
Nuke Ransomware

Posted: September 30, 2016

Threat Metric

Threat Level: 10/10
Infected PCs: 180
First Seen: September 30, 2016
Last Seen: May 2, 2022
OS(es) Affected: Windows


The Nuke Ransomware is a Trojan that uses dual AES-RSA encryption to lock your files while it demands ransom payments through desktop images and pop-ups. Although some aspects of the Nuke Ransomware seem to be derived from other, similar threat campaigns, malware analysts can't confirm any relatives of this threat, nor whether your files can be decrypted for free. Concerned PC owners can protect their machines with anti-malware products that remove the Nuke Ransomware before it can attack, and protect their data by keeping backups in safe locations.

The Nuke Ransomware: A Brush with the Atomic Destruction of Everything You've Saved

Extorting money for black market businesses isn't necessarily simple, and different threat campaigns may use different tactics for forcing their victims' hands. The Nuke Ransomware, a threat dated to late September, shows many of the subtleties of harvesting ransom money after attacking arbitrary PCs. While its targets and distribution method are still under analysis, malware experts often connect Trojans like the Nuke Ransomware to e-mail-based infection vectors.

The Nuke Ransomware uses the AES and RSA encryption algorithms, with unconfirmed key lengths, to modify your file data, blocking content such as documents, images, audio and spreadsheets. In a noted difference from other campaigns, the Nuke Ransomware also renames the files completely, replacing the original names with a string of random characters and the preset '.0x5bm' extension. The Nuke Ransomware stores the original name at the end of the encrypted file's internal data.

Malware researchers saw the Nuke Ransomware using three types of ransom notes simultaneously to extort money in return for a decryption software download that supposedly will restore the above files. These instructions include text content, HTML pop-ups and images, the last of which the Nuke Ransomware sets as the PC's default wallpaper. Each set of instructions includes several social engineering techniques for persuading the victim, including a specific deadline for payment, free trials of decryption features, and warnings about the consequences of not following the recommendations.

Waving an Olive Branch in a War of Files Against Files

The Nuke Ransomware offers explicit, well-thought-out instructions on how a victim might pay within a four-day period to get their content decrypted. However, it doesn't mention the history of illicit decryption tools: their tendency to corrupt data, to be redundant because the keys were poorly protected, or, in some cases, to be useless (since not all Trojan admins save their campaign's decryption keys). Paying a ransom to get your files back is a solution malware experts discourage until you have ruled out all other viable options.

Based on the evidence to date, malware experts can find no links between the Nuke Ransomware and other, known threats, such as the Crysis Ransomware family. Until the PC security industry can develop a decryption program for the Nuke Ransomware, PC owners can protect themselves by keeping backups of their data in protected locations, giving them recovery options that don't depend on decryption. Local backups, such as those saved by the Windows VSS feature, shouldn't be relied upon, since they are frequent targets for deletion.

Traditionally, anti-malware products don't bundle file-decrypting features in their feature sets. However, they can detect, block or remove the Nuke Ransomware before it can begin encoding your content. Protecting your computer with appropriate security software and limiting unsafe behavior, such as launching strange e-mail attachments, will likewise restrict the blast radius of a digital bomb like the Nuke Ransomware.

Technical Details

Registry Modifications

The following Registry Values and files are newly produced:

File name without path:
!!_RECOVERY_instructions_!!.html
!!_RECOVERY_instructions_!!.txt

Registry key:
HKEY..\..\..\..{RegistryKeys}Software\Microsoft\Windows\CurrentVersion\Run\nuke_html
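The indicators above (the '.0x5bm' renaming, the two '!!_RECOVERY_instructions_!!' note files and the 'nuke_html' Run value) can be turned into a simple triage check. The script below is an added example, not code from the original page or from any analysis of the threat; it assumes the Run value may live under either HKCU or HKLM (the page names no hive) and builds its own constructed sample directory, with a made-up random name, to show the verdict logic.

```python
import os
import tempfile
ENCRYPTED_EXT = ".0x5bm"                           # extension named on the page
NOTE_NAMES = {"!!_RECOVERY_instructions_!!.html",  # ransom note names from the page
              "!!_RECOVERY_instructions_!!.txt"}
RUN_VALUE = "nuke_html"                            # Run value name from the page

def scan_tree(root):
    """Walk root; return (encrypted_files, note_files) matching the indicators."""
    encrypted, notes = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(ENCRYPTED_EXT):
                encrypted.append(os.path.join(dirpath, name))
            elif name in NOTE_NAMES:
                notes.append(os.path.join(dirpath, name))
    return encrypted, notes

def run_value_present():
    """Windows only: True if RUN_VALUE sits under HKCU or HKLM Run (page names no hive)."""
    if os.name != "nt":
        return None          # registry check is meaningless elsewhere
    import winreg
    subkey = r"Software\Microsoft\Windows\CurrentVersion\Run"
    for hive in (winreg.HKEY_CURRENT_USER, winreg.HKEY_LOCAL_MACHINE):
        try:
            with winreg.OpenKey(hive, subkey) as key:
                winreg.QueryValueEx(key, RUN_VALUE)
                return True
        except OSError:      # key or value absent in this hive
            continue
    return False

def triage(root, run_present=None):
    """Combine file-system and persistence indicators into a verdict."""
    encrypted, notes = scan_tree(root)
    if run_present or (encrypted and notes):
        verdict = "infected"      # persistence value, or renamed files plus notes
    elif encrypted or notes:
        verdict = "suspicious"    # a single artifact; confirm by hand
    else:
        verdict = "clean"
    return {"verdict": verdict, "encrypted": len(encrypted), "notes": len(notes)}

def build_sample_tree():
    """Constructed sample: one untouched file, one renamed file, one note."""
    root = tempfile.mkdtemp(prefix="nuke_demo_")
    for name in ("report.docx", "q7x2kp9d.0x5bm", "!!_RECOVERY_instructions_!!.txt"):
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(b"constructed sample content")
    return root
```

Run `triage(build_sample_tree(), run_value_present())` to see the combined verdict; on a real host, point `triage` at the user profile or a mapped share instead of the sample tree.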
