RansomAES Ransomware

Posted: May 9, 2018

RansomAES Ransomware Description

The RansomAES Ransomware is a file-locking Trojan that uses AES encryption to keep its victims from opening images, documents, and other media until they pay its ransom. Infections also may modify the extensions of various filenames, create pop-ups, and drop extortion messages as text files in different folders. Have your anti-malware programs uninstall the RansomAES Ransomware or block its installation, and use backups for data recovery instead of paying the ransom.

South Korea's New File-Ransoming Problem

Like any populated nation, South Korea often experiences attention from threat actors who take advantage of vulnerable PC users by holding their files hostage. Most of the Trojans at the center of such attacks are derivatives of previously-existing ones, such as the Korean AdamLocker Ransomware, variants of the BadRabbit Ransomware family, and the Hidden Tear re-release of the KoreanLocker Ransomware. However, the newest South Korea-targeting Trojan, the RansomAES Ransomware, is an independent threat that malware experts are not connecting to any of these previous campaigns.

As its name suggests, the RansomAES Ransomware uses the AES (Rijndael) algorithm to encipher the data of any infected Windows PC, targeting up to forty-one file formats, including text documents, MP3s, ZIP archives, pictures, and, most significantly, EXE executables. It flags the now-locked files with a '.RandomAES' extension that it inserts after the original extension (such as 'document.txt.RandomAES').

The RansomAES Ransomware generates an HTML pop-up that displays its ransom warning automatically, and it also drops duplicates of the same text as multiple Notepad files. Malware experts are only seeing Korean-language versions of these alerts, which, like the messages of most file-locking Trojans, ask for Bitcoins in exchange for restoring the encrypted data. The threat actors withhold the amount of the ransom until after negotiating, which may be a tactic for extracting as much money from their victims as possible.
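Added here as an illustration, not code from the original article or its authors: a triage script that inventories files carrying the '.RandomAES' double extension described above (recovering the original extension from each name) and spots identical text files dropped into several folders, the way the Trojan duplicates its ransom note. The note filename and the sample directory tree are constructed assumptions; the script identifies and counts, it does not decrypt.

```python
import hashlib
import tempfile
from collections import Counter
from pathlib import Path

# Extension the article reports RansomAES appends after the original one.
LOCKED_SUFFIX = ".RandomAES"


def locked_files(root):
    """Return (path, original_extension) for every file whose name ends in
    '.RandomAES' after its real extension, e.g. report.txt.RandomAES -> .txt."""
    hits = []
    for p in Path(root).rglob("*"):
        if p.is_file() and p.name.endswith(LOCKED_SUFFIX):
            original = Path(p.name[: -len(LOCKED_SUFFIX)]).suffix.lower()
            hits.append((p, original or "<none>"))
    return hits


def duplicated_notes(root, min_copies=2):
    """Group .txt files by SHA-256 of their content and return the groups that
    occur in at least min_copies places. The note's filename is not given in the
    article, so content identity is the only key used here."""
    by_hash = {}
    for p in Path(root).rglob("*.txt"):
        if p.is_file():
            digest = hashlib.sha256(p.read_bytes()).hexdigest()
            by_hash.setdefault(digest, []).append(p)
    return {h: paths for h, paths in by_hash.items() if len(paths) >= min_copies}


def triage(root):
    """Summarise what an incident responder would want first: how many files are
    locked, which original formats were hit, and how many note sets were dropped."""
    locked = locked_files(root)
    return {"locked_count": len(locked),
            "by_extension": dict(Counter(ext for _, ext in locked)),
            "note_groups": len(duplicated_notes(root))}


def build_sample_tree():
    """Constructed sample tree (placeholder bytes, not a real infection)."""
    root = Path(tempfile.mkdtemp())
    for rel in ["docs/report.txt.RandomAES", "docs/photo.jpg.RandomAES",
                "music/song.mp3.RandomAES", "tools/setup.exe.RandomAES",
                "docs/untouched.txt"]:
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_bytes(b"\x00constructed placeholder content\x00")
    note = b"Constructed placeholder ransom text (not the real note)"
    for folder in ["docs", "music", "tools"]:  # note filename is an assumption
        (root / folder / "README_DECRYPT.txt").write_bytes(note)
    return root


if __name__ == "__main__":
    print(triage(build_sample_tree()))
```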

Protecting South Korea's Digital Borders

The threat actors behind the RansomAES Ransomware's campaign are unidentified, as are any infection exploits that they may use for installing the Trojan. However, malware experts do confirm that this threat requires the .NET Framework to run. The RansomAES Ransomware also erases the Shadow Copies silently, a traditional function of file-locker Trojans for impeding local backup recovery. The user's non-local backups, such as any data saved to a cloud server or USB drive, should remain intact.

Infection methods that con artists favor for installing threats of the RansomAES Ransomware's classification include all of the following:

  • Corrupted e-mail attachments may carry embedded content, such as macros, that executes code to drop the Trojan automatically or after the user enables it.
  • Compromised websites may run scripts that perform similar drive-by-download attack routines, often via JavaScript or Flash.
  • Some con artists prefer targeting particular networks or vulnerable domains with brute-force utilities that can break through excessively simple passwords.

Because this Trojan shows no symptoms until after it locks your files, PC users can best protect their media by having anti-malware software remove the RansomAES Ransomware or quarantine it immediately.

Like any country with significant computer usage, South Korea is nowhere near safe from con artists who exploit unsafe file storage habits for profit. A simple backup, along with precautions like disabling scripts and scanning your downloads, can stand between your files and the loss of untold amounts of money.
