RanRans Ransomware

Posted: July 10, 2017

Threat Metric

The Threat Meter is a malware assessment that SpywareRemove.com's research team is able to give every identifiable malware threat. Our Threat Meter includes several criteria based off of specific malware threats to value their severity, reach and volume. The Threat Meter is able to give you a numerical breakdown of each threat's initial Threat Level, Detection Count, Volume Count, Trend Path and Percentage Impact. The overall ranking of each threat in the Threat Meter is a basic breakdown of how all threats are ranked within our own extensive malware database. The scoring for each specific malware threat can be easily compared to other emerging threats to draw a contrast in its particular severity. The Threat Meter is a useful tool in the endeavor of seeking a solution to remove a threat or pursue additional analytical research for all types of computer users.

The following fields listed on the Threat Meter containing a specific value, are explained in detail below:

Threat Level: The threat level scale goes from 1 to 10 where 10 is the highest level of severity and 1 is the lowest level of severity. Each specific level is relative to the threat's consistent assessed behaviors collected from SpyHunter's risk assessment model.

Detection Count: The collective number of confirmed and suspected cases of a particular malware threat. The detection count is calculated from infected PCs retrieved from diagnostic and scan log reports generated by SpyHunter.

Volume Count: Similar to the detection count, the Volume Count is specifically based on the number of confirmed and suspected threats infecting systems on a daily basis. High volume counts usually represent a popular threat but may or may not have infected a large number of systems. High detection count threats could lay dormant and have a low volume count. Criteria for Volume Count is relative to a daily detection count.

Trend Path: The Trend Path, utilizing an up arrow, down arrow or equal symbol, represents the level of recent movement of a particular threat. Up arrows represent an increase, down arrows represent a decline and the equal symbol represent no change to a threat's recent movement.

% Impact (Last 7 Days): This demonstrates a 7-day period change in the frequency of a malware threat infecting PCs. The percentage impact correlates directly to the current Trend Path to determine a rise or decline in the percentage.

Threat Level:	10/10
Infected PCs:	5

First Seen:	July 10, 2017
Last Seen:	April 18, 2018
OS(es) Affected:	Windows

The RanRans Ransomware is a Trojan that blocks you from opening media such as documents, pictures, or spreadsheets by encoding each file. It sells the data-unlocking feature for cryptocurrency payments, although malware experts advise against paying, especially since this threat's payload is buggy. Use backups or free decryption tools for unlocking any content that the Trojan damages, and delete the RanRans Ransomware with any standard anti-malware products.

A New Blossom from a Toxic Spring

While it does have competition, Hidden Tear is most likely still the most widely-abused resource for plundering to create minor variants of Trojans with encryption-based features turned towards extortion. One of the newer clones, the RanRans Ransomware, may be the work of a threat actor whose products go back as far as April, with the BlackRose Ransomware campaign. Both threats use similar brand-advertising strings, but, more significantly, also leverage the Hidden Tear's functionality for locking their victims' data.

As an evident work in progress, the RanRans Ransomware's current samples all crash when launched without encrypting any files. If updated to remove these startup glitches, the RanRans Ransomware could block content including Word documents, Adobe PDFs, JPG pictures, compressed archives, and other formats of commonly used media. Although the RanRans Ransomware doesn't try to encode the entire filename, it does append '.ranrans' extensions onto them, giving it a similarity in symptoms to the BlackRose Ransomware's old attacks.

Most versions of Hidden Tear create Notepad files for negotiating any initial demands with the victims. However, the RanRans Ransomware uses a pop-up method that delivers its requests through a Windows alert. While malware experts saw the RanRans Ransomware's threat actor attempting to use the usual method of Bitcoin payments in exchange for giving up a decryptor, the host sites for all decryption links have pulled the associated content. While the victim still may pay, doing so provides no access to the file-unlocking app.

Keeping the Lifespan of a Poisonous Flower Short

While one might think that a bug-riddled Trojan is less of a problem than a fully-working one, any file-encrypting Trojan, bugged or not, has significant capacity to endanger the files of an infected PC. In some cases, these coding errors even can prevent the recovery of your locked content by mishandling either the original encryption routine or the storage of the key for decoding. With the RanRans Ransomware's family of Hidden Tear, local backups and the Shadow Copies also may be deleted, closing off other routes for data restoration.

Save your backups to non-local cloud servers or detachable devices to remove all possibility of the RanRans Ransomware having access to your media. Since malware experts often see campaigns like the RanRans Ransomware's attacks using e-mail or website-based infection vectors, monitoring your browser security is also beneficial. When active, many anti-malware products can remove the RanRans Ransomware and all other members of the Hidden Tear family without any risk to the data on your PC.

Failing to analyze the risk and reward probabilities of potentially unsafe behavior online is responsible, not just for distributing threats like the RanRans Ransomware, but enabling their profits. Throwing money at a con artist, with no chance for refunds, all too often is nothing more than a way to get poorer in return for nothing.

Technical Details

File System Modifications

Tutorials: If you wish to learn how to remove malware components manually, you can read the tutorials on how to find malware, kill unwanted processes, remove malicious DLLs and delete other harmful files. Always be sure to back up your PC before making any changes.

The following files were created in the system:

file.exe

File name: file.exe
Size: 219.13 KB (219136 bytes)
MD5: 7774a30be28a49f293bba343f3b3409c
Detection count: 44
File type: Executable File
Mime Type: unknown/exe
Group: Malware file
Last Updated: July 13, 2017