Major Ransomware

The Major Ransomware is a new sample originating from the Xorist family of ransomware. Much like other similar ransomware threats, the hackers behind it are resorting to the usual tactics of distribution to reach more users. Ransomware of this kind is spread through the use phishing emails and deceptive websites containing malware. A lot of the samples may be spread via infected documents and application installers as well.

As soon as the ransomware threat infects a machine, it will begin encrypting important files the users may have on it. In this case, the Xorist family of ransomware has a modular framework that allows the Major Ransomware to be bundled with other kinds of malware or even legitimate software. One of the common strategies used is to start the infection with a data capture module, one used to extract any sensitive information the users may have passed through their computer. The collection is then done via an engine that retrieves the information through names and strings

The information may then be used by another module to disable security software capable of interference with the Major Ransomware infection. This may be done to firewalls, antivirus software and intrusion detection programs.

A lot of the Xorist-type ransomware samples much like Major ransomware are also programmed with the ability to delete sensitive data, such as backups, shadow volume copies and backups. In such cases restores will be impossible as long as the infection persists. Once the encryption is complete, the Major Ransomware will drop a ransom note called READ_ME.txt in a visible folder, which asks users to pay a ransom so they can get their files back. The files are renamed with the .major or .core extensions. Other possible names for the ransom note includes READ_ME.major and READ_ME.core. Users are advised to avoid paying any ransom, as there is no guarantee the threat actors will return the files to their original state.