
My Decryptor Ransomware

Posted: October 17, 2017

Threat Metric

Threat Level: 2/10
Infected PCs: 9
First Seen: October 17, 2017
Last Seen: January 10, 2019
OS(es) Affected: Windows

The My Decryptor Ransomware is a family of Trojans that locks media, such as documents, through targeted attacks so that its threat actors can collect a ransom in exchange for the unlocking solution. Precautions against My Decryptor Ransomware attacks should focus on backing up any content of value to the user, avoiding weak or reused passwords, and scanning new files with threat detection technology. Because this Trojan causes its damage without alerting the user, vulnerable PCs should rely on anti-malware programs to delete the My Decryptor Ransomware immediately.

Tracking the Anonymous Domains of Modern, Data-Locking Attacks

What sets Ransomware-as-a-Service operations and similarly advanced business models apart from unseasoned 'script kiddy' threat actors is not only the payloads and immediate features of their Trojans but also their support infrastructure. The differences are especially visible in how the con artists implement TOR-based ransoming protocols, which often rely on cryptocurrencies to enhance their anonymity and the threat actor's safety. A recently identified family of file-locking Trojans, the My Decryptor Ransomware, coordinates its website traffic in a way that implies both niche-targeting of its victims and high overall traffic rates.

Despite its unusual level of network organization, the My Decryptor Ransomware uses traditional AES-based encryption to lock arbitrary media on the victim's PC. Any files that the My Decryptor Ransomware locks are encrypted so that other applications can no longer read their data correctly; the Trojan marks them by appending an extension of seven semi-random characters (such as '.kgpvwnr'). The encryption process also injects a 'customer' ID number into the file's internal data.
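The seven-character extension described above is a usable detection signal. The following heuristic scanner is an added example, not code from the original article: it flags file names whose final extension is exactly seven lowercase letters and is not on an allow-list of legitimate seven-letter extensions, then reports directories where several such files appear together. The allow-list and the sample paths are constructed for illustration; the only extension taken from the page is '.kgpvwnr'.

```python
"""Heuristic detector for the seven-letter extension pattern of a file-locker."""
import re
from collections import Counter

# Legitimate extensions that happen to be seven lowercase letters (constructed
# allow-list; extend it for your environment to keep false positives down).
KNOWN_SEVEN_LETTER_EXTENSIONS = {"torrent", "partial", "jupyter"}

# Exactly seven lowercase ASCII letters, as in the '.kgpvwnr' sample from the page.
SEVEN_LOWER = re.compile(r"^[a-z]{7}$")


def suspicious_extension(name: str) -> bool:
    """True if the file's final extension matches the pattern and is not allow-listed."""
    if "." not in name:
        return False
    ext = name.rsplit(".", 1)[1]
    return bool(SEVEN_LOWER.match(ext)) and ext not in KNOWN_SEVEN_LETTER_EXTENSIONS


def flag_directories(paths, threshold: int = 3) -> dict:
    """Return {directory: count} for directories holding at least `threshold`
    suspiciously named files. A single odd file is noise; a burst of them in one
    folder is the trace a file-locking Trojan leaves behind."""
    per_dir = Counter()
    for path in paths:
        directory, _, name = path.replace("\\", "/").rpartition("/")
        if suspicious_extension(name):
            per_dir[directory] += 1
    return {d: n for d, n in per_dir.items() if n >= threshold}


# Constructed sample listing: three locked documents, one untouched text file,
# and a download with a legitimate seven-letter extension.
SAMPLE_PATHS = [
    "C:/Users/alice/Documents/budget.xlsx.kgpvwnr",
    "C:/Users/alice/Documents/report.docx.kgpvwnr",
    "C:/Users/alice/Documents/photo.jpg.kgpvwnr",
    "C:/Users/alice/Documents/notes.txt",
    "C:/Users/alice/Downloads/ubuntu.iso.torrent",
    "C:/Users/alice/Downloads/setup.exe",
]

if __name__ == "__main__":
    for directory, count in flag_directories(SAMPLE_PATHS).items():
        print(f"{count} suspiciously renamed files in {directory}")
```

Run against a real file listing (for example the output of a directory walk), the threshold keeps a lone oddly named file from triggering an alert while a folder full of renamed documents does.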

Although the My Decryptor Ransomware uses a traditional, text-based ransom note to direct all victims to its TOR ransom-processing site, that site provides a different sub-domain for each victim. Victims, identified by their ID numbers, can track their Bitcoin payments there; depending on the response time, the threat actor's file-unlocking decryption service may cost a payment worth over two thousand USD. Malware experts often see broadly similar ransom-processing methods in other families of Trojans, although the division of traffic between custom sub-domains is, at this date, unique to the My Decryptor Ransomware and its variants.

Cheapening the Experience of Digital Media Recovery

Both the cost and the somewhat non-traditional organization of the My Decryptor Ransomware's payment infrastructure suggest that its authors are launching attacks against specific, profitable entities manually. Such attacks could use disguised email messages and attachments to compromise a PC, or gain login access by running brute-force tools against a business, government or NGO network. Standard security products should be capable of blocking the My Decryptor Ransomware as a threat, although any PC is theoretically at risk from a manual install if the threat actors can compromise a weak login combination.

For now, malware researchers have yet to associate the My Decryptor Ransomware with better-known families like Hidden Tear, and can't determine whether this threat or its variants (such as the Magniber branch) might be open to free decryption solutions. Based on the resources and professionalism already exhibited by this campaign, victims are unlikely to recover their media freely unless they already have backups preserved in a location that this threat can't scan, such as a detached device. Using anti-malware tools to remove the My Decryptor Ransomware immediately also will prevent any loss of files to encryption.

The Onion Router, now known as TOR, is one of many recurring elements that malware experts expect to keep finding in new campaigns that lock media for money. However, how it's put to use is up to threat actors who, like the My Decryptor Ransomware's authors, may have very different strategies for which systems they plan to attack and how much value they plan to extract in the bargain.
