
Npsg Ransomware

Posted: January 30, 2020

The Npsg Ransomware is a file-locking Trojan from the STOP Ransomware family. It encrypts the victim's files so that they can no longer be opened and holds them hostage until a ransom is paid. Backups kept on a separate device are the only guaranteed way of recovering the locked content. However, nearly all anti-malware products should block or delete the Npsg Ransomware from an at-risk Windows machine.

The Irony of the STOP Ransomware Family Continues Apace

The STOP Ransomware, despite its name, is one of the fastest-growing families of file-locking Trojans built on the Ransomware-as-a-Service model, alongside the Globe Ransomware, the Scarab Ransomware and the Dharma Ransomware. Unlike those competing groups, the STOP Ransomware and its many variants show strict version control and rapidly rolled-out updates; the family recently reached build 0200 with the Topi Ransomware campaign, and the Npsg Ransomware already moves past it.

The Npsg Ransomware, seen in the wild only days after the Topi Ransomware, is identifiable as build 0201, although its conventions for attacking victims remain unchanged. It encrypts files with an AES-based routine that targets documents, pictures and other media formats likely to be valuable to the victim, which stops the data from opening in its associated applications. The '.npsg' extension that the Trojan appends to each encrypted file is one of the few behaviors that sets the Npsg Ransomware apart from dozens of relatives, such as the older Neras Ransomware and Myskle Ransomware or the newer Grod Ransomware.

Attacks by the Npsg Ransomware also may be assisted by Mimikatz, a third-party credential-dumping tool that extracts Windows passwords and password hashes from memory. In most infections, malware experts see this streamlining the acquisition of new files to hold hostage, as the threat actor uses the stolen credentials to reach the rest of the network and other devices. However, it's also a possible source of revenue in its own right: databases of collected login credentials are premium commodities on the Dark Web.

Dancing around a Trojan's Points of Attack

Whatever other features they might boast, new versions of the STOP Ransomware aren't likely to break new ground in their distribution exploits. Common infection vectors that malware experts recommend preparing against include:

  • E-mail attachments are a prominent means of compromising business and government networks; they can abuse software vulnerabilities (which usually are patchable) or document macros (which are typically disabled by default).
  • The Npsg Ransomware's family is one of the few that also makes noteworthy use of torrents; the Trojan might pose as media, such as a recently released movie, or bundle itself with a software installer.
  • Threat actors also exploit preexisting weaknesses to gain remote access to other people's systems. These weaknesses often are poorly chosen passwords, an RDP service exposed to the Internet, or unpatched server software.

Since the Npsg Ransomware also deletes the Volume Shadow Copies that Windows keeps as its default backup, users will need backups on other devices for recovering anything it locks, in nine cases out of ten. Anti-malware products, while not decryptors, should delete the Npsg Ransomware before any unauthorized encryption of data begins.
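As an added illustration (example code written for this page, not code from the original article or from any vendor), the following Python script shows how a defender might flag two of the behaviors described above in endpoint telemetry: the commands used to wipe Volume Shadow Copies, and a burst of files written with the '.npsg' extension by a single process. The log lines are constructed Sysmon-style records, not real captures; the field names, the rename threshold and the helper names are assumptions made for this example.

```python
"""Toy detector for shadow-copy deletion and bulk '.npsg' renames.

Example code added to this page; the log format below is a simplified,
constructed Sysmon-style 'Key=Value' line (EventID 1 = process create,
EventID 11 = file create), not real telemetry.
"""
import re
from collections import Counter

# Commands commonly used by ransomware to destroy Windows' built-in backups.
# Matched case-insensitively against the full command line.
SHADOW_DELETE_PATTERNS = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I),
]

# Extension the article associates with this variant.
RANSOM_EXT = ".npsg"

# Key=Value tokens; a value is either a double-quoted string (may contain
# spaces) or a run of non-whitespace characters.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample log. WS01 shows the malicious pattern; WS02 shows
# benign look-alikes ('vssadmin list shadows', one stray .npsg file).
SAMPLE_LOG = r"""
EventID=1 Host=WS01 Image=C:\Windows\System32\vssadmin.exe CommandLine="vssadmin.exe delete shadows /all /quiet"
EventID=1 Host=WS01 Image=C:\Windows\System32\cmd.exe CommandLine="cmd.exe /c wmic.exe shadowcopy delete"
EventID=11 Host=WS01 Image=C:\Users\alice\AppData\Local\7f3a\build.exe TargetFilename=C:\Users\alice\Documents\budget.xlsx.npsg
EventID=11 Host=WS01 Image=C:\Users\alice\AppData\Local\7f3a\build.exe TargetFilename=C:\Users\alice\Documents\thesis.docx.npsg
EventID=11 Host=WS01 Image=C:\Users\alice\AppData\Local\7f3a\build.exe TargetFilename=C:\Users\alice\Pictures\holiday.jpg.npsg
EventID=11 Host=WS01 Image=C:\Users\alice\AppData\Local\7f3a\build.exe TargetFilename=C:\Users\alice\Pictures\cat.png.npsg
EventID=1 Host=WS02 Image=C:\Windows\System32\cmd.exe CommandLine="cmd.exe /c vssadmin list shadows"
EventID=11 Host=WS02 Image="C:\Program Files\Office\winword.exe" TargetFilename=C:\Users\bob\Documents\notes.docx
EventID=11 Host=WS02 Image=C:\Windows\explorer.exe TargetFilename=C:\Users\bob\Downloads\song.mp3.npsg
"""


def parse_line(line):
    """Parse one 'Key=Value Key="quoted value"' record into a dict."""
    fields = {}
    for key, raw in KV_RE.findall(line):
        if raw.startswith('"') and raw.endswith('"'):
            raw = raw[1:-1]
        fields[key] = raw
    return fields


def detect(log_text, rename_threshold=3):
    """Return (kind, host, detail) alerts found in the log text.

    kind is 'shadow_copy_deletion' for a matching process-create command,
    or 'bulk_ransom_extension' when one process on one host writes at
    least rename_threshold files ending in RANSOM_EXT.
    """
    alerts = []
    rename_counts = Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev.get("EventID") == "1":
            cmd = ev.get("CommandLine", "")
            if any(p.search(cmd) for p in SHADOW_DELETE_PATTERNS):
                alerts.append(("shadow_copy_deletion", ev.get("Host"), cmd))
        elif ev.get("EventID") == "11":
            target = ev.get("TargetFilename", "")
            if target.lower().endswith(RANSOM_EXT):
                rename_counts[(ev.get("Host"), ev.get("Image"))] += 1
    for (host, image), n in sorted(rename_counts.items()):
        if n >= rename_threshold:
            detail = f"{image} wrote {n} files ending in {RANSOM_EXT}"
            alerts.append(("bulk_ransom_extension", host, detail))
    return alerts


if __name__ == "__main__":
    for kind, host, detail in detect(SAMPLE_LOG):
        print(f"[{kind}] {host}: {detail}")
```

The shadow-copy rule fires on the first command it sees, so it is the higher-value alert: by the time enough '.npsg' files have appeared to cross the rename threshold, encryption is already under way. The threshold exists only to keep a single stray file (as on WS02) from paging anyone.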

The Npsg Ransomware might be the newest model rolling off the STOP Ransomware assembly line, but it's precisely as much of a danger to documents and other work as the hundreds that came before it. Anyone without a backup may find themselves paying a ransom that, sadly, isn't nearly as cheap as running a Ransomware-as-a-Service business.
