
Parisher Ransomware

Posted: October 19, 2016

Threat Metric

Threat Level: 10/10
Infected PCs: 21
First Seen: October 19, 2016
OS(es) Affected: Windows


The Parisher Ransomware is a file-encrypting Trojan that holds your data hostage while its operators await a ransom payment. No decryption option is known for this threat, so a regularly scheduled backup is the most direct route to recovering encoded content. Ideally, your anti-malware programs remove the Parisher Ransomware before the Trojan can encode anything.

Trojans Dangling Decryptors Through E-mail

The lifespan of an online messaging account its holder uses for ill-minded acts often is a brief one, requiring con artists to jump to new addresses and account names semi-regularly. While some threat authors prefer investing in anonymity services that work around this problem, others, like the threat actors for the Parisher Ransomware, keep multiple accounts available. The redundancy in options helps the Parisher Ransomware's administrators hold the lines of communication for extortion open as long as possible, potentially giving their victims more time to submit.

The Parisher Ransomware generates its 'income' through what is, for 2016, the standard practice of forcibly encrypting your data. Malware experts found current variants of the Parisher Ransomware to be more selective than most Trojans of this classification: they can only confirm attacks against databases, spreadsheets (such as XLS) and text documents (such as DOC). Other content, such as JPG images, appears to be unaffected.

Since the Parisher Ransomware makes no name-based changes to the encoded content, the clearest symptom of infection is an inability to open the files afterward. The Parisher Ransomware also generates a file ('1NFORMAT1ONFOR.YOU') with instructions for contacting one of four e-mail addresses for decryption help, without mentioning a ransom fee. A second file ('ENCRYPT1ON.KEY123') holds the key material that any decryption of the encoded content depends on.
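Because this Trojan leaves file names and extensions untouched, a responder cannot spot encrypted files by name. The script below is an added triage example (written for this page, not a tool from the page's author or from the malware analysis): it walks a directory, and for every file with a targeted document extension checks whether the expected file signature is still present and how random the leading bytes are, flagging files that have lost their signature and read as ciphertext. It also reports whether the two artifact names quoted above are present. The document signatures, the entropy threshold, the assumption that the artifacts can sit anywhere under the scanned root, and the sample files it builds in a temporary directory are all constructed for the example.

```python
"""Triage files for in-place encryption when the Trojan leaves names unchanged."""
from __future__ import annotations

import math
import random
import tempfile
from pathlib import Path

# Ransom note and key file names quoted on the page; their drop location is not
# documented there, so the scan looks for them anywhere under the scanned root.
RANSOM_ARTIFACTS = {"1NFORMAT1ONFOR.YOU", "ENCRYPT1ON.KEY123"}

# Leading bytes expected for the document types the page says are targeted
# (an assumption of this example). The OLE2 signature covers legacy DOC/XLS;
# "PK" covers zipped DOCX/XLSX. Plain text has no signature, so .txt is judged
# by entropy alone.
OLE2 = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
ZIP = b"PK\x03\x04"
TARGETED = {
    ".doc": (OLE2, ZIP),
    ".xls": (OLE2, ZIP),
    ".docx": (ZIP,),
    ".xlsx": (ZIP,),
    ".txt": (),
}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for ciphertext, well below 6 for office or text data."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def looks_encrypted(path: Path, threshold: float = 7.5, sample: int = 4096) -> bool:
    """True for a targeted file whose signature is gone and whose header bytes are near-random."""
    signatures = TARGETED.get(path.suffix.lower())
    if signatures is None:
        return False  # not a targeted type (e.g. JPG, which the page says is unaffected)
    head = path.read_bytes()[:sample]
    if any(head.startswith(sig) for sig in signatures):
        return False  # intact signature: not encrypted in place
    return shannon_entropy(head) >= threshold


def scan_tree(root: Path) -> list[str]:
    """Relative paths of targeted files that look encrypted, sorted for stable output."""
    return sorted(
        p.relative_to(root).as_posix()
        for p in root.rglob("*")
        if p.is_file() and looks_encrypted(p)
    )


def find_ransom_artifacts(root: Path) -> list[str]:
    """Names of the note/key files found anywhere below root."""
    return sorted({p.name for p in root.rglob("*") if p.is_file() and p.name in RANSOM_ARTIFACTS})


def build_sample_tree(root: Path) -> None:
    """Constructed sample data: two intact documents, three encrypted-in-place ones,
    an untouched JPG and the two ransom artifacts. Not real infection data."""
    rng = random.Random(1)

    def noise(n: int) -> bytes:  # deterministic stand-in for ciphertext
        return bytes(rng.getrandbits(8) for _ in range(n))

    (root / "Accounts").mkdir()
    (root / "intact.doc").write_bytes(OLE2 + b"A" * 4088)               # genuine-looking DOC
    (root / "notes.txt").write_text("Quarterly notes, nothing encrypted here.\n" * 60)
    (root / "encrypted.doc").write_bytes(noise(4096))                    # DOC name, random bytes
    (root / "Accounts" / "ledger.xls").write_bytes(noise(4096))          # XLS name, random bytes
    (root / "locked.txt").write_bytes(noise(4096))                       # TXT name, random bytes
    (root / "photo.jpg").write_bytes(b"\xFF\xD8\xFF\xE0" + b"\x00" * 100)  # untouched, ignored anyway
    (root / "1NFORMAT1ONFOR.YOU").write_text("contact one of the addresses for help\n")
    (root / "ENCRYPT1ON.KEY123").write_bytes(noise(64))


def demo() -> tuple[list[str], list[str]]:
    """Build the sample tree in a temp dir and return (suspect files, ransom artifacts)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        return scan_tree(root), find_ransom_artifacts(root)


if __name__ == "__main__":
    suspects, artifacts = demo()
    print("Encrypted in place:", suspects)
    print("Ransom artifacts:  ", artifacts)
```

Point `scan_tree` at a share or a user profile to get a list of candidates for restoration from backup; an intact signature is a reliable "not encrypted" signal, while a high-entropy file with no signature deserves a manual look, since legitimately compressed or password-protected documents can trip the entropy check as well.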

Avoiding the Parisher Ransomware's Punishment for Poor PC Protection

Any content encoded by the Parisher Ransomware is identifiable by its inclusion in a log that the Parisher Ransomware drops in the Windows directory. In scenarios where essential data is at risk, malware experts still discourage paying the Parisher Ransomware's administrators, who may not reply with any decryption help. Backing up that content on a daily basis, to removable drives or cloud servers ideally, provides options for restoring data that don't hinge on a single, original copy.

The Parisher Ransomware's payload format most strongly resembles variants of the Mobef Ransomware family, although malware experts have yet to confirm this possible connection. In either case, the Parisher Ransomware lacks a working, free decryptor, and any data enciphered by this threat may not be recoverable. The Parisher Ransomware campaign seems to target small business servers most closely, which should be protected by anti-malware and network security tools that can catch the Parisher Ransomware before it launches.

Stopping a file encrypting Trojan's infection before it happens is much easier than reversing all the damage that even an unsophisticated threat of this type can cause. With offshoots like the Parisher Ransomware, good network maintenance remains at least half the key to keeping your information secure.

Technical Details

File System Modifications


The following files were created in the system:



File name: file.exe
Size: 162.85 KB (162857 bytes)
MD5: 7d082fdf8f7a306c9a4fa65d73453f43
Detection count: 41
File type: Executable File
Mime Type: unknown/exe
Group: Malware file
Last Updated: October 19, 2016