Resurrection Ransomware
Posted: June 5, 2017
Threat Metric
| Field | Value |
|---|---|
| Threat Level | 10/10 |
| Infected PCs | 9 |
| First Seen | June 5, 2017 |
| OS(es) Affected | Windows |
The Resurrection Ransomware is a modification of Hidden Tear, the open-source file-encrypting Trojan that was published as an 'educational' demonstration rather than for deployment in the wild. This threat keeps all of Hidden Tear's non-consensual file-locking behavior and adds a ransom message demanding money to unlock your media. Most users should protect themselves with an anti-malware product capable of removing the Resurrection Ransomware immediately, and with backups, which remain the only guaranteed way to recover damaged data.
The Trojan that Refuses to Stay Dead
By the standards of the threat marketplace, Hidden Tear is a family with an unusually long lifespan, thanks to its public availability and its ease of use for threat actors of any skill level. The separate operators who adopt it rarely coordinate their campaigns, but most stamp some form of personal identifier, such as a brand name, onto their 'new' Trojans. The Resurrection Ransomware is the latest Hidden Tear variant to sport such a label alongside all of the data-locking features one would expect.
When installed, the Resurrection Ransomware searches directories for files that match its filter, which covers most Microsoft Office documents, pictures and similar user content. It uses Hidden Tear's stock AES routine to encrypt the contents of these files so that the user can't open them. Its author also uses a renaming template that malware analysts judge unusual: in addition to appending a new extension ('.resurrection'), the Trojan inserts semi-random characters between the original name and the new extension.
The other change in the Resurrection Ransomware's payload is its custom ransom Web page. This message auto-plays music misappropriated from a Harry Potter film soundtrack while showing custom text with its decryption conditions: nearly four thousand USD in Bitcoin, paid to the attacker's wallet address within thirty-six hours. The Resurrection Ransomware also threatens to format the victim's computer entirely, which would, in theory, erase encrypted and unencrypted content alike.
Bringing Wounded Files Back to Life
Victims who assume that criminals with access to their PCs have no reason to lie to them could find themselves making an extremely large ransom payment, through non-refundable channels, for nothing. Because the Resurrection Ransomware keeps Hidden Tear's encryption routine, any files it locks can be decrypted with the same tools already proven compatible with earlier versions of Hidden Tear. Likewise, malware experts can confirm that the Resurrection Ransomware contains no additional features that would let it reformat the hard drive or carry out any timer-triggered attack.
Paying the ransom is the worst action a victim can take, while simple security measures remain invaluable for protecting files from nearly all encryption-based attacks in advance. Scanning e-mail attachments with anti-virus software, refusing to enable a suspicious document macro or browser script, and downloading content only from reputable sources cut off most of the common infection vectors. Malware experts have yet to confirm this campaign's distribution method, but removing the Resurrection Ransomware should require no more than an anti-malware program with a good record against the Hidden Tear family.
The size of the Resurrection Ransomware's ransom and its accompanying threats are fairly transparent bluffs. Only when victims see through these tactics in large numbers will we start seeing fewer attempts at recycling Hidden Tear and its kindred.
Technical Details
File System Modifications
The following file was created on the system:
File name: file.exe
Size: 228.86 KB (228864 bytes)
MD5: 898b9d28cfd2ab0e8de2d34c8273078b
Detection count: 79
File type: Executable File
Mime Type: unknown/exe
Group: Malware file
Last Updated: June 6, 2017