
_readme Ransomware

Posted: November 13, 2018

The _readme Ransomware is a file-locker Trojan that blocks the victim's media files with a dual-layer encryption combination so that they cannot be opened. This threat also creates text ransom messages for its decryption service and may cause other side effects that harm your PC's security or data integrity. Keep anti-malware products available for removing the _readme Ransomware preemptively, and keep a thorough set of backups for recovering your work at no cost.

A Trojan that Knows Exactly What – and Who – It Wants

A file-locking Trojan of unknown origin is actively attacking United States-administered servers running Windows, with the usual plan of encrypting files and waiting for the victims to pay for a decryption service. What makes the _readme Ransomware different from file-locker Trojans like the Globe Ransomware, the Scarab Ransomware or EDA2 is its high degree of cosmetic specialization. Thanks to its threat actor's configuration choices, the _readme Ransomware calls out specific server admins in its symptoms, providing ample evidence that the Trojan's distribution is far from random.

The _readme Ransomware targets media, such as Word documents, pictures, archives or slideshows, and locks them by using an AES and RSA-based encryption routine. The most notable configuration choice in this attack is the file-locker Trojan's use of a 512-bit RSA key instead of a traditional size like 1024 bits, although it remains reasonably secure. What it does to the filenames, however, is more notable: it adds an extension that references the victim's real name (for example, 'generic-document.doc.JohnSmith'). Some files also acquire a '_readme' string after the extension.

Like many highly targeted attacks, the _readme Ransomware's campaign specializes in encrypting the data of server administrators. After locking the files on the server, the _readme Ransomware creates what malware experts rate as slightly abnormal ransom notes, embedded into Excel spreadsheets, that ask for money in an unspecified currency. Like most media-based ransoming negotiations, the conditions rely on 'customer' IDs and free e-mail addresses.
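The renaming behaviour described in the two paragraphs above (a real extension followed by an appended victim-name suffix, sometimes with a '_readme' marker) is something a server admin can sweep a share for during triage. The following Python script is an added example, not code from the original write-up or from the malware; the list of targeted extensions, the benign-suffix allowlist, the exact placement of the '_readme' marker and the sample paths are all assumptions constructed for the demonstration.

```python
import re
from collections import Counter
from pathlib import PurePosixPath

# Extensions a file-locker typically goes after (assumed list for this example).
DOCUMENT_EXTS = {"doc", "docx", "xls", "xlsx", "ppt", "pptx", "pdf",
                 "jpg", "png", "zip", "rar", "txt"}
# Extra suffixes that legitimate tools append and that should not raise an alert.
BENIGN_SUFFIXES = {"bak", "tmp", "old", "orig"}

# Pattern from the write-up: '<stem>.<real ext>.<appended suffix>' with an
# optional '_readme' marker; the marker position is an assumption.
APPENDED_SUFFIX = re.compile(
    r"^(?P<stem>.+)\.(?P<ext>[A-Za-z0-9]+)\.(?P<suffix>[^./\\]+?)(?P<marker>_readme)?$"
)


def classify(path):
    """Return a finding dict when the filename matches the lock pattern, else None."""
    name = PurePosixPath(path).name
    m = APPENDED_SUFFIX.match(name)
    if not m:
        return None
    ext = m.group("ext").lower()
    suffix = m.group("suffix")
    # Only a real document extension followed by something that is not itself
    # a document extension or a known benign suffix is suspicious.
    if ext not in DOCUMENT_EXTS:
        return None
    if suffix.lower() in DOCUMENT_EXTS or suffix.lower() in BENIGN_SUFFIXES:
        return None
    reasons = ["appended_suffix"]
    if m.group("marker"):
        reasons.append("_readme_marker")
    return {"path": path, "original_ext": ext, "suffix": suffix, "reasons": reasons}


def triage(paths):
    """Classify every path and count how often each appended suffix recurs."""
    hits = [r for r in map(classify, paths) if r]
    # One odd filename is weak evidence; the same foreign suffix on many files
    # across a share is the signal the write-up describes.
    suffix_counts = Counter(h["suffix"] for h in hits)
    return {"hits": hits, "suffix_counts": suffix_counts}


# Constructed sample listing, not real victim data.
SAMPLE_PATHS = [
    "/srv/share/generic-document.doc.JohnSmith",
    "/srv/share/q3.xlsx.JohnSmith_readme",
    "/srv/share/archive.tar.gz",
    "/srv/share/photo.jpg.bak",
    "/srv/share/notes.txt",
    "/srv/share/report.doc.pdf",
]

if __name__ == "__main__":
    result = triage(SAMPLE_PATHS)
    for hit in result["hits"]:
        print(hit["path"], hit["reasons"])
    print("suffix counts:", dict(result["suffix_counts"]))
```

Run it against a real listing by replacing SAMPLE_PATHS with the output of a directory walk; treat a suffix that recurs across dozens of files as the trigger to isolate the server and pull the ransom-note spreadsheets for the incident record.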

Stopping Names from Becoming Fixtures of Digital Hostage Crises

Nearly all server-based encryption attacks begin through one of two infection vectors that malware researchers observe repeating across different families of file-locking Trojans, and especially among entities in the Ransomware-as-a-Service (or RaaS) industry. Remote attackers may brute-force the server's login credentials directly, enable RDP features to gain additional control, and then install the file-locking Trojan. Alternatively, some victims may acquire the _readme Ransomware infections after opening corrupted e-mail attachments, which ordinarily carry content customized for the individual target and are disguised as documents.

Most anti-malware products have various means of identifying the Trojan droppers and vulnerabilities that help install threats like the _readme Ransomware. Server admins and employees, additionally, should avoid enabling unsafe content, such as Word macros, while interacting with documents that have any potential for being unsafe. Using complex passwords can reduce the efficacy of a brute-force attack, and most anti-malware technology should have no issues with removing the _readme Ransomware or other threats that share its category.
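The brute-force-then-RDP vector described above leaves a recognizable trace in a server's logon records: a burst of failed logons from one source followed by a success. The Python below is an added example of that detection logic, not code from the original write-up or any product. The event IDs (4625 failed logon, 4624 successful logon) and logon type 10 (RemoteInteractive, i.e. RDP) are real Windows Security values; the one-line text format, the field names, the threshold, the window and the sample log lines are constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed, simplified line format for this example (not the real Windows
# event record):  <ISO timestamp> <event id> src=<ip> user=<name> type=<logon type>
LINE = re.compile(
    r"^(?P<ts>\S+) (?P<eid>\d+) src=(?P<src>\S+) user=(?P<user>\S+) type=(?P<ltype>\d+)$"
)

FAILED_LOGON = 4625   # Windows Security: an account failed to log on
SUCCESS_LOGON = 4624  # Windows Security: an account was successfully logged on
RDP_LOGON_TYPE = 10   # RemoteInteractive (RDP / Terminal Services)


def parse(lines):
    """Turn constructed log lines into time-sorted event dicts, skipping unparseable lines."""
    events = []
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ"),
            "eid": int(m.group("eid")),
            "src": m.group("src"),
            "user": m.group("user"),
            "ltype": int(m.group("ltype")),
        })
    events.sort(key=lambda e: e["ts"])
    return events


def detect(lines, threshold=5, window=timedelta(minutes=5)):
    """Return (kind, source, timestamp) alerts for failure bursts and later successes."""
    alerts = []
    recent_failures = defaultdict(deque)  # source ip -> failure timestamps inside the window
    flagged = set()                       # sources already reported for a failure burst
    for e in parse(lines):
        q = recent_failures[e["src"]]
        while q and e["ts"] - q[0] > window:  # drop failures that aged out of the window
            q.popleft()
        if e["eid"] == FAILED_LOGON:
            q.append(e["ts"])
            if len(q) >= threshold and e["src"] not in flagged:
                flagged.add(e["src"])
                alerts.append(("bruteforce", e["src"], e["ts"]))
        elif e["eid"] == SUCCESS_LOGON and e["src"] in flagged:
            # A success from a source that brute-forced earlier in the log is the
            # alert an analyst wants first; RDP successes are called out separately.
            kind = ("rdp_success_after_bruteforce" if e["ltype"] == RDP_LOGON_TYPE
                    else "success_after_bruteforce")
            alerts.append((kind, e["src"], e["ts"]))
    return alerts


# Constructed sample: six failures from one address within a minute, then an RDP
# success from it, plus an unrelated single failure and success from another host.
SAMPLE_LOG = [
    "2018-11-12T03:14:01Z 4625 src=203.0.113.7 user=administrator type=10",
    "2018-11-12T03:14:09Z 4625 src=203.0.113.7 user=administrator type=10",
    "2018-11-12T03:14:17Z 4625 src=203.0.113.7 user=admin type=10",
    "2018-11-12T03:14:25Z 4625 src=203.0.113.7 user=admin type=10",
    "2018-11-12T03:14:33Z 4625 src=203.0.113.7 user=backup type=10",
    "2018-11-12T03:14:41Z 4625 src=203.0.113.7 user=backup type=10",
    "2018-11-12T03:15:02Z 4624 src=203.0.113.7 user=backup type=10",
    "2018-11-12T03:20:00Z 4625 src=192.0.2.5 user=jdoe type=2",
    "2018-11-12T03:20:15Z 4624 src=192.0.2.5 user=jdoe type=2",
]

if __name__ == "__main__":
    for kind, src, ts in detect(SAMPLE_LOG):
        print(ts.isoformat(), kind, src)
```

The burst alert fires once per source when the fifth failure lands inside the five-minute window; the success alert is deliberately not time-limited, because a logon from an address that ever brute-forced the server is worth a look even if it comes later. Pair the detection with the password and RDP-exposure controls the paragraph above recommends, since a strong credential policy is what keeps the success alert from ever firing.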

Thanks to its specificity, the _readme Ransomware's campaign isn't much of a danger to the average, random Windows user. However, malware researchers find it ominous that at least one criminal is going so in-depth with victim-targeting methods, which could pose more problems for businesses, governments and NGOs.
