
Seon Ransomware

Posted: November 16, 2018

The Seon Ransomware is a file-locking Trojan whose campaign currently targets South Korea. Its attacks can keep your documents, pictures, spreadsheets, and other media from opening by encrypting their data with an AES algorithm. You should always back up your work to other devices for its long-term safety, and keep reliable anti-malware products available for containing and deleting the Seon Ransomware as you encounter it.

A Family Name Gets Misappropriated for Crime

A file-locking Trojan of unknown family is starting a series of data-blocking and ransoming attacks, similar to the campaigns of the Scarab Ransomware, the Crysis Ransomware, or Hidden Tear's offspring. Early indications place the threat as operating inside South Korea, although malware experts aren't finalizing this estimate, due to a lack of victims and samples. Like most of the Trojans it competes with, the Seon Ransomware takes data hostage to extract Bitcoins from its victims.

The Seon Ransomware uses AES encryption to block Excel spreadsheets, Word documents, JPG or BMP pictures, and other media formats in different folders on your computer. The only definite victims of these attacks, for now, are South Korean, and the infection vectors the campaign uses remain uncertain. In previous attacks by other file-locker Trojans, malware researchers connect the infections to opening corrupted e-mail attachments, leaving RDP or firewall settings unsecured, or using logins weak enough to be brute-forced.

The Seon Ransomware drops an English-language, most likely machine-translated, message on the PC, along with locking your media and giving the files '.FIXT' extensions. The instructions, while typical in their promotion of the criminal's Bitcoin-purchased decryptor, do identify the Trojan by name. Because Seon is a notable family surname in South Korea, the threat is probably distributed through strategies aimed only at victims in that area. However, most file-locker Trojans have no self-terminating function for the case where they incidentally lock the files of PCs in other, unexpected countries.

Safeguarding Korean Media from More Ransoms

Although the Seon Ransomware isn't the only file-locker Trojan whose campaign is live in South Korea (others include the PTP Ransomware, the RansomUserLocker Ransomware, and the AdamLocker Ransomware), most of its payload requires additional analysis. Malware experts have yet to rule out the Seon Ransomware's being from a RaaS family, but most Trojans of its classification in this region are updates of the free Hidden Tear software. Regardless of its ancestry, backups are your files' best defense against the Seon Ransomware, until or unless a free decryptor's creation is possible.

Some security solutions are detecting the Seon Ransomware as being a new version of the GoldenEye Ransomware. While malware experts can't verify this possibility, the Trojans of this family have past ties to spam e-mails as a favorite infection vector. Other risks for infection include remote attackers taking over PCs through Remote Desktop features or brute-forcing a vulnerable login's credentials. Any anti-malware products can, at best, delete the Seon Ransomware safely, but not unlock any files.

Saving your files to a non-local drive isn't time-consuming or expensive, but neglecting it can cost hundreds of dollars in cryptocurrency. No area of the world is clear of file-locker Trojans, as long as the motivating circumstances are there, as the Seon Ransomware shows.

Update January 3rd, 2019 — Seon Ransomware ver 0.1

The Seon Ransomware ver 0.1 is a file-encryption Trojan, whose aim is to encrypt files and make it impossible for the victims to access their contents. All the files encrypted by the Seon Ransomware ver 0.1 will have their names changed to include the ‘.FIXT’ extension. Removing the newly added extension will not make the files accessible again, and the only way to do this is to use an appropriate decryption tool paired with the unique decryption key generated for each separate victim. It appears that the authors of the Seon Ransomware ver 0.1 might be experimenting with different ransomware versions since malware researchers have identified another file-locker, which appears to be called ‘Seon Ransomware ver 0.2.’ The second version does not feature any major improvements regarding functionality, but it also uses a ‘.hta’ ransom note that includes additional email addresses for contact.

There is no accurate information regarding the methods used to propagate the Seon Ransomware ver 0.1, so the best way to keep your computer protected is to use a trustworthy and up-to-date anti-virus application. In addition to this security measure, users also are advised to create backup copies of their important files and digital projects so that they can use them in case the original files get encrypted or wiped by a cyberthreat.

When the Seon Ransomware ver 0.1 executes its attack, it will leave behind the file ‘YOUR_FILES_ARE_ENCRYPTED.txt,’ which includes a detailed ransom note that displays several e-mails for contact - kleomicro@gmail.com, kleomicro@dicksinhisan.us, nlandolforizzo2@gmail.com, landolforizzo@tiwno.gf and landolfrizzo@mailfence.com. The attackers do not specify the amount of money they want in exchange for the decryption of the victim’s files, but you can rest assured that the cost will not be small – ransomware authors often demand hundreds of dollars for their services.
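As an added illustration (not code from the original post), the following triage script inventories the host-side indicators described above: files renamed with the '.FIXT' extension, the dropped 'YOUR_FILES_ARE_ENCRYPTED.txt' note, and which of the quoted contact addresses appear inside that note. It assumes the extension is appended to the original file name and runs over a constructed sample directory.

```python
# Added example (not from the original post): a defender-side triage scan over
# the indicators the write-up attributes to Seon Ransomware ver 0.1.
import os
import tempfile

RANSOM_NOTE = "YOUR_FILES_ARE_ENCRYPTED.txt"
LOCKED_EXT = ".fixt"  # compared case-insensitively; assumed appended to the name
# Contact addresses quoted from the ransom note in the write-up.
NOTE_CONTACTS = (
    "kleomicro@gmail.com",
    "kleomicro@dicksinhisan.us",
    "nlandolforizzo2@gmail.com",
    "landolforizzo@tiwno.gf",
    "landolfrizzo@mailfence.com",
)

def scan_tree(root):
    """Walk root; return sorted (locked_files, ransom_notes, contacts_seen)."""
    locked, notes, contacts = [], [], set()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.lower().endswith(LOCKED_EXT):
                locked.append(path)
            elif name == RANSOM_NOTE:
                notes.append(path)
                try:
                    with open(path, "r", encoding="utf-8", errors="replace") as fh:
                        text = fh.read().lower()
                except OSError:
                    continue  # unreadable note: still counted, contacts unknown
                contacts.update(c for c in NOTE_CONTACTS if c in text)
    return sorted(locked), sorted(notes), sorted(contacts)

def build_sample_tree():
    """Constructed sample directory standing in for an affected user profile."""
    root = tempfile.mkdtemp(prefix="seon_demo_")
    docs = os.path.join(root, "Documents")
    os.makedirs(docs)
    for name in ("budget.xlsx.FIXT", "thesis.docx.FIXT", "readme.txt"):
        open(os.path.join(docs, name), "wb").close()
    with open(os.path.join(docs, RANSOM_NOTE), "w", encoding="utf-8") as fh:
        fh.write("Your files are encrypted. Contact kleomicro@gmail.com\n")
    return root

if __name__ == "__main__":
    locked, notes, contacts = scan_tree(build_sample_tree())
    print(f"{len(locked)} locked files, {len(notes)} notes, contacts: {contacts}")
```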

If your computer has fallen victim to the attack of the Seon Ransomware ver 0.1, then we suggest that you disregard the instructions of the attackers, because it is unlikely that anything good will come out from working with cybercriminals. Instead, the victims of the Seon Ransomware ver 0.1 should use a trustworthy anti-virus program to dispose of the threat and then look into alternative data recovery techniques immediately.
