
Reha Ransomware

Posted: January 24, 2020

The Reha Ransomware is a file-locking Trojan that can keep media such as documents, pictures or databases from opening. This encryption attack is, generally, irreversible without the threat actor's ransom-based help, which is an inherently risky service. Users can protect their files more effectively by keeping well-stored backups and by having anti-malware software in place to block and remove the Reha Ransomware.

The Trojans that will not 'STOP' Ransoming Your Work

Although file-locking Trojans of other origins are also extant, Ransomware-as-a-Service families are particularly prominent sources of them. Groups with high levels of activity include the Scarab Ransomware, the Globe Ransomware, and the STOP Ransomware, the latter of which has the most rapidly-evolving version iteration. In 2020, the Reha Ransomware is one of the newest members of this family, although it follows innumerable others, such as the Hets Ransomware, the Nbes Ransomware, the Peet Ransomware and the older Djvu Ransomware.
The Reha Ransomware belongs to version 0199 of the series of Trojans, which, although it's not the most recent build, is newer than nearly all prior samples. It targets Windows environments, including both incidentally-compromised users' PCs and business-owned servers, with a series of attacks intended to extort money from the victim. Primary features that all victims are at risk from include:

  • The AES and RSA data encryption 'locks' files of ransom-worthy formats like Word documents, spreadsheets or various pictures. After stopping the file from opening this way, the Trojan also appends a different extension to the name ('reha,' in this case).
  • The Reha Ransomware also can wipe the Restore Points and other Shadow Volume Copy-related backup information, to prevent the media's recovery.
  • Some STOP Ransomware infections also include functionality for downloading other threats that collect passwords and other credentials. The attack could facilitate lateral movement throughout a network, among other issues.
  • The Reha Ransomware creates TXT (Notepad text) ransom notes automatically, which sell the threat actor's decryption-based unlocking service. Although there is a deadline for getting a 'low' ransom price, the criminals also have no issues with taking the payment without restoring files, in many cases.

A non-localized backup is, ultimately, the safest and most reliable method of recovering any media that the Trojan locks.
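An added triage helper, not part of the original write-up, that inventories a file listing the way a responder would after the behaviour described above: it recovers the original names of files that received the appended '.reha' extension, groups them by the ransom-worthy format classes the write-up names, and lists the .txt files (candidate ransom notes) dropped beside them. The suffix sets, the note-naming heuristic and the sample listing are assumptions constructed for the demo.

```python
from collections import Counter
from pathlib import PurePosixPath

LOCKED_EXT = ".reha"  # extension the write-up says this variant appends
FORMAT_CATEGORIES = {  # ransom-worthy classes per the write-up; suffix sets assumed
    "document": {".doc", ".docx", ".odt", ".pdf"},
    "spreadsheet": {".xls", ".xlsx", ".ods", ".csv"},
    "picture": {".jpg", ".jpeg", ".png", ".gif"},
    "database": {".db", ".sqlite", ".mdb", ".accdb"},
}

def original_name(path):
    """Pre-encryption name if the path carries the appended '.reha'
    extension, else None ('notes.docx.reha' -> 'notes.docx')."""
    name = PurePosixPath(path).name
    if name.lower().endswith(LOCKED_EXT) and len(name) > len(LOCKED_EXT):
        return name[: -len(LOCKED_EXT)]
    return None

def format_category(name):
    suffix = PurePosixPath(name).suffix.lower()
    for category, suffixes in FORMAT_CATEGORIES.items():
        if suffix in suffixes:
            return category
    return "other"

def triage(paths):
    """Which files were renamed, what formats they were, and which .txt
    files (candidate ransom notes) sit in the same directories."""
    locked, by_category, hit_dirs = {}, Counter(), set()
    for p in paths:
        orig = original_name(p)
        if orig is not None:
            locked[p] = orig
            by_category[format_category(orig)] += 1
            hit_dirs.add(str(PurePosixPath(p).parent))
    notes = sorted(p for p in paths if p not in locked
                   and PurePosixPath(p).suffix.lower() == ".txt"
                   and str(PurePosixPath(p).parent) in hit_dirs)
    return {"locked": locked, "by_category": dict(by_category),
            "notes": notes, "affected_dirs": sorted(hit_dirs)}

SAMPLE_LISTING = [  # constructed listing, not taken from a real infection
    "/srv/share/finance/budget-2019.xlsx.reha",
    "/srv/share/finance/invoice-0042.pdf.reha",
    "/srv/share/finance/_note.txt",
    "/srv/share/photos/team.jpg.reha",
    "/srv/share/photos/untouched.png",
    "/home/alice/report.docx.reha",
    "/home/alice/_note.txt",
]
```

On a real host, pass `triage` a listing such as `[str(p) for p in Path(root).rglob('*')]` taken from a forensic copy rather than the live, still-infected system.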

Staying a Step Ahead of Fast-Updating Trojans

The STOP Ransomware can compromise users by any means preferable to the threat actor who's hiring the Trojan family. In older campaigns, malware researchers see techniques emphasizing psychological exploitation. Examples include fake software updates on Web advertising networks, pirated software downloads on torrent networks, and falsified e-mail attachments imitating invoices or resumes. Safe Web-browsing behavior, updating software through official sources, and using strong passwords will cut the risk of Reha Ransomware infections significantly.

Server administrators also should keep the software versions in their server infrastructure under scrutiny, particularly packages with publicly-disclosed vulnerabilities. Through means such as Oracle WebLogic's CVE-2017-10271 or Drupal's CVE-2018-7600, attacks can compromise a target without requiring that a user open a corrupted file. The use of factory-default or otherwise-simple passwords also should be discouraged.

This family's encryption routine is secure, in most attacks, against third-party reversal by a decryption program. Most anti-malware products will wipe out the Reha Ransomware or block installation-related exploits for the Trojan equally easily, however.

The Reha Ransomware's creation is a renewal of an exploitation-based business model that searches for weak targets and takes advantage of bad habits like 'forgetting' a backup. Accordingly, putting a 'STOP' in the STOP Ransomware needs little more than users being more responsible with how they save their work.
