
SkyFile Ransomware

Posted: April 9, 2018

The SkyFile Ransomware is a Trojan that encrypts files in thousands of formats that are not essential to the operating system, such as Word documents, and creates ransom messages requesting payment for recovering them. Because malware researchers rate this threat's data-locking function as insecure, victims of its attacks should check with appropriate cyber-security organizations for the chances of free decryption. Users should also monitor their network security standards for any breaches and use a quality anti-malware program for removing the SkyFile Ransomware safely.

The Trojan Weather in a Russian Sky

An unaffiliated file-locking Trojan with a Russian developer appeared in the first week of April 2018. The SkyFile Ransomware isn't related to the Globe Ransomware, Hidden Tear, or the other families that malware researchers examine continuously, but it uses a 'light' encryption method whose security is closest to Hidden Tear's. While its file-locking methodology is imperfect, the SkyFile Ransomware has other features that supplement it.

The SkyFile Ransomware's file-locking routine targets an extensive range of file types (seven thousand), rather than the short list of document and image formats that most file-locker Trojans use. Debugging information in current builds of the SkyFile Ransomware points to the Trojan's Russian development team, but victims of live attacks should expect no symptoms until their files stop opening.

The SkyFile Ransomware also has a LAN-compromising feature that exploits the EternalBlue vulnerability (which is also of note in the campaigns of the Retefe banking Trojan and the WannaCryptor Ransomware). Threat actors may use this SMB-based attack to lock the media of additional PCs that the SkyFile Ransomware can reach over any local network.
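SMB-based lateral movement of the kind described above leaves a recognizable trace in network flow data: one internal host opening TCP/445 connections to many distinct peers within a short window. The following detection script is an added example and not code from the original write-up; it assumes a simplified, constructed flow-record format (`<ISO timestamp> <src_ip> <dst_ip> <dst_port>`), and the 60-second window and five-peer threshold are assumptions a defender would tune to their own network's normal SMB fan-out.

```python
"""Flag hosts fanning out over SMB (TCP/445) to many peers in a short window.

Added example, not from the original SkyFile Ransomware write-up. The flow
format is a constructed simplification; window and threshold are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample flow records (not real traffic). 10.0.0.5 sweeps six
# peers on 445 in eight seconds; 10.0.0.7 talks to one file server normally;
# 10.0.0.9 touches four hosts on 445 but spread over minutes (e.g. a
# scheduled admin task), which the sliding window should not flag.
SAMPLE_FLOWS = """\
2018-04-09T10:00:01 10.0.0.5 10.0.0.20 445
2018-04-09T10:00:02 10.0.0.5 10.0.0.21 445
2018-04-09T10:00:03 10.0.0.5 10.0.0.22 445
2018-04-09T10:00:04 10.0.0.5 10.0.0.23 445
2018-04-09T10:00:06 10.0.0.5 10.0.0.24 445
2018-04-09T10:00:09 10.0.0.5 10.0.0.25 445
2018-04-09T10:00:05 10.0.0.7 10.0.0.30 445
2018-04-09T10:00:07 10.0.0.7 10.0.0.30 445
2018-04-09T10:00:08 10.0.0.7 10.0.0.31 80
2018-04-09T10:01:00 10.0.0.9 10.0.0.40 445
2018-04-09T10:02:40 10.0.0.9 10.0.0.41 445
2018-04-09T10:04:20 10.0.0.9 10.0.0.42 445
2018-04-09T10:06:00 10.0.0.9 10.0.0.43 445
"""


def parse_flows(text):
    """Parse the constructed flow format into (timestamp, src, dst, port) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = line.split()
        records.append((datetime.fromisoformat(ts), src, dst, int(port)))
    return records


def smb_fanout(records, window=timedelta(seconds=60), threshold=5):
    """Return {src: max_distinct_peers} for sources that contacted at least
    `threshold` distinct hosts on TCP/445 inside any `window`-long interval."""
    by_src = defaultdict(list)
    for ts, src, dst, port in records:
        if port == 445:
            by_src[src].append((ts, dst))

    flagged = {}
    for src, events in by_src.items():
        events.sort()  # sort by timestamp so the window can slide forward
        start = 0
        for end in range(len(events)):
            # Advance the window start until it spans at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            peers = {dst for _, dst in events[start:end + 1]}
            if len(peers) >= threshold:
                flagged[src] = max(flagged.get(src, 0), len(peers))
    return flagged


if __name__ == "__main__":
    for src, peers in smb_fanout(parse_flows(SAMPLE_FLOWS)).items():
        print(f"ALERT: {src} reached {peers} distinct hosts on TCP/445 within 60s")
```

The sliding window matters for the edge case shown by 10.0.0.9: a host that legitimately touches several SMB servers over a longer period never has more than one peer inside any 60-second window, so only the rapid sweep by 10.0.0.5 is reported. Blocking TCP/445 between workstations at the switch or host firewall, and disabling SMBv1, removes the path this feature depends on regardless of detection.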

A Skyline with Fewer Ransoms in It

The SkyFile Ransomware uses a text note to give its victim two ID numbers associated with the ransom transaction, along with a separate executable for its premium decryptor. The decryption application pretends to be affiliated with the Citadel Trojan (a variant of the sophisticated spyware program Keylogger Zeus). However, malware experts stress that the SkyFile Ransomware is independent and includes no noteworthy data-collecting or exfiltration features.

Since the SkyFile Ransomware's campaign is still in a debugging stage, its infection vectors, once its operators deploy it, may vary significantly. Malware experts recommend watching for any or all of the following:

  • Con artists may introduce the SkyFile Ransomware to a network over e-mail, with embedded links or attachments.
  • The SkyFile Ransomware may infect new PCs after a Web browser loads a compromised website that launches drive-by-download attacks, either silently or with misleading consent prompts.
  • Some threat actors also prefer to compromise specific networks manually, using a brute-force tool against weak passwords.
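The brute-force vector in the last item above is usually visible in authentication logs well before any files are locked: a burst of failed logons from one source, and, in the worst case, a success at the end of the burst. The script below is an added example and not code from the original write-up; it assumes a constructed, simplified logon-record format (`<ISO timestamp> <src_ip> <user> <FAIL|OK>`), and the five-minute window and ten-failure threshold are assumptions to be tuned against a site's own lockout policy.

```python
"""Flag password brute-forcing in logon records and note whether it succeeded.

Added example, not from the original SkyFile Ransomware write-up. The record
format is a constructed simplification; window and threshold are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logon records (not real logs). 203.0.113.10 fails twelve
# times against 'admin' and then succeeds; 198.51.100.4 is a user mistyping a
# password three times before getting in, which should not be flagged.
SAMPLE_LOGONS = "\n".join(
    [f"2018-04-09T08:00:{i:02d} 203.0.113.10 admin FAIL" for i in range(12)]
    + ["2018-04-09T08:00:15 203.0.113.10 admin OK"]
    + [f"2018-04-09T08:10:{i:02d} 198.51.100.4 jsmith FAIL" for i in range(3)]
    + ["2018-04-09T08:10:30 198.51.100.4 jsmith OK"]
)


def parse_logons(text):
    """Parse the constructed logon format into (timestamp, src, user, outcome)."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, user, outcome = line.split()
        records.append((datetime.fromisoformat(ts), src, user, outcome))
    return records


def brute_force_candidates(records, window=timedelta(minutes=5), threshold=10):
    """Return {src: {"failures": n, "succeeded": bool}} for every source with at
    least `threshold` failed logons inside one `window`; `succeeded` is True
    when a successful logon arrived while such a failure burst was still in
    the window, i.e. the password was most likely guessed."""
    by_src = defaultdict(list)
    for ts, src, _user, outcome in records:
        by_src[src].append((ts, outcome))

    result = {}
    for src, events in by_src.items():
        events.sort()  # chronological order for the sliding window
        start = 0
        for end, (ts, outcome) in enumerate(events):
            while ts - events[start][0] > window:
                start += 1
            fails = sum(1 for _, o in events[start:end + 1] if o == "FAIL")
            if fails >= threshold:
                entry = result.setdefault(src, {"failures": 0, "succeeded": False})
                entry["failures"] = max(entry["failures"], fails)
                if outcome == "OK":
                    entry["succeeded"] = True
    return result


if __name__ == "__main__":
    for src, info in brute_force_candidates(parse_logons(SAMPLE_LOGONS)).items():
        status = "SUCCEEDED" if info["succeeded"] else "ongoing"
        print(f"ALERT: {src}: {info['failures']} failures in 5 min ({status})")
```

A source marked `succeeded` warrants an immediate response (disable the account, check for follow-on activity from that host) rather than a routine ticket, since a ransomware operator with valid credentials no longer needs an exploit to reach the rest of the network. Account lockout and multi-factor authentication on every externally reachable logon service remove most of the value of this vector in the first place.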

Although the SkyFile Ransomware is Russian-developed, its ransom components all imply that it targets English speakers predominantly. Users concerned about protecting their files may back them up to a device that this threat can't infect, or gamble on free decryption for the SkyFile Ransomware becoming available soon. Dedicated anti-malware programs also may remove the SkyFile Ransomware as a threat.

The server-oriented nature of the SkyFile Ransomware means that it could access, and lock, large quantities of files without needing to compromise more than a small number of PCs. Those who neglect their network security often come to regret it later when threats like this one appear.
