
RabboLock Ransomware

Posted: June 20, 2017

Threat Metric

Threat Level: 8/10
Infected PCs: 96
First Seen: June 20, 2017
Last Seen: July 1, 2020
OS(es) Affected: Windows

The RabboLock Ransomware is a Trojan that uses Hidden Tear-based encryption attacks to lock your files until you pay a ransom. Although the RabboLock Ransomware's threat actor requests in-game currencies instead of 'real' money, paying doesn't guarantee that your data will be unlocked. Users should back up their files and use anti-malware products to block or uninstall the RabboLock Ransomware, depending on the circumstances.

An Unexpected Bill for Your E-Hotel Stay

By allowing individual features to be sold separately from each other, so-called microtransactions are a great source of profit for modern game developers. It's rarer, however, for malware experts to see authors of threatening software trying to make use of them. The RabboLock Ransomware is one of the few to attempt it so far, even though most of its code uses the conventional data-encoding attacks of Hidden Tear.

The RabboLock Ransomware's threat actors don't appear to be native Dutch speakers, which hasn't stopped them from targeting players of the Rabbo Hotel online socialization platform. After gaining system access through methods malware experts are still determining, the RabboLock Ransomware encrypts content such as documents, pictures, and other media using an AES cipher. Like most Hidden Tear variants, the Trojan also appends a custom extension ('R4bb0l0ck') to the name of every file it locks.

The RabboLock Ransomware's more interesting trait is the text ransom message it creates for the victim to read. Instead of a 'traditional' payment for unlocking your media, such as Bitcoins, the RabboLock Ransomware asks you to confer bonuses on the attacker's Rabbo Hotel account, including 'staff privileges,' two kinds of currency and rare inventory items.

Keeping Your Gaming Money from Funding Extortionists

Although the RabboLock Ransomware's authors have some remarkable priorities for profiting from their campaign, even in-game currencies like Rabbo Hotel's crowns cost actual money. Restoring your files from backups should always be preferred over paying con artists and hoping that they honor their word. Malware experts also recommend not depending on the default backups of the Windows OS, since Hidden Tear releases like the RabboLock Ransomware routinely erase such data.
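For recovery planning, the appended 'R4bb0l0ck' extension and the backup advice above can be combined into a quick triage script. The following is an added example, not part of the original article: it lists locked files and checks whether a separate backup tree holds the original of each. The leading dot, the case-insensitive match, the directory layout and the function names are assumptions.

```python
import os
import tempfile
from pathlib import Path

# Extension named in the article; the leading dot and case-insensitive match are assumptions.
LOCKED_SUFFIX = ".r4bb0l0ck"


def plan_restore(data_root, backup_root):
    """Return (restorable, missing) lists for files carrying the locked suffix.

    restorable: (locked_path, backup_copy) pairs where the backup holds the original.
    missing: locked paths with no matching file in the backup tree.
    """
    data_root, backup_root = Path(data_root), Path(backup_root)
    restorable, missing = [], []
    for dirpath, _dirs, files in os.walk(data_root):
        for name in files:
            if not name.lower().endswith(LOCKED_SUFFIX):
                continue
            locked = Path(dirpath) / name
            # Strip only the appended suffix: "report.docx.R4bb0l0ck" -> "report.docx"
            original = name[: -len(LOCKED_SUFFIX)]
            candidate = backup_root / locked.parent.relative_to(data_root) / original
            if original and candidate.is_file():
                restorable.append((locked, candidate))
            else:
                missing.append(locked)
    return sorted(restorable), sorted(missing)


def demo():
    """Build a constructed sample tree and run the planner over it."""
    with tempfile.TemporaryDirectory() as tmp:
        data, backup = Path(tmp, "data"), Path(tmp, "backup")
        (data / "docs").mkdir(parents=True)
        (backup / "docs").mkdir(parents=True)
        (data / "docs" / "report.docx.R4bb0l0ck").write_bytes(b"ciphertext")
        (data / "photo.jpg.r4bb0l0ck").write_bytes(b"ciphertext")
        (data / "notes.txt").write_text("untouched")
        (backup / "docs" / "report.docx").write_text("original")
        restorable, missing = plan_restore(data, backup)
        return ([(l.name, b.name) for l, b in restorable], [m.name for m in missing])


if __name__ == "__main__":
    print(demo())
```

Files reported as missing have no clean copy in the backup tree and need another recovery source.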

While it's probable that the RabboLock Ransomware's authors are using infection vectors designed to appeal to Rabbo Hotel's player base, malware experts have yet to isolate them. This Trojan could be bundled with related software or mislabeled downloads, or installed through more advanced methods, such as an exploit kit or spam e-mails. However, Hidden Tear has little obfuscation against standard threat-detection features, and most anti-malware programs should remove the RabboLock Ransomware before it begins encrypting any files.

A threat author's idea of 'fun and games' might not always be so different from a law-abiding citizen's, but attacks like the RabboLock Ransomware offload the real cost of that entertainment onto a victim. Keeping games amusing and profitable, but only within the rule of law, is the job of their players just as much as it is a duty of the developers.
