to the threat actor's website, which carries most of the ransoming instructions: a transfer of 0.033 Bitcoins in exchange for the decryptor.

Countering Bad Magic with the Mundane

Just like the LMAOxUS Ransomware, the other Stolich variant, the Magician RSWware Ransomware uses a secure encryption method for which malware researchers have yet to see a free decryption solution. Backups are the essential means of recovering a compromised PC's data, particularly documents, pictures, and other high-risk content. Paying the ransom (currently converting to over two hundred and forty USD) provides no guarantee that the threat actor will decrypt your files in return.

The unfinished state of its ransoming instructions makes it likely that the Magician RSWware Ransomware's campaign is still in development and not yet ready for release into the wild. Threat actors frequently circulate file-locking Trojans like this one through spam e-mails or Web-browsing scripts. Keep your software updated and have your security software scan all new files so that it deletes the Magician RSWware Ransomware or its installer automatically. Like the original Stolich, the Magician RSWware Ransomware only affects Windows PCs.

Most of the Magician RSWware Ransomware's changes involve rebranding, but its encryption is just as harmful as ever. Just because a Trojan's payload is a year old doesn't mean that it has stopped being a threat.
