
Revenge Ransomware

Posted: March 16, 2017

Threat Metric

Threat Level: 10/10
Infected PCs: 18
First Seen: March 16, 2017
OS(es) Affected: Windows

The Revenge Ransomware is a new version of the CryptMix Ransomware or CryptoMix, a Trojan with file-encryptor features that can lock your data. It also can launch fake security alerts, modify core Windows settings, delete local backups and create Notepad messages for ransoming the decryptor. No decryption solution may be available other than paying the ransom, which is itself highly uncertain, and malware experts advise blocking and removing the Revenge Ransomware with persistent anti-malware products.

An Undeserved Revenge for Visiting the Wrong Website

Each month appears set to see new versions of the CryptMix Ransomware, with the Revenge Ransomware taking the place of February's CryptoShield Ransomware. The same infection strategies still are being used to deliver this threat to random PCs: the RIG Exploit Kit, a bundle of vulnerability-assessing scripts that con artists are uploading to various websites. Malware experts emphasize that these sites are third-party owned and hacked, as opposed to designed with ill-minded intent, meaning that even a 'safe' domain, such as one associated with a small business, can install the Revenge Ransomware unintentionally.

One significant change is verifiable in the Revenge Ransomware's payload, in contrast to the old attacks: it targets almost three times as many file formats (over one thousand, instead of the four hundred of the CryptMix Ransomware). The Trojan also terminates some running processes so that it can reach as many types of data as possible without being blocked by software that has the files 'in use'. Vulnerable content is encrypted with an AES-256 cipher, has its name encrypted as well, and is given the '.REVENGE' extension.

The Revenge Ransomware's final action is to display a text message in various languages, including English, Korean, and Italian, for collecting ransom money. It asks the victim to contact the threat actor via e-mail with the custom-generated ID number to acquire further details on the payment method and quantity. Since malware researchers are unable to find any significant encryption vulnerabilities in the Revenge Ransomware's payload, victims without backups may have no other data recovery options.

Trusting Fake Windows Utilities for Quick Shortcuts to Ransoming Attacks

The Revenge Ransomware requires administrative access, which the victim must consent to, and the Trojan obtains that consent through a simple Windows social-engineering tactic. The Revenge Ransomware disguises the UAC request by mislabeling itself as a Windows component and precedes the prompt with a fake failed update to the Windows Defender's database. When the victim clicks 'yes' to allow the system changes to take place, the Revenge Ransomware accomplishes the rest of its payload, including deleting SVC backups, deactivating the startup recovery feature and suppressing reboot errors.
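As an added defender-side example that is not part of the original post, the following Python scanner runs over constructed process command-line log lines (Sysmon-style) and flags the three post-UAC effects described above. It assumes the 'SVC backups' are Volume Shadow Copies removed with vssadmin or wmic, and that startup recovery and boot-error suppression are changed through bcdedit; the sample lines are made up for the example.

```python
import re

# Constructed sample process command lines (e.g. from Sysmon Event ID 1);
# these are made up for this example, not captured from a real infection.
SAMPLE_CMDLINES = [
    r"C:\Windows\System32\notepad.exe C:\Users\victim\Desktop\note.txt",
    r"C:\Windows\System32\vssadmin.exe Delete Shadows /All /Quiet",
    r"bcdedit.exe /set {default} recoveryenabled No",
    r"bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures",
    r"powershell.exe -NoProfile -Command Get-Date",
]

# Assumption: these are the usual Windows commands behind the three effects the
# text describes (backup deletion, startup recovery off, boot errors suppressed).
RULES = {
    "shadow_copies_deleted": re.compile(
        r"(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)", re.I),
    "startup_recovery_disabled": re.compile(
        r"bcdedit(\.exe)?\b.*recoveryenabled\s+no\b", re.I),
    "boot_errors_suppressed": re.compile(
        r"bcdedit(\.exe)?\b.*bootstatuspolicy\s+ignoreallfailures\b", re.I),
}


def classify(cmdline):
    """Return the names of every rule that matches one command line."""
    return [name for name, rx in RULES.items() if rx.search(cmdline)]


def scan(cmdlines):
    """Return (cmdline, matched_rules) for every suspicious command line."""
    hits = []
    for line in cmdlines:
        tags = classify(line)
        if tags:
            hits.append((line, tags))
    return hits


def verdict(hits, min_techniques=2):
    """True when at least min_techniques distinct recovery-inhibition techniques
    appear together: a lone vssadmin call can be legitimate backup housekeeping,
    but combined with bcdedit changes it matches the post-UAC behaviour above."""
    distinct = {tag for _, tags in hits for tag in tags}
    return len(distinct) >= min_techniques


if __name__ == "__main__":
    found = scan(SAMPLE_CMDLINES)
    for line, tags in found:
        print(f"{', '.join(tags)}: {line}")
    print("ransomware-like:", verdict(found))
```

Correlating these hits with a preceding UAC prompt from an unsigned binary, or with a burst of file renames, lowers the false-positive rate further than the command lines alone.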

Free decryption tools for the Revenge Ransomware are not available yet. Since the Trojan generates its keys dynamically and protects them with RSA encryption, malware analysts consider a future cracking of its payload unlikely. Using backups not saved locally (and therefore not vulnerable to the Revenge Ransomware's attacks) is the best way for victims to recover their data without paying the ransom. Anti-malware products that can detect other variants of this family also may block and remove the Revenge Ransomware.

All threatening software depends on security mistakes, to some degree. However, when those mistakes are nothing greater than visiting an ordinary website and agreeing to a fake Microsoft prompt, threat actors can enjoy easier extortion-delivering attacks than ever before.

Update December 10th, 2018 — '.SYS File Extension' Ransomware

The '.SYS File Extension' Ransomware is a variant of the CryptoMix or CryptMix Ransomware family, and a part of the 'Revenge' sub-division of that Trojan group. It may lock your files with different procedures for offline or online environments, change their names into semi-random characters, and create notes asking that victims e-mail the threat actor for negotiating a ransom. Keeping backups in other locations will protect your files from non-consensual encryption, and using a proven anti-malware product is ideal for removing the '.SYS File Extension' Ransomware safely.

A Trojan's Never-Ending Cycle of Revenge

The family of file-locker Trojans commonly referred to as either CryptoMix or CryptMix Ransomware has maintained a visible level of activity over the past few months, with new victims reported publicly as of early December. Malware researchers estimate that a new version is continuing the 'Revenge' branch of the family, which carries the threat of multiple encryption methods, not all of which are readily decryptable. The '.SYS File Extension' Ransomware, the latest Trojan of the family in the wild, endangers hundreds of media formats.

While the '.SYS File Extension' Ransomware likely uses spam e-mails, including e-mail-embedded Web links, for its installation exploits, it doesn't require network connectivity to run. If the user doesn't disable the network connection, the '.SYS File Extension' Ransomware contacts a Command & Control server and downloads a configuration with a dynamic key for locking and encrypting files. Otherwise, in an offline environment, the '.SYS File Extension' Ransomware uses a preset, static configuration that victims can crack with a free decryptor application available to the public.

Additional symptoms that malware experts have re-confirmed in the '.SYS File Extension' Ransomware, and that are equally prominent in its other family members, include:

  • The '.SYS File Extension' Ransomware replaces the names of the documents, images, archives, and other, lockable media with semi-random characters and the '.SYS' extension. This feature overwrites all of the pre-existing filenames.
  • In addition to the encryption, the '.SYS File Extension' Ransomware inserts family-specific markers into each hostage file.
  • As a part of its installation exploits, the '.SYS File Extension' Ransomware may generate fake AV update pop-ups that convince the users into giving the Trojan admin privileges.
  • The users, also, may find Notepad messages carrying some basic ransoming instructions and e-mail addresses for negotiating with the threat actors. Victims should be careful about paying ransoms for decryptors since the former may be non-refundable and the latter may not be functional.

Breaking Out of the System of Media Hostage-Taking

Besides the reoccurrence of e-mail-based attacks, malware researchers also connect most versions of the '.SYS File Extension' Ransomware's family to drive-by-downloads from the RIG Exploit Kit, and similar threats. The users can keep their browsers less susceptible to these security issues by updating all of their relevant software. Disabling JavaScript, Java, and Flash by default also should be under serious consideration.

While the CryptMix Ransomware isn't as prolific as Hidden Tear or the Globe Ransomware, it is a notably frequently-exploited family for locking files and extorting money. Similar threats include, for example, the ironically-named '.BACKUP File Extension' Ransomware, the Exte Ransomware, the MOLE66 Ransomware, the SERVER Cryptomix Ransomware and the Zayka Ransomware. The same threat actors and exploits aren't necessarily involved in all of these campaigns, although professional anti-malware tools should remove the '.SYS File Extension' Ransomware and its relatives preemptively before they attack.

With victims in Linux environments, as well as the usual Windows users, the '.SYS File Extension' Ransomware is conducting a fairly indiscriminate campaign for ransoming files. Backing up work after saving it remains the best protection that malware experts can recommend against the '.SYS File Extension' Ransomware and its kin.
