
RansomPlus Ransomware

Posted: January 30, 2017

Threat Metric

Threat Level: 10/10
Infected PCs: 88
First Seen: January 30, 2017
OS(es) Affected: Windows

The RansomPlus Ransomware is a Trojan that locks your files with an encryption-based cipher and creates a text message asking for payment to decrypt and unlock them. Since the payment method the RansomPlus Ransomware uses can allow con artists to keep the money without providing any services, PC users should strive to protect their data with backups or other means. Update your anti-malware products and leave them active to improve the chances of removing the RansomPlus Ransomware before the Trojan can attack your computer.

Adding More File Encryptor Trojans to the Pile

Even though a large part of the market for threatening software consists of for-rent products and minor variants of past threats, malware experts regularly see these clones supplemented by relatively unique or independent projects. The RansomPlus Ransomware is one such Trojan campaign, with no known ancestry linking it to a major Trojan family, but a payload that's fully capable of blocking your files for money. Since its symptoms strongly resemble those of other threats of the same type, the RansomPlus Ransomware could easily confuse its victims into believing that it's another Trojan, complicating the process of recovery.

The RansomPlus Ransomware is a small (207 kilobyte) Windows program that malware experts first saw in the last week of January, distributed by unknown methods. On unprotected PCs running a compatible OS, the RansomPlus Ransomware launches a payload consisting of the following attacks:

  • The RansomPlus Ransomware uses encryption for blocking files such as pictures, documents or audio clips and preventing them from opening. Although the algorithm is not yet identifiable, malware experts estimate that it could be breakable by third parties.
  • The Trojan also uses the '.encrypted' extension for marking any content that it locks for later ransoming purposes, a characteristic it shares with such threats as the Dr Jimbo Ransomware and the Smrss32 Ransomware. The Trojan may add the extension after any existing ones or replace the previous ones wholesale.
  • When it finishes, the RansomPlus Ransomware also creates Notepad messages that ask you to pay the equivalent of 230 USD in Bitcoins to get access to the threat actor's file-decryption application. A ransom of this size is one that con artists ordinarily use against small-scale targets, such as casual PC users, and could indicate that the RansomPlus Ransomware's campaign is not targeting businesses, NGOs or government systems.

The Hidden Minuses to Paying the RansomPlus Ransomware

It's no accident that Bitcoin is one of the most popular ransoming currencies for file-encrypting Trojans like the RansomPlus Ransomware; the use of that currency guarantees no repercussions to con artists who take the money and fail to offer any associated recovery services. Malware experts also see decryptors occasionally failing to function properly, with the potential for damaging the locked files permanently. Victims needing a decryption solution should first seek assistance from third-party cyber security experts with histories of providing decryptors for Trojans of the RansomPlus Ransomware's classification.

Since the RansomPlus Ransomware uses local files as its leverage for gathering ransoms, PC users who back their files up to secure locations, such as USB thumb drives, can negate the appeal of a decryption solution. This Trojan is only newly identified, and most brands of anti-malware solutions are still adding it to their databases. As long as you update your anti-malware products regularly and scan new files before opening them, standard anti-malware protection should identify this threat behaviorally and delete the RansomPlus Ransomware before any file-locking attacks occur.

Amateurs at Trojan programming are just as capable of causing long-term problems for your PC as ones with more experience in such illicit activities. The proper solution to these threats always includes preemptive protection and abiding by basic Web-browsing safety habits that can stop problems like the RansomPlus Ransomware before they become expensive.

Technical Details

File System Modifications

Tutorials: If you wish to learn how to remove malware components manually, you can read the tutorials on how to find malware, kill unwanted processes, remove malicious DLLs and delete other harmful files. Always be sure to back up your PC before making any changes.

The following files were created in the system:



dir\name.exe
File name: name.exe
Size: 211.96 KB (211968 bytes)
MD5: 729871063d04ce837b6b65a57f4a2153
Detection count: 75
File type: Executable File
Mime Type: unknown/exe
Path: dir
Group: Malware file
Last Updated: January 31, 2017
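
The indicators on this page (the '.encrypted' marker, appended or substituted, and the size and MD5 listed above) can be combined into a small triage scan. This is an added example, not code from the original page; the function names and the demo file names are constructed for illustration, and the appended-versus-replaced test is a heuristic based on whether an inner extension survives.

```python
import hashlib
import tempfile
from pathlib import Path
from typing import Optional

MARKER = ".encrypted"                            # extension named on this page
SAMPLE_MD5 = "729871063d04ce837b6b65a57f4a2153"  # MD5 listed on this page
SAMPLE_SIZE = 211968                             # bytes, listed on this page

def classify_marker(name: str) -> Optional[str]:
    """Return 'appended', 'replaced' or None for a single file name."""
    p = Path(name)
    if p.suffix.lower() != MARKER:
        return None
    # Heuristic: an inner extension (report.docx.encrypted) means the marker was appended.
    return "appended" if Path(p.stem).suffix else "replaced"

def matches_sample(path: Path) -> bool:
    """True only if both the size and the MD5 equal the values listed on the page."""
    if path.stat().st_size != SAMPLE_SIZE:
        return False  # cheap size check avoids hashing every executable
    return hashlib.md5(path.read_bytes()).hexdigest() == SAMPLE_MD5

def triage(root: Path) -> dict:
    """Walk root and sort findings into marked files and sample-hash matches."""
    report = {"appended": [], "replaced": [], "sample": []}
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        kind = classify_marker(path.name)
        if kind:
            report[kind].append(path)
        elif path.suffix.lower() == ".exe" and matches_sample(path):
            report["sample"].append(path)
    return report

def demo() -> dict:
    """Run triage over a constructed directory tree (all file names are made up)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for name in ("report.docx.encrypted", "holiday.encrypted", "notes.txt"):
            (root / name).write_bytes(b"constructed sample data")
        (root / "setup.exe").write_bytes(b"\0" * SAMPLE_SIZE)  # right size, wrong hash
        report = triage(root)
        return {k: sorted(p.name for p in v) for k, v in report.items()}

if __name__ == "__main__":
    print(demo())
```

Because the '.encrypted' marker is shared with other families such as the Dr Jimbo Ransomware and the Smrss32 Ransomware, marked files show that a file-locking Trojan ran, while only a hash match ties a binary to this specific sample.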