
Sglh Ransomware

Posted: November 19, 2020

The Sglh Ransomware is a file-locking Trojan that attacks digital media, such as documents, and prevents them from opening. As part of the STOP Ransomware's family, it also includes symptoms such as changing extensions and hijacking the user's Web-browsing settings. Most PC security products should flag this threat and remove the Sglh Ransomware on sight, and backups can assist with data recovery.

More Predictable Payloads from Randomly-Named Trojans

The STOP Ransomware family, whose campaigns tend to differentiate themselves only by a set of four randomly-generated characters, holds a steady course in its level of activity against likely victims such as poorly-protected business networks. New versions like the Sglh Ransomware are equally threatening to users' files at home and can destroy documents and other media in vast quantities. While its name is random, there's almost nothing unpredictable about the Sglh Ransomware's features or attacks.

As usual, samples of the Sglh Ransomware's installers carry random names, which suggests indirect or attacker-assisted downloads. The Trojan might circulate through a Trojan dropper delivered as an e-mail attachment in a phishing lure, or through other methods, such as brute-forcing networks' login credentials. The Trojan targets Windows systems and includes various features for rendering users helpless before its data-ransoming business model.

Noteworthy features that the Sglh Ransomware shares with other STOP Ransomware members, such as the Agho Ransomware, the NPPH Ransomware, the NPPP Ransomware, or the old Djvu Ransomware, include:

  • Data encryption blocks files in various media formats, such as documents, images, or music. The Sglh Ransomware's family variant of this attack uses AES with an RSA key, the latter of which it may download from a server or default to an internal value.
  • An extension-appending 'signature' on each file's name lets victims identify the files on sight as non-opening. As usual, the Sglh Ransomware's extension is a randomly-selected set of characters.
  • The Sglh Ransomware also silently deletes the user's local backups or the Restore Points through a command-line option.
  • With the files made hostage as per the above, the Sglh Ransomware drops text messages and advanced Web page files with its ransom instructions for recovery. The HTA template is a recognizable element in STOP Ransomware variants and is helpful for identification.
  • The Trojan also may block arbitrary websites by adding entries for them to the Hosts file. Typically, the threat only uses this function to keep users from loading security or recovery-related domains.
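As an added example (not part of the original article), the following Python triage script checks a constructed Hosts file and a constructed directory listing for three of the symptoms listed above: security-related domains sinkholed in the Hosts file, a four-letter extension appended after the original one on many files, and an HTA file dropped beside them. Every domain, filename and the `.sglh` sample extension in the inputs is constructed for illustration.

```python
import re
from collections import Counter

# Addresses used to 'null-route' a hostname through the Hosts file.
SINKHOLE_ADDRESSES = {"0.0.0.0", "127.0.0.1", "::1"}
# Names that legitimately point at loopback and must not be flagged.
LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "ip6-localhost", "ip6-loopback"}

# Constructed sample inputs; no real vendor domains or infection artefacts.
SAMPLE_HOSTS = """# constructed Hosts file
127.0.0.1       localhost
0.0.0.0         update.example-antivirus.test
0.0.0.0         recovery.example-security.test   # trailing comment
192.0.2.10      intranet.corp.example
"""
SAMPLE_FILES = ["report.docx.sglh", "photo.jpg.sglh", "song.mp3.sglh",
                "budget.xlsx", "notes.txt", "RECOVERY_NOTE_EXAMPLE.hta"]


def hosts_sinkholes(hosts_text):
    """Hostnames the Hosts file redirects to a sinkhole address, in file order.
    Ad-blocking hosts lists produce the same pattern, so treat hits as leads."""
    hits = []
    for raw in hosts_text.splitlines():
        fields = raw.split("#", 1)[0].split()          # drop comments, tokenize
        if len(fields) < 2 or fields[0] not in SINKHOLE_ADDRESSES:
            continue
        hits.extend(h for h in fields[1:] if h.lower() not in LOOPBACK_NAMES)
    return hits


def appended_extension_candidates(filenames, min_count=3):
    """Four lowercase letters appended after an existing extension on at
    least min_count files: the family's file-renaming signature."""
    pattern = re.compile(r"^.+\.[A-Za-z0-9]{1,5}\.([a-z]{4})$")
    counts = Counter(m.group(1) for m in map(pattern.match, filenames) if m)
    return {ext: n for ext, n in counts.items() if n >= min_count}


def triage(hosts_text, filenames):
    """Combine the three indicators into one report for an analyst."""
    return {
        "sinkholed_hosts": hosts_sinkholes(hosts_text),
        "appended_extensions": appended_extension_candidates(filenames),
        "hta_files": [f for f in filenames if f.lower().endswith(".hta")],
    }


if __name__ == "__main__":
    print(triage(SAMPLE_HOSTS, SAMPLE_FILES))
```

On a live system the same functions can be fed the real Hosts file and a directory listing; a hit on all three indicators together is a much stronger signal than any one alone.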

Pulling Files Back Out of a Stranger's Profit Margins

The fundamentally for-profit STOP Ransomware variants have histories of using differing infection methods, although the victim is usually semi-complicit in the infection. Users who protect their Windows PCs with strong passwords and security patches, and avoid high-risk behavior like enabling macros in e-mail attachments, are at little risk from the Sglh Ransomware. Current versions of the STOP Ransomware family have no free decryption utilities, which is highly common among Trojans of this kind. Users never should assume that reversing a file 'lock' is possible.

Criminals don't always abide by agreements where ransoms and decryption services are concerned. Users with backups on other devices should be able to restore any lost content safely, without any additional risk from the Sglh Ransomware. However, attackers may take further actions, such as collecting credentials through spyware.

Fortunately, most PC security products will auto-detect and remove the Sglh Ransomware, like other STOP Ransomware versions, with no significant trouble.

Although it persistently acts contrary to its name, the STOP Ransomware's releases like the Sglh Ransomware will be ever-present hazards to users who monitor their backup strategies or Web security insufficiently. Since they'll only stop when the ransoms stop coming in, every victim holds some responsibility for this Ransomware-as-a-Service's profits.
