
$$$ Ransomware

Posted: January 29, 2020

The $$$ Ransomware is a file-locker Trojan that can stop your documents and similar media from opening. Its campaign has so far targeted business networks rather than individuals, although any single PC is just as much at risk from its encryption. All users should keep backups for recovering safely from attacks and use proven anti-malware solutions for detecting or uninstalling the $$$ Ransomware.

Trojans with Aims Set on Company Money

Ransomware-as-a-Service families like the Scarab Ransomware's, along with free counterparts like Hidden Tear and EDA2, make up most of the threat landscape for Trojans with encryption features. Their domination isn't exclusive, however, and independents with very similar aims and practices arise from time to time. The $$$ Ransomware is a case of the latter, with at least two victims in the wild, both of them business entities in unidentified sectors.

The $$$ Ransomware is compromising businesses' servers, and, regrettably, the current victims erased potential samples of the Trojan's executable before it could be quarantined for proper analysis. Nevertheless, malware experts can verify the significant symptoms of its payload. As is traditional, they include extortion and data-blocking behavior, such as:

  • Blocking media files with AES encryption (without implanting file markers, unlike most RaaS families).
  • Changing filenames by inserting '$$$' extensions at their ends.
  • Creating TXT ransom notes.
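As an added example (not code from the article, the threat actor, or any vendor), the following Python triage scan walks a file share and flags the two indicators listed above: files carrying the appended '$$$' extension and small TXT files whose text reads like a ransom note. Because the Trojan implants no file marker, there is no header to match on, so the scan infers encryption from byte entropy instead. The entropy threshold, the note-keyword list and the sample directory the script builds for itself are all assumptions or constructed data, not details taken from a real infection.

```python
"""Triage scan for the $$$ Ransomware's file-system indicators.

Added example for this article; not code from the Trojan or from any vendor.
The article gives two indicators: the appended '$$$' extension and a TXT ransom
note. Because no file marker is implanted, encrypted content is inferred from
byte entropy. Thresholds, keywords and the sample tree are assumptions.
"""
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

ENCRYPTED_SUFFIX = ".$$$"
SAMPLE_BYTES = 65536          # bytes of each file examined for entropy
ENTROPY_THRESHOLD = 7.2       # assumption: bits/byte; AES output ~8.0, text ~4-5
NOTE_MAX_BYTES = 16384        # assumption: ransom notes are small text files
NOTE_KEYWORDS = ("decrypt", "bitcoin", "contact", "price", "deadline")  # assumption


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 0.0 for empty input."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(path: Path) -> bool:
    """True when the head of the file is near-random, as AES ciphertext is."""
    with path.open("rb") as fh:
        head = fh.read(SAMPLE_BYTES)
    return len(head) >= 64 and shannon_entropy(head) >= ENTROPY_THRESHOLD


def looks_like_ransom_note(path: Path) -> bool:
    """Small .txt file whose text hits at least two extortion keywords."""
    if path.suffix.lower() != ".txt" or path.stat().st_size > NOTE_MAX_BYTES:
        return False
    text = path.read_text(errors="replace").lower()
    return sum(word in text for word in NOTE_KEYWORDS) >= 2


def scan_tree(root) -> dict:
    """Classify files under root: encrypted, renamed-but-plaintext, ransom notes."""
    result = {"encrypted": [], "renamed_only": [], "notes": []}
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        if path.name.endswith(ENCRYPTED_SUFFIX):
            # A '$$$' name over low-entropy content was renamed but not
            # encrypted; it still shows the Trojan ran in this directory.
            bucket = "encrypted" if looks_encrypted(path) else "renamed_only"
            result[bucket].append(str(path))
        elif looks_like_ransom_note(path):
            result["notes"].append(str(path))
    return result


def build_demo_tree(root) -> Path:
    """Write a constructed sample share (not real victim data) under root."""
    share = Path(root) / "shares" / "finance"
    share.mkdir(parents=True, exist_ok=True)
    (share / "q4-report.xlsx.$$$").write_bytes(os.urandom(4096))  # ciphertext stand-in
    (share / "todo.txt.$$$").write_bytes(b"quarterly numbers pending\n" * 200)  # renamed only
    (share / "README.txt").write_text(  # constructed note text, not the real one
        "All your files are encrypted.\n"
        "Contact us at the address below to decrypt them. The price rises after the deadline.\n")
    (share / "meeting.txt").write_text("Team meeting moved to Thursday.\n")
    return share


def run_demo() -> dict:
    """Build the constructed tree in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_demo_tree(tmp)
        return scan_tree(tmp)


if __name__ == "__main__":
    for bucket, files in run_demo().items():
        print(f"{bucket}: {[Path(f).name for f in files]}")
```

Run it directly to see the constructed share classified; on a real file server, point scan_tree at the share root. The renamed_only bucket is worth acting on: a '$$$' file whose content still reads as plaintext was renamed but never encrypted, and stripping the extension recovers it without any dealings with the attacker.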

The last of these features creates a uniquely-worded, English-language message that gives the victim an unusually short ID number and addresses for contacting the threat actor. It also sets a vague deadline, with warnings of rising prices for those who don't contact the criminal promptly. The ransom amount isn't yet known, but victims should be cautious about this premium 'solution,' which hands criminals a profit without any guarantee of data recovery for the establishment on the other side of the transaction.

Keeping Your Money Away from Money-Minded Trojans

The $$$ Ransomware is a Windows Trojan, but that characteristic does almost nothing to narrow down its possible targets. Concerning its likely means of propagation, though, malware experts anticipate some exploits far more than others. Criminals running file-locking Trojan campaigns against business, government or non-governmental organizations' servers typically take advantage of well-known psychological and technical shortcomings.

Employees may endanger their servers unintentionally by opening e-mail attachments disguised as invoices or resumes. Disabling macros and installing security patches close off most of the avenues that turn such an incident into a drive-by download or a macro-launched infection. Weak passwords and remote administration features left open to the Internet also account for many infections, although exploiting those weaknesses calls for slightly more direct intervention on the attacker's part. Admins should maintain unique passwords for all accounts and double-check their values for flaws like publicly-known vendor defaults.

Most file-locking Trojans have few defenses against security software, although some campaigns aggressively terminate processes associated with those programs. Users running active anti-malware services should be able to delete the $$$ Ransomware on sight without any further risk to the PC's media.

Just like the SaveTheQueen Ransomware, the Sun Ransomware, or Russia's Wulfric Ransomware, the $$$ Ransomware runs independent extortion attacks against its victims, with no ready-made decryption solution available to them. In light of this ever-present danger, companies should be scheduling their backups with more regularity than ever.
