Montserrat Ransomware

Posted: December 13, 2019

The Montserrat Ransomware is a file-locking Trojan that can lock media on your PC, such as documents, images or music. Like most Trojans of its category, it also renames the files it locks with a different extension and creates ransom messages that sell its unlocking service. Users should back their files up to places that a Trojan can't reach and use anti-malware products to delete the Montserrat Ransomware as soon as possible.

A Poor Vacation Spot for What's on Your Computer

Whether they own a computer or not, many people dream of island vacations, and a new Trojan is tarnishing that ideal escape from life by borrowing it for a name. The Montserrat Ransomware takes its rather niche title from a British territory in the Caribbean, but its attacks are far less discriminating, requiring only a compatible Windows environment. As the latest file-locking Trojan that's outside of the purview of families like the Globe Ransomware, the Montserrat Ransomware is an unexpected and unpredictable new proponent of extortion through encryption.

The Montserrat Ransomware uses a traditional, Registry-based persistence method with a mutex before getting to work. Its main feature is data encryption, which it uses for locking files. It targets media such as PNG images and Word documents in various locations, such as the user's desktop. After blocking and renaming the data with the 'encrypted_backup' extension, it creates a ransom note, an HTML file, on the desktop. Note that while the extension seems generic, malware researchers haven't encountered it in other file-locking Trojans' campaigns so far.
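For scoping the damage on an affected profile, the following triage script (an added example, not code from this article or from any vendor) counts files carrying the 'encrypted_backup' extension and lists HTML files that could be the ransom note. The function name `triage`, the assumption that the extension is appended to the original file name, and the one-hour time window are illustrative choices, not details from the article.

```python
import os
from collections import Counter
from pathlib import Path

LOCKED_EXT = ".encrypted_backup"  # extension named in the article
NOTE_EXTS = (".html", ".htm")     # the article says the ransom note is an HTML file


def triage(root, window_seconds=3600):
    """Summarise locked files under `root` and list HTML files that may be the note."""
    locked, html = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            if name.lower().endswith(LOCKED_EXT):
                locked.append(path)
            elif name.lower().endswith(NOTE_EXTS):
                html.append(path)

    report = {"locked": len(locked), "by_dir": {}, "by_type": {}, "note_candidates": []}
    if not locked:
        return report

    # Assumption: the extension is appended ("a.docx.encrypted_backup"), so the
    # inner suffix still shows which file types were hit. Files without one are
    # counted as "(unknown)".
    report["by_type"] = dict(
        Counter(Path(p.stem).suffix.lower() or "(unknown)" for p in locked))
    report["by_dir"] = dict(Counter(str(p.parent) for p in locked))

    # Heuristic (assumption): a ransom note is written around the time the files
    # are locked, so keep only HTML files modified within the window.
    times = [p.stat().st_mtime for p in locked]
    lo, hi = min(times) - window_seconds, max(times) + window_seconds
    report["note_candidates"] = sorted(
        str(p) for p in html if lo <= p.stat().st_mtime <= hi)
    return report


if __name__ == "__main__":
    import json
    import sys
    start = sys.argv[1] if len(sys.argv) > 1 else Path.home()
    print(json.dumps(triage(start), indent=2))
```

The per-directory and per-type counts show which backups need restoring; the script only reads file metadata and changes nothing on disk.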

The ransoming instructions that the Montserrat Ransomware offers aren't very unusual for a Trojan of its kind. It gives the user a long ID, two free e-mail addresses for negotiating with the threat actor, and a minimal 'free trial' of the unlocking service. Because criminals don't always honor these negotiations, victims should attempt all other recourses before considering a ransom payment. Unfortunately, the relative newness of the Montserrat Ransomware means that no free, public decryptors for file recovery are available.

An Ironic Hiding Place for a Trojan

Although its disguise is subject to potential changes, right now, all samples of the Montserrat Ransomware are consistent in their file names and related credentials. These Windows programs imitate a 'Windows Backup Storage' service, complete with copyright information, albeit with no signature. Such a choice gives the Montserrat Ransomware just enough plausible deniability for running in the background and locking files until the victim realizes what's wrong.

Besides holding out hope for a free decryptor's development, users can also take precautions that keep the Montserrat Ransomware from placing them in such a vulnerable situation. Saving backups to secured devices like cloud storage, using strong passwords, and avoiding unsafe download sources like e-mail attachments, torrents or ad-delivered links are all viable strategies. The Montserrat Ransomware is Windows-specific but, despite its name, shows no inclination towards limiting its campaign's location to the namesake island.

Anti-malware products initially struggled to identify this new Trojan. However, detection rates are rising as vendors patch their databases, and most anti-malware tools should remove the Montserrat Ransomware safely by the time of this article's publication.

The Montserrat Ransomware is a casual entry into the book of file-locking Trojans, with mostly cosmetic differences between it and seminal examples like Hidden Tear. That doesn't make it less threatening, as anyone who forgets their weekly backup will find out quite quickly.