
NORD Ransomware

Posted: December 2, 2020

The NORD Ransomware is a file-locking Trojan that attacks the user's digital media files and stops them from opening. As part of the small family of the DarkCrypt Ransomware, it delivers ransom notes in HTA and TXT formats similar to previous members, changes files' extensions, and has no free unlocking solution. Windows users should have backups for protecting any files and let traditional anti-malware utilities delete the NORD Ransomware as they detect it.

Contrary to Name, It's Far More than Just a Nordic Computer Problem

The DarkCrypt Ransomware is a group of file-locker Trojans with far fewer variants than, for instance, the seemingly endless procession of Djvu Ransomware variants across the world's PCs. However, a family's small size is no measure of the risk of its attacks, which are equivalent to most Ransomware-as-a-Service-style payloads in terms of blocking computer data. The NORD Ransomware is an update first detectable in late November, with definite similarities to ancestors like H@RM@ Ransomware.

The NORD Ransomware is still a Windows-based threat, requires the .NET Framework, and is quickly downloadable at less than a megabyte. The Trojan uses the family's encryption standard for blocking media files, such as documents, pictures, movies, or databases, by converting them into temporarily non-readable formats. This feature sets up the Trojan's extortion plan for reaping ransoms later.

Other symptoms of the NORD Ransomware's payload include the usual changes to files' names, such as adding extensions with victim IDs and the threat actor's e-mail, and the delivery of ransom notes in pop-up HTA and TXT text formats. The former's formatting resembles other file-locker Trojan families' templates, such as the often-imitated Crysis Ransomware family. Users have no initial information on the ransom requirement for the criminal's file-unlocking help, a common negotiating tactic in these types of attacks.

However, there is no free decryption service for the NORD Ransomware's family, and users should invest in backups – especially non-local ones – for their data recovery needs.
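The renaming symptom described above can be turned into a quick triage check over a file listing. The following is an added example, not code from this article or from any vendor tool; the exact suffix layout, the `.locked` placeholder extension, the sample paths and the `triage` function name are all assumptions, since the page states only that the appended extension carries a victim ID and the threat actor's e-mail.

```python
import re
from collections import defaultdict

# Original extensions for the media types the article lists (documents,
# pictures, movies, databases). Assumed starter set; extend as needed.
MEDIA_EXT = r"(?:docx?|xlsx?|pdf|jpe?g|png|mp4|avi|sql|mdb)"
EMAIL = r"[A-Za-z0-9][A-Za-z0-9._%+-]*@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+"

# <name>.<media ext> followed by an appended suffix that contains an e-mail
# address. The suffix layout is an assumption, so the pattern stays loose.
RENAMED = re.compile(
    rf"^(?P<orig>.+\.{MEDIA_EXT})(?P<suffix>[._\-\[][^/\\]*?(?P<email>{EMAIL})[^/\\]*)$",
    re.IGNORECASE,
)

def triage(paths, min_hits=3):
    """Map contact e-mail -> original file names, keeping only addresses
    shared by at least min_hits renamed files (one stray name is not a burst)."""
    hits = defaultdict(list)
    for path in paths:
        name = re.split(r"[/\\]", path)[-1]      # handle Windows or POSIX paths
        m = RENAMED.match(name)
        if m:
            hits[m.group("email").lower()].append(m.group("orig"))
    return {e: sorted(o) for e, o in hits.items() if len(o) >= min_hits}

# Constructed sample listing (not real indicators; ".locked" is a placeholder).
SAMPLE = [
    r"C:\Users\a\Documents\budget.xlsx.id-1A2B3C4D.[unlock@example.com].locked",
    r"C:\Users\a\Pictures\cat.JPG.id-1A2B3C4D.[unlock@example.com].locked",
    r"C:\Users\a\Videos\trip.mp4.id-1A2B3C4D.[unlock@example.com].locked",
    r"C:\Users\a\Documents\notes.txt",
    # Benign name that happens to contain an address: filtered by min_hits.
    r"C:\Users\a\Documents\cv.pdf_sent_to_hr@example.org.bak",
]

if __name__ == "__main__":
    for email, originals in triage(SAMPLE).items():
        print(f"{len(originals)} files renamed with contact {email}: {originals}")
```

Grouping by the shared address is what separates a mass rename from a single oddly named file; the list of original names it returns doubles as the restore list to check against backups.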

Procuring an AV Solution from an Entirely Wrong Source

Malware researchers see similarities between the NORD Ransomware and the H@RM@ Ransomware that reach beyond the scope of the post-infection attacks. The earlier campaign by the older DarkCrypt Ransomware variant used the disguise of a Windows Defender update as its distribution tactic. Similarly, the NORD Ransomware pretends that it's a non-specific antivirus program. Windows users should remember that these themes are archetypal in drive-by-download attacks for delivering Trojans of all kinds. Verifying a downloaded file's domain, double-checking extensions, and scanning files before opening them are beneficial for evading fake updates and installers.

Web surfers can also improve their chances of avoiding exposure to these attacks by curating their website choices. Illegal and 'free' file-sharing websites tend to be hotspots for file-locker Trojans and other threats. More universally, most users may benefit from considerations like turning off JavaScript, Flash, pop-ups, and similar features, and also installing all available updates for their software.

The DarkCrypt Ransomware family is notably smaller than most of the other encryption-based groups in the threat landscape. Even so, most anti-malware tools will detect and delete the NORD Ransomware as a threat without letting any files come to harm.

The NORD Ransomware's moral fable is an easily-understood one: be careful about the identity of a download, and don't trust brand names by default. Without confirming a file's identity before opening it, the consequences can be as dangerous as inviting a masked man into one's home.
