Sifreli Ransomware

Posted: August 2, 2017

Threat Metric

Threat Level: 8/10
Infected PCs: 2,059
First Seen: August 2, 2017
Last Seen: May 29, 2023
OS(es) Affected: Windows

The Sifreli Ransomware is a Turkey-based Trojan that attacks the files of your PC with an encryption routine meant to block them from opening. Having a backup, especially a remotely stored one, can reduce any possible harm from a Sifreli Ransomware infection, and malware experts recommend against using any con artist-endorsed recovery services. Standard anti-malware products may prevent these attacks by blocking and deleting the Sifreli Ransomware initially, or by removing it afterward to stop any future data loss.

Seemingly Dead Trojans Rising from Their Graves

Like a fruit fly, a Trojan's campaign often has a brief lifespan before its author replaces it with a 'descendant.' While variants using shared code may continue forwards, it's not common for extremely old Trojans to remain active and intact in the same format, years later. Nevertheless, this does appear to be true of the Sifreli Ransomware, a Turkish Trojan that malware experts date back to 2014.

The Sifreli Ransomware communicates with its victims solely in Turkish, and its symptoms show file-ransoming behavior similar to that of Hidden Tear or the Globe Ransomware. The Trojan's installation includes transferring statistics on the attack to a Command & Control server (which is now closed) and creating an ID for the victim to use later. It also searches accessible locations, such as your Downloads folder, for documents and other media to block with encryption.

After running any appropriate data through its encryption cipher and adding '.sifreli' (which translates to 'encrypted') to their names, the Sifreli Ransomware creates a pop-up ransom message. The Turkish text gives the victims the ID, an e-mail address for entering into ransom negotiations for their files, and, most interestingly, claims to have committed spyware-related attacks that have collected 'all the information about your company.' Malware analysts can find no features in the Sifreli Ransomware's payload to imply that this last statement is anything other than a bluff.
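An added example (not part of the original article or of any vendor tool): a Python script that inventories files carrying the '.sifreli' extension described above, so the affected originals can be matched against a backup. The function names and the sample file tree are constructed for illustration, and reading the earliest modification time as a hint of when encryption began is an assumption.

```python
import os
import tempfile
from collections import Counter
from pathlib import Path

MARKER = ".sifreli"  # extension the article says is appended to encrypted files


def inventory(root):
    """Walk root and describe every file whose name ends with the marker."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            # Case-insensitive match; skip a file named exactly ".sifreli".
            if not name.lower().endswith(MARKER) or len(name) == len(MARKER):
                continue
            path = Path(dirpath) / name
            original = name[: -len(MARKER)]  # name before the marker was appended
            hits.append({
                "path": str(path),
                "original_name": original,
                "original_ext": Path(original).suffix.lower() or "(none)",
                "mtime": path.stat().st_mtime,
            })
    return hits


def summarize(hits):
    """Counts by original extension plus the earliest modification time seen."""
    by_ext = Counter(h["original_ext"] for h in hits)
    first = min((h["mtime"] for h in hits), default=None)
    return {"total": len(hits), "by_ext": dict(by_ext), "first_mtime": first}


def build_sample_tree(root):
    """Constructed sample data: empty files standing in for a user's folders."""
    names = ["Downloads/report.docx.sifreli", "Downloads/photo.JPG.SIFRELI",
             "Downloads/notes.txt", "Documents/q3/budget.xlsx.sifreli",
             "Documents/sifreli.txt"]  # last one only contains the word
    for rel in names:
        p = Path(root) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.touch()


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        found = inventory(tmp)
        for h in sorted(found, key=lambda h: h["path"]):
            print(h["original_name"], "<-", h["path"])
        print(summarize(found))
```

The script only reads directory metadata, so it can be pointed at a mounted copy of an affected disk without changing any files.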

Putting the Past Back in Its Rightful Place

The Sifreli Ransomware's surprising age doesn't directly protect users from the majority of its functions. Although its networking features are non-functional, due to issues with the remote Web infrastructure, the Trojan still displays its pop-ups and enciphers the user's media. Recently renewed distribution of the Sifreli Ransomware could also be an indication that its author or another threat actor plans to update it, although it may just as well be a matter of happenstance.

Until more details are verifiable, malware experts encourage monitoring infection vectors that are common to Trojans of the same type: email attachments, disguised torrents, fake software updates, and websites using corrupted scripts. The Sifreli Ransomware can damage data on different PCs, regardless of their language settings, and, based on its age, the instructions given in its ransoming message are unlikely to still be accurate. Use professional anti-malware programs for deleting the Sifreli Ransomware in any circumstances, and backups for keeping your media out of an extortion-vulnerable position.

Even though the Trojan industry moves at a fast pace, sometimes, even the oldest programs can turn into new security problems. When that happens, Web surfers may find themselves experiencing hostage situations from the most unexpected of sources, like a patch that turns into a three-year-old Turkish Trojan: the Sifreli Ransomware.