
RansomAES Ransomware

Posted: May 9, 2018

The RansomAES Ransomware is a file-locking Trojan that uses AES encryption to keep its victims from opening images, documents, and other media until they pay its ransom. Infections also may append a new extension to the names of the locked files, create pop-ups, and drop extortion text messages in different folders. Have your anti-malware programs uninstall the RansomAES Ransomware or block its installation, and use backups for data recovery instead of paying the ransom.

South Korea's New File-Ransoming Problem

Like any populous nation, South Korea regularly attracts threat actors who take advantage of vulnerable PC users by holding their files hostage. Most of the Trojans at the center of such attacks are derivatives of previously-existing ones, such as the Korean AdamLocker Ransomware, variants of the BadRabbit Ransomware family, and the Hidden Tear re-release of the KoreanLocker Ransomware. However, the newest South Korea-targeting Trojan, the RansomAES Ransomware, is an independent threat that malware experts have not linked to any of these earlier campaigns.

As its name suggests, the RansomAES Ransomware uses the AES (Rijndael) algorithm to encipher the data of any infected Windows PC, targeting up to forty-one file formats, including text documents, MP3s, ZIP archives, pictures, and, most significantly, EXE executables. It flags the now-locked files with a '.RandomAES' extension that it appends after the original extension (for example, 'document.txt.RandomAES'), so the original file type remains visible in the name.

The RansomAES Ransomware automatically opens an HTML pop-up displaying its ransom warning, and also drops copies of the same text as multiple Notepad (plain text) files. Malware experts have only seen Korean-language versions of these alerts, which, like the messages of most file-locking Trojans, demand Bitcoins for restoring the encrypted data. The threat actors withhold the ransom amount until the victim contacts them to negotiate, which may be a tactic for extracting as much money from each victim as possible.

Protecting South Korea's Digital Borders

The threat actors behind the RansomAES Ransomware's campaign are unidentified, as are any infection exploits that they may use for installing the Trojan. However, malware experts do confirm that this threat requires the .NET Framework to run. The RansomAES Ransomware also deletes the Volume Shadow Copies silently, a traditional function of file-locker Trojans for impeding recovery from local restore points. Backups that the infected PC cannot reach, such as data saved to a cloud service or a USB drive that is disconnected while the Trojan runs, should remain intact; a drive that stays mounted during the attack is just another target.
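Two of the behaviors described above, silent Shadow Copy deletion and files renamed with an appended '.RandomAES' extension, are what a defender can actually hunt for in endpoint telemetry. The script below is an added example for this page, not code from the RansomAES Ransomware or from its analysts. It runs over a constructed, pipe-separated event log (the sample lines and their format are invented for the example) and flags process command lines that match common Shadow Copy deletion methods, plus file events whose names keep the original extension followed by '.RandomAES'. The page does not say which deletion method RansomAES uses, so the command-line patterns are assumed candidates a practitioner would watch for generally, not observed RansomAES behavior.

```python
"""Detection sketch: Shadow Copy deletion and '.RandomAES' double extensions.

Added example. The event lines and their format are constructed for this
demo; they are not RansomAES telemetry.
"""
import re
from typing import Dict, List

# Command lines commonly used to wipe Shadow Copies and recovery settings.
# Assumption: these are generic candidates to monitor; the write-up does not
# state which method RansomAES itself uses.
SHADOW_COPY_PATTERNS = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"vssadmin(\.exe)?\s+resize\s+shadowstorage.*maxsize=", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"win32_shadowcopy.*\b(delete|remove)", re.I),
    re.compile(r"bcdedit(\.exe)?\s+/set.*recoveryenabled\s+no", re.I),
]

# The page reports the marker is appended after the original extension,
# e.g. 'document.txt.RandomAES'. Requiring a short original extension before
# the marker cuts false positives from unrelated names ending in the string.
RANSOM_EXT = ".RandomAES"
LOCKED_NAME = re.compile(r"\.[A-Za-z0-9]{1,5}" + re.escape(RANSOM_EXT) + r"$", re.I)

# Constructed sample events: timestamp|kind|pid=N|payload
SAMPLE_EVENTS = [
    "2018-05-09T10:01:02|PROCESS|pid=4120|C:\\Windows\\System32\\vssadmin.exe delete shadows /all /quiet",
    "2018-05-09T10:01:03|PROCESS|pid=4130|C:\\Windows\\System32\\cmd.exe /c dir",
    "2018-05-09T10:01:04|FILE|pid=4120|C:\\Users\\user\\Documents\\report.docx.RandomAES",
    "2018-05-09T10:01:05|FILE|pid=4120|C:\\Users\\user\\Pictures\\photo.jpg.RandomAES",
    "2018-05-09T10:01:06|FILE|pid=4131|C:\\Users\\user\\Downloads\\setup.exe",
    "2018-05-09T10:01:07|PROCESS|pid=4140|powershell.exe Get-WmiObject Win32_ShadowCopy | ForEach-Object { $_.Delete() }",
]


def parse_event(line: str) -> Dict[str, str]:
    """Split one constructed event line into its fields."""
    ts, kind, pid, payload = line.split("|", 3)
    return {"ts": ts, "kind": kind, "pid": pid.split("=", 1)[1], "payload": payload}


def is_shadow_copy_deletion(cmdline: str) -> bool:
    """True if the command line matches any known Shadow Copy wipe pattern."""
    return any(p.search(cmdline) for p in SHADOW_COPY_PATTERNS)


def is_locked_filename(path: str) -> bool:
    """True if the name ends in '<original ext>.RandomAES'."""
    return LOCKED_NAME.search(path) is not None


def analyse(events: List[str], rename_threshold: int = 2) -> Dict[str, object]:
    """Return matched events and the PIDs worth isolating.

    A PID is suspect if it deleted Shadow Copies or produced at least
    `rename_threshold` locked filenames (a burst of renames, not a stray one).
    """
    findings: Dict[str, object] = {
        "shadow_copy_deletion": [],
        "locked_files": [],
        "suspect_pids": set(),
    }
    renames_per_pid: Dict[str, int] = {}
    for line in events:
        ev = parse_event(line)
        if ev["kind"] == "PROCESS" and is_shadow_copy_deletion(ev["payload"]):
            findings["shadow_copy_deletion"].append(ev)
            findings["suspect_pids"].add(ev["pid"])
        elif ev["kind"] == "FILE" and is_locked_filename(ev["payload"]):
            findings["locked_files"].append(ev)
            renames_per_pid[ev["pid"]] = renames_per_pid.get(ev["pid"], 0) + 1
    for pid, count in renames_per_pid.items():
        if count >= rename_threshold:
            findings["suspect_pids"].add(pid)
    return findings


if __name__ == "__main__":
    result = analyse(SAMPLE_EVENTS)
    for ev in result["shadow_copy_deletion"]:
        print("SHADOW COPY DELETION", ev["ts"], "pid", ev["pid"], ev["payload"])
    for ev in result["locked_files"]:
        print("LOCKED FILE", ev["ts"], "pid", ev["pid"], ev["payload"])
    print("suspect pids:", sorted(result["suspect_pids"]))
```

On a real host the process lines would come from Sysmon Event ID 1 or Windows Security Event 4688 (with command-line auditing enabled) and the file lines from Sysmon Event ID 11; the matching logic is the same once the fields are extracted. Note that the rename check is only as good as the marker it keys on, so any tooling that depends on it should be updated if a later sample changes the appended extension.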

Infection vectors that attackers favor for installing threats of the RansomAES Ransomware's class include all of the following:

  • Malicious e-mail attachments, such as documents carrying macros, that drop the Trojan once the user enables the embedded content.
  • Compromised websites running scripts that perform drive-by-download attacks, often via JavaScript or Flash.
  • Targeted attacks on particular networks or exposed hosts, using brute-force utilities that break excessively simple passwords.

Because this Trojan shows no symptoms until after it locks your files, all PC users can best protect their media by running anti-malware software that removes or quarantines the RansomAES Ransomware immediately.

Like any country with significant computer usage, South Korea is nowhere near safe from criminals who profit from unsafe file-storage habits. A simple backup, along with precautions such as disabling scripts and scanning your downloads, can stand between your files and a loss of untold amounts of money.
