
Resurrection Ransomware

Posted: June 5, 2017

Threat Metric

Threat Level: 10/10
Infected PCs: 9
First Seen: June 5, 2017
OS(es) Affected: Windows

The Resurrection Ransomware is a modification of Hidden Tear, a Trojan that its author published as a demonstration of file-encrypting code, supposedly without intending it for deployment in the wild. This variant retains all of Hidden Tear's file-encrypting functionality and adds messages demanding money to unlock your media. Use a reputable anti-malware product to remove the Resurrection Ransomware immediately, and keep backups, which remain the most reliable way to recover damaged data.

The Trojan that Refuses to Stay Dead

By the standards of the threat marketplace, Hidden Tear is a family with an unusually long lifespan, thanks to the combination of its free availability and its ease of use for different threat actors. These actors typically don't coordinate their campaigns, but most of them attach some form of personal identifier, such as a brand name, to their 'new' Trojans. The Resurrection Ransomware is the latest Hidden Tear variant to carry such a label alongside all of the file-encrypting features one would expect.

Once installed, the Resurrection Ransomware searches directories for files matching its filter, including most Microsoft Office documents, pictures and similar media. It uses Hidden Tear's AES-based encryption routine to scramble the contents of these files so that the user can't open them. Its author also uses what malware analysts consider an unusual template for renaming the encrypted content: in addition to appending a new extension ('.resurrection'), the Trojan inserts semi-random characters between the original name and the new extension.
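To show how an incident responder would triage a system for this renaming pattern, here is an added example; it is not part of the original page and not the Trojan's code. It assumes the template <original name>.<random tag>.resurrection with a single dot separating the three parts (the page states only that semi-random characters sit between the name and the extension), and it pairs the name match with a byte-entropy check so that a renamed but never-encrypted file is not mistaken for ciphertext. The target-extension list and the sample files it creates are constructed for the demo.

```python
import math
import os
import re
import tempfile
from typing import Dict, List, Optional

# Assumed rename template: <original name>.<random tag>.resurrection
# The single-dot separator and the alphanumeric tag are assumptions for this
# example; the page only says semi-random characters are inserted.
RENAME_RE = re.compile(r"^(?P<orig>.+)\.(?P<tag>[A-Za-z0-9]+)\.resurrection$")

# Constructed subset of document/image types a Hidden Tear-style filter targets;
# not the Trojan's actual filter list.
TARGET_EXTS = {".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx",
               ".pdf", ".jpg", ".png", ".txt"}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: AES output sits near 8.0, plain text near 4-5."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def triage_path(path: str, sample_bytes: int = 4096) -> Optional[Dict]:
    """Return a finding for a file whose name matches the rename template, else None."""
    m = RENAME_RE.match(os.path.basename(path))
    if not m:
        return None
    with open(path, "rb") as f:
        head = f.read(sample_bytes)
    ent = shannon_entropy(head)
    orig = m.group("orig")
    return {
        "path": path,
        "original_name": orig,
        "random_tag": m.group("tag"),
        "targeted_type": os.path.splitext(orig)[1].lower() in TARGET_EXTS,
        "entropy": round(ent, 2),
        # A renamed but unencrypted file (interrupted run, empty file) has low entropy.
        "likely_encrypted": len(head) >= 64 and ent > 7.5,
    }


def scan_tree(root: str) -> List[Dict]:
    """Walk root and collect findings, sorted by path for stable reporting."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            hit = triage_path(os.path.join(dirpath, fn))
            if hit:
                findings.append(hit)
    return sorted(findings, key=lambda h: h["path"])


def build_sample_tree() -> str:
    """Constructed sample: one ciphertext-like file, one renamed plaintext, one untouched."""
    root = tempfile.mkdtemp(prefix="resurrection_demo_")
    docs = os.path.join(root, "Documents")
    os.makedirs(docs)
    with open(os.path.join(docs, "budget.xlsx.Xk7q2.resurrection"), "wb") as f:
        f.write(os.urandom(8192))  # random bytes stand in for AES output
    with open(os.path.join(docs, "notes.txt.A9z.resurrection"), "wb") as f:
        f.write(b"plain text that was renamed but never encrypted\n" * 100)
    with open(os.path.join(docs, "readme.txt"), "wb") as f:
        f.write(b"untouched file\n")
    return root


if __name__ == "__main__":
    for hit in scan_tree(build_sample_tree()):
        print(hit)
```

In a real engagement the scan root would be the victim's user profile or a mounted disk image, and the recovered original names give the list of files to restore from backup or feed to a Hidden Tear decrypter once the key is recovered.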

The other change in the Resurrection Ransomware's payload is its custom ransom note, a Web page that auto-plays music misappropriated from a Harry Potter film soundtrack while displaying the decryption conditions: nearly four thousand USD in Bitcoin, paid to the attacker's wallet address within thirty-six hours. The note also threatens to format the victim's computer entirely, which, if carried out, would erase both encrypted and unencrypted content.

Bringing Wounded Files Back to Life

Victims who assume that the con artists who compromised their PCs have no reason to lie could end up making an extremely high ransom payment, through a non-refundable channel, for nothing. Any files the Resurrection Ransomware locks are decryptable with the same decryption tools proven to work against older versions of Hidden Tear. Likewise, malware experts have found no additional code in the Resurrection Ransomware that would let it reformat a hard drive or enforce any deadline-triggered attack.
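Why Hidden Tear variants stay decryptable is easiest to see in code. The following is an added example, not the page's code and not any published decrypter's. It assumes Hidden Tear's published key-generation scheme (a 15-character password drawn from .NET Framework's default Random, whose seed is the millisecond tick count, fed through PBKDF2 with a fixed 8-byte salt and 1000 iterations) and reproduces the approach Hidden Tear decrypters take: enumerate candidate seeds backwards from a file's modification timestamp, regenerate each password, and test the derived key against a known file header. Python's random.Random stands in for .NET Random and an HMAC-SHA256 keystream stands in for AES-CBC, so the passwords here are illustrative rather than ones that would unlock a real Resurrection Ransomware file; the sample document and timestamp are constructed.

```python
import hashlib
import hmac
import random
import string
from typing import Optional

# Assumed Hidden Tear parameters (from its published source, not from this page).
CHARSET = string.ascii_letters + string.digits  # password alphabet
PASSWORD_LEN = 15                               # default password length
SALT = bytes([1, 2, 3, 4, 5, 6, 7, 8])          # hard-coded PBKDF2 salt
PBKDF2_ITERS = 1000                             # Rfc2898DeriveBytes iteration count

# Constructed demo values: the "tick count" at encryption time and the
# modification timestamp an investigator later reads off the encrypted file.
DEMO_MTIME_MS = 123_456_789
DEMO_SEED = DEMO_MTIME_MS - 1234      # run started 1.2 s before the file was closed
SAMPLE_PLAINTEXT = b"%PDF-1.7\n% constructed sample document\n"
PDF_HEADER = b"%PDF-1.7\n"            # known plaintext for the target file type


def create_password(seed: int, length: int = PASSWORD_LEN) -> str:
    """Password from a time-derived seed; random.Random stands in for .NET Random."""
    rng = random.Random(seed)
    return "".join(rng.choice(CHARSET) for _ in range(length))


def derive_key(password: str) -> bytes:
    """PBKDF2-HMAC-SHA1 with the fixed salt, as Rfc2898DeriveBytes does."""
    return hashlib.pbkdf2_hmac("sha1", password.encode(), SALT, PBKDF2_ITERS, 32)


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in for AES-CBC: XOR data with HMAC-SHA256(key, block counter).
    Symmetric, so the same call encrypts and decrypts."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hmac.new(key, offset.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], block))
    return bytes(out)


def encrypt_with_seed(plaintext: bytes, seed: int) -> bytes:
    """What the Trojan does: seed -> password -> key -> ciphertext."""
    return keystream_xor(derive_key(create_password(seed)), plaintext)


def recover_password(ciphertext: bytes, known_header: bytes,
                     mtime_ms: int, window_ms: int = 3000) -> Optional[str]:
    """Enumerate seeds from the file's mtime backwards over window_ms and return
    the password whose key turns the ciphertext prefix into the expected header,
    or None if no seed in the window matches."""
    n = len(known_header)
    for seed in range(mtime_ms, mtime_ms - window_ms - 1, -1):
        candidate = create_password(seed)
        if keystream_xor(derive_key(candidate), ciphertext[:n]) == known_header:
            return candidate
    return None


def demo() -> bool:
    """Encrypt the sample, recover the password from timestamp + header, decrypt."""
    ciphertext = encrypt_with_seed(SAMPLE_PLAINTEXT, DEMO_SEED)
    password = recover_password(ciphertext, PDF_HEADER, DEMO_MTIME_MS)
    if password is None:
        return False
    return keystream_xor(derive_key(password), ciphertext) == SAMPLE_PLAINTEXT


if __name__ == "__main__":
    print("recovered" if demo() else "not recovered")
```

The search window is the only tuning knob: it must cover the gap between the moment the Trojan seeded its generator and the timestamp of the file you test against, so a file encrypted early in the run (a small file in the first directory scanned) gives the tightest window. The same known-header check works against any file type with a fixed magic number.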

Paying the ransom is the worst action a victim can take, and simple security habits remain invaluable for protecting files from nearly all encryption-based attacks preemptively: scanning e-mail attachments with anti-virus software, refusing to enable suspicious document macros or browser scripts, and downloading content only from reputable sources reduce contact with most infection vectors to nil. Malware experts have yet to confirm this campaign's distribution method, but removing the Resurrection Ransomware should require nothing more advanced than an anti-malware program with a good record against the Hidden Tear family.

The size of the Resurrection Ransomware's demand and its accompanying threats are transparent bluffs. Only when victims see through these tactics in large numbers will we start seeing fewer attempts at recycling Hidden Tear and its kindred.

Technical Details

File System Modifications


The following file was created on the system:

File name: file.exe
Size: 228.86 KB (228,864 bytes)
MD5: 898b9d28cfd2ab0e8de2d34c8273078b
Detection count: 79
File type: Executable file
MIME type: unknown/exe
Group: Malware file
Last updated: June 6, 2017