
Strawhat Ransomware

Posted: September 1, 2017

Threat Metric

Threat Level: 10/10
Infected PCs: 74
First Seen: September 1, 2017
OS(es) Affected: Windows

The Strawhat Ransomware is a Trojan that claims to lock your files with a 'military-grade' encryption cipher, but the latest builds of this threat will modify only their names. Backing up your work to another system or drive that's not at risk of infection can prevent an updated version of the Strawhat Ransomware from causing any potential damage. You also can protect individual PCs by installing anti-malware products for removing the Strawhat Ransomware as soon as they detect it.

A Surprise Bill that might Cost You Your Files

German speakers are at risk from a new type of 'file-locking' campaign: one that carries the threat of encryption without the function. The Trojan's author is distributing the self-dubbed Strawhat Ransomware via fake PDFs presented as a bill for non-specific services. However, the Trojan's payload limits itself to changing the names of the supposedly encrypted files while also providing all the ransom-themed demands necessary to confuse the PC's user.

The Strawhat Ransomware requires a Visual Basic PowerPacks component to run and will crash, without completing its attacks, on systems lacking this file. If it does run successfully, the Strawhat Ransomware generates semi-random characters that it appends, as new extensions, onto the names of the files that it misrepresents as being encrypted. No real encryption or data-corrupting features are present in the Strawhat Ransomware, for now, although its threat actor may plan to add them later.

Malware experts also find the Strawhat Ransomware dropping a ransom note that, in most characteristics, resembles those of an actual, file-locking Trojan's campaign. The Strawhat Ransomware claims to use 'military grade' encryption, generates an ID for the victim's use, and asks for Bitcoins before sending you a decryption code. Readers should remember that a Bitcoin payment can be refunded only with the recipient's cooperation, which means that paying the Strawhat Ransomware's ransom is unlikely to result in anything other than losing money without recourse.

Knocking Over a Trojan Made of Straw

In its present state, the Strawhat Ransomware is predominantly a danger to PC users who believe its ransoming instructions without testing their files to ascertain whether they are actually damaged. Renaming your media to remove any unwanted extensions should resolve any issues with your content refusing to open. Examples of formats malware analysts see the Strawhat Ransomware target with its fake encryption include movies (MKV or MOV), Microsoft Office work output (XLSM or PPTM), and various databases (SQL, SQLITE3, or CSV).
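As an added example (not code from this page, the Trojan's author, or any vendor), the following Python helper does the two things the paragraph above recommends: it strips the appended junk extension, and before renaming it checks that the file body is still plaintext for its claimed format, so a file that a future, genuinely encrypting build has actually scrambled is left alone rather than mislabelled as recovered. It assumes the appended characters are dot-separated (e.g. `report.xlsm` becomes `report.xlsm.k3jd`), uses a constructed header-signature table, applies an assumed 7.5 bits/byte entropy threshold for formats without a fixed header, and exercises itself on a constructed sample directory rather than real victim data.

```python
import math
import tempfile
from pathlib import Path
from typing import Dict, List, Optional, Tuple

# Extensions the article lists as targets, plus a few common office/media ones (assumption).
KNOWN_EXTS = {".mkv", ".mov", ".xlsm", ".pptm", ".sql", ".sqlite3", ".csv",
              ".docx", ".pdf"}

# (offset, signature) pairs for formats whose header can be verified offline.
# Constructed table; QuickTime files normally carry "ftyp" at offset 4 (assumption).
MAGIC: Dict[str, Tuple[int, bytes]] = {
    ".xlsm": (0, b"PK\x03\x04"),
    ".pptm": (0, b"PK\x03\x04"),
    ".docx": (0, b"PK\x03\x04"),
    ".mkv": (0, b"\x1a\x45\xdf\xa3"),
    ".mov": (4, b"ftyp"),
    ".sqlite3": (0, b"SQLite format 3\x00"),
    ".pdf": (0, b"%PDF"),
}


def original_name(filename: str) -> Optional[str]:
    """Return the name without the appended junk extension, or None if the file looks untouched."""
    p = Path(filename)
    if p.suffix.lower() in KNOWN_EXTS:      # last extension is a real type: nothing was appended
        return None
    if Path(p.stem).suffix.lower() in KNOWN_EXTS:   # 'report.xlsm.k3jd' -> 'report.xlsm'
        return p.stem
    return None


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: uniform random data approaches 8.0, plain text sits far lower."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def content_intact(ext: str, head: bytes) -> bool:
    """True if the first bytes still look like the claimed format (signature, else entropy < 7.5)."""
    entry = MAGIC.get(ext.lower())
    if entry is not None:
        offset, sig = entry
        return head[offset:offset + len(sig)] == sig
    return shannon_entropy(head[:4096]) < 7.5      # assumed threshold for 'looks like ciphertext'


def restore_directory(root: Path) -> List[Tuple[str, str]]:
    """Rename intact files back to their original names; return the (old, new) pairs renamed."""
    renames = []
    for path in sorted(root.rglob("*")):   # materialised first so renames don't disturb iteration
        if not path.is_file():
            continue
        orig = original_name(path.name)
        if orig is None:
            continue
        with open(path, "rb") as f:
            head = f.read(4096)
        if not content_intact(Path(orig).suffix, head):
            continue                      # body may really be encrypted: leave it for a real decryptor
        target = path.with_name(orig)
        if target.exists():               # never clobber an existing file
            continue
        path.rename(target)
        renames.append((path.name, orig))
    return renames


def demo() -> Tuple[List[Tuple[str, str]], List[str]]:
    """Run the restore over a constructed sample directory (not real victim data)."""
    tmp = Path(tempfile.mkdtemp())
    samples = {
        "report.xlsm.k3jd": b"PK\x03\x04" + b"\x00" * 60,            # renamed, OOXML header intact
        "data.csv.q9x2": b"id,amount\n1,10\n2,20\n" * 50,             # renamed, plain text intact
        "clip.mov.zz71": b"\x00\x00\x00\x14ftypqt  " + b"\x00" * 40,  # renamed, QuickTime header intact
        "notes.sql.p0o1": bytes(range(256)) * 16,                     # renamed AND body looks like ciphertext
        "untouched.csv": b"a,b\n1,2\n",                               # never renamed
    }
    for name, data in samples.items():
        (tmp / name).write_bytes(data)
    renames = restore_directory(tmp)
    remaining = sorted(p.name for p in tmp.iterdir())
    return renames, remaining
```

Calling `demo()` restores the three intact files and leaves `notes.sql.p0o1` and `untouched.csv` as they are; the point of the content check is that a plain "strip the last extension" loop would happily rename a truly encrypted file and hide the fact that the data is gone. Run it against a copy of the affected directory, not the original, and keep the backup the article recommends regardless.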

Internally, the Strawhat Ransomware exhibits many traits of being a product from a less experienced threat actor than those responsible for projects like EDA2 or the Jigsaw Ransomware. The Strawhat Ransomware uses inefficient file-filtering methods, a potentially buggy ransom window that may stay invisible until the user clicks it, and, as noted previously, requires an additional VB component. However, users still should have anti-malware programs to detect and remove the Strawhat Ransomware, rather than trying to identify the Trojan by sight, since it uses misleading names intentionally.

Whether a Trojan is simple or complicated, it needs to get access to your PC before it can carry out any further operations. Don't give remote attackers like the Strawhat Ransomware's author a foothold in your files by trusting an 'invoice' that's not from a source you can verify.
