
RedEye Ransomware

Posted: June 7, 2018

The RedEye Ransomware is an update of the Annabelle Ransomware, an FTSCoder Trojan that combines file-locking and Windows-disabling attacks to disrupt your computer. Some versions of the RedEye Ransomware may overwrite your media with junk data instead of encrypting it, so victims should disregard its demands for a ransom in exchange for a decryption solution. Your anti-malware products can remove the RedEye Ransomware securely, although a quick response may be necessary to eliminate this threat before it causes permanent damage.

The Annabelle Ransomware Gets a Little Red in the Eyes

The threat actor iCoreX, who claims responsibility for the file-deleting Jigsaw Ransomware and the reboot-hijacking Annabelle Ransomware, is now reportedly updating the latter's campaign with a new Trojan. This Annabelle Ransomware variant, the RedEye Ransomware, adds features for subverting the user's control of the Windows environment and for damaging files in general. It also keeps all of the notable attacks from the first build, and, as a result, malware experts are classifying it as an equally high-level threat.

Thanks to the several WAV audio files that it bundles for its ransoming features, the RedEye Ransomware has an unusually large installer of over thirty megabytes. Code obfuscation, such as the protections of the open-source ConfuserEx .NET obfuscator (including its anti-debugging features), could keep outdated security solutions from identifying it accurately. The RedEye Ransomware hijacks the Winlogon Userinit value in the Windows Registry so that its ransom message loads at logon, after it has 'locked' your documents, pictures and other media. However, malware experts report that the RedEye Ransomware may simply overwrite the contents of these files permanently instead of locking them with theoretically reversible AES encryption, contrary to the claim in its pop-up.

One upgrade of particular note is the RedEye Ransomware's ability to hide drives from Windows Explorer, which can keep a victim from regaining control over the OS. The RedEye Ransomware also blocks access to high-priority applications such as the Task Manager, your Web browser and the Registry Editor. Malware researchers also encourage watching the countdown on the RedEye Ransomware's ransom pop-up closely: when the timer expires, the Trojan corrupts the Windows Master Boot Record (MBR), which prevents the operating system from loading.
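A triage script for the lockout mechanisms described above, added here as an example and not taken from the article or from the Trojan's author. It reads the registry locations that are the standard Windows way to produce the effects the text lists (a Userinit logon hijack, Task Manager and Registry Editor disabled by policy, drives hidden in Explorer); the article does not name the values RedEye actually modifies, so treating these as the first places to look is an assumption of the example, and the sample values and payload path in `SAMPLE_HIJACKED` are constructed, not indicators from the page.

```python
"""Triage the Windows lockout mechanisms described above.

Added example, not code from the article or from the Trojan's author. The
registry values below are the standard Windows locations that produce the
effects the text lists; the article does not name the values RedEye touches,
so treating these as the first places to look is an assumption of this example.
"""
import sys
from typing import Dict, List, Optional, Tuple

Check = Tuple[str, str, str, str]  # hive, subkey, value name, effect

CHECKS: List[Check] = [
    ("HKLM", r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",
     "Userinit", "logon-time autostart hijack"),
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\Policies\System",
     "DisableTaskMgr", "Task Manager blocked"),
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\Policies\System",
     "DisableRegistryTools", "Registry Editor blocked"),
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer",
     "NoDrives", "drives hidden in Explorer"),
]


def key_path(hive: str, subkey: str, name: str) -> str:
    return f"{hive}\\{subkey}\\{name}"


def userinit_is_default(value: str) -> bool:
    r"""The stock value is a single entry such as 'C:\Windows\system32\userinit.exe,'.
    Any extra comma-separated entry, or a path outside system32, means the
    logon sequence has been hijacked."""
    entries = [e.strip().strip('"') for e in value.split(",") if e.strip()]
    return len(entries) == 1 and entries[0].lower().endswith(r"\system32\userinit.exe")


def assess(values: Dict[str, Optional[object]]) -> List[str]:
    """Pure logic, so it runs and can be tested on any OS: maps collected
    registry values to findings (an empty list means nothing suspicious)."""
    findings: List[str] = []
    for hive, subkey, name, effect in CHECKS:
        value = values.get(key_path(hive, subkey, name))
        if name == "Userinit":
            if value is None:
                findings.append(f"{effect}: Userinit value missing (cannot assess)")
            elif not userinit_is_default(str(value)):
                findings.append(f"{effect}: Userinit = {value!r}")
        # The policy values are REG_DWORD flags or bitmasks; absent or 0
        # means the restriction is off.
        elif isinstance(value, int) and value != 0:
            findings.append(f"{effect}: {name} = {value}")
    return findings


def collect() -> Dict[str, Optional[object]]:
    """Read the live values on a Windows host (winreg is Windows-only)."""
    import winreg  # imported lazily so assess() stays importable elsewhere
    hives = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}
    values: Dict[str, Optional[object]] = {}
    for hive, subkey, name, _ in CHECKS:
        try:
            with winreg.OpenKey(hives[hive], subkey) as key:
                values[key_path(hive, subkey, name)] = winreg.QueryValueEx(key, name)[0]
        except OSError:  # key or value absent: treat as not set
            values[key_path(hive, subkey, name)] = None
    return values


# Constructed sample of what a locked-down host might return. The payload
# path is hypothetical, not an indicator taken from the article.
SAMPLE_HIJACKED: Dict[str, Optional[object]] = {
    key_path("HKLM", CHECKS[0][1], "Userinit"):
        r"C:\Windows\system32\userinit.exe,C:\Users\victim\AppData\Roaming\payload.exe",
    key_path("HKCU", CHECKS[1][1], "DisableTaskMgr"): 1,
    key_path("HKCU", CHECKS[2][1], "DisableRegistryTools"): 1,
    key_path("HKCU", CHECKS[3][1], "NoDrives"): 0x3FFFFFF,  # every drive letter hidden
}

if __name__ == "__main__":
    data = collect() if sys.platform == "win32" else SAMPLE_HIJACKED
    for line in assess(data) or ["no lockout indicators found"]:
        print(line)
```

Run it from a recovery environment or a second account on the affected host; on any other OS it evaluates the constructed sample so the logic can be checked offline. A hijacked Userinit entry is the one to fix first, since the value is processed at every interactive logon.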

Getting the Glare of Red Out of Your Sight

Unlike a true file-locker Trojan such as the widely distributed Globe Ransomware, the RedEye Ransomware can cause data loss that is not reversible even for victims who do pay its Bitcoin ransom. While its size makes direct distribution through spam e-mail unlikely, Trojan downloaders and similar threats may arrive attached to such messages and then fetch and run the executable themselves. Other infection vectors that malware experts have seen active this year include compromised torrents, exploit kits, and brute-force attacks against exposed RDP services.

A prompt response is necessary to keep this Trojan from causing additional damage to Windows over time. If you suspect a RedEye Ransomware infection, reboot your PC immediately and use Safe Mode or an external recovery environment to keep the threat's processes from launching; note that Windows still processes the Winlogon Userinit value in Safe Mode, so booting from separate recovery media is the safer choice. A non-compromised backup is, as usual, the only method of restoring your files that malware experts can verify as reliable. Have a dedicated anti-malware product uninstall the RedEye Ransomware if required; so far, roughly one in three AV vendors detect this Trojan (in many cases only generically, as a variant of Graftor).
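Because the countdown described above ends in a corrupted MBR, the first thing worth checking from a recovery environment is whether sector 0 of the system disk is still well-formed. The check below is an added example, not code from the article: it parses the standard MBR layout (446 bytes of boot code, four 16-byte partition entries, the 0x55AA signature at offset 510) and reports anything that would stop the disk from booting. The sample sector it builds is constructed for illustration, and the device path in `read_first_sector` is the usual Windows raw-disk name, not something taken from the page.

```python
r"""Check a 512-byte boot sector for the kind of MBR corruption described above.

Added example, not code from the article. It validates the standard MBR layout
only; a sector that fails these checks will not boot, which is the symptom the
text attributes to the Trojan's expired timer.
"""
import struct
from typing import Dict, List

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"
ENTRY_FMT = "<B3sB3sII"  # status, CHS start, type, CHS end, LBA start, sector count


def parse_partitions(sector: bytes) -> List[Dict[str, int]]:
    """Decode the four partition entries (an empty slot has type 0)."""
    entries = []
    for i in range(4):
        off = 446 + 16 * i
        status, _, ptype, _, lba, count = struct.unpack(ENTRY_FMT, sector[off:off + 16])
        entries.append({"status": status, "type": ptype, "lba": lba, "count": count})
    return entries


def mbr_health(sector: bytes) -> List[str]:
    """Return a list of problems; an empty list means the MBR looks intact."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE} bytes, got {len(sector)}")
    problems: List[str] = []
    if sector[510:512] != BOOT_SIGNATURE:
        problems.append("missing 0x55AA boot signature")
    boot_code = sector[:446]
    if len(set(boot_code)) == 1:  # all zeros, all 0xFF, etc.: wiped, not real code
        problems.append("boot code region is blank")
    entries = parse_partitions(sector)
    for i, e in enumerate(entries, start=1):
        if e["status"] not in (0x00, 0x80):  # only 'inactive' and 'bootable' are legal
            problems.append(f"partition {i}: invalid status byte 0x{e['status']:02x}")
        if e["type"] != 0 and e["count"] == 0:
            problems.append(f"partition {i}: zero-length partition")
    if all(e["type"] == 0 for e in entries):
        problems.append("no partition entries defined")
    return problems


def read_first_sector(path: str) -> bytes:
    r"""Read sector 0 from a disk image file, or from a raw device such as
    \\.\PhysicalDrive0 on Windows (requires administrator rights)."""
    with open(path, "rb") as f:
        return f.read(SECTOR_SIZE)


def build_sample_mbr() -> bytes:
    """Constructed, minimal but well-formed MBR: a few bytes of boot code, one
    bootable NTFS partition (type 0x07) starting at LBA 2048, and the signature."""
    boot_code = b"\x33\xc0\x8e\xd0\xbc\x00\x7c\xfb" + bytes(446 - 8)
    part1 = struct.pack(ENTRY_FMT, 0x80, b"\x20\x21\x00", 0x07, b"\xfe\xff\xff", 2048, 1_048_576)
    empty = bytes(16)
    return boot_code + part1 + empty * 3 + BOOT_SIGNATURE


if __name__ == "__main__":
    import sys
    sector = read_first_sector(sys.argv[1]) if len(sys.argv) > 1 else build_sample_mbr()
    for p in mbr_health(sector) or ["MBR looks intact"]:
        print(p)
```

Point it at a disk image taken before any repair so you keep evidence. If only the boot code is damaged, `bootrec /fixmbr` from the Windows Recovery Environment rewrites that code without touching the partition table; if the partition entries themselves are gone, the table has to be restored from a backup or a pre-infection image.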

The RedEye Ransomware is an unmistakable reminder that there is something worse than a disk-wiper like Shamoon or a file-locker Trojan like Hidden Tear: a Trojan that destroys data permanently and then sells a fake cure for it. That is as strong an incentive as any for taking the trouble to back up anything of importance to you.
