
‘.surprise File Extension’ Ransomware

Posted: March 14, 2016

Threat Metric

Threat Level: 8/10
Infected PCs: 91
First Seen: March 14, 2016
OS(es) Affected: Windows

The '.surprise File Extension' Ransomware is a file-encrypting Trojan that holds your data hostage in the hope of forcing you to pay a ransom. No legal authority backs these demands, and nothing guarantees that the con artists will deliver a working decryptor after payment, so malware researchers don't encourage paying them. Most anti-malware products should be capable of identifying typical file encryptors, and other data recovery strategies can be put into play after you delete the '.surprise File Extension' Ransomware.

A Not So Pleasant Surprise for Your File System

Although the new year has brought some surprises for malware researchers, other elements of threat campaigns remain very traditional, built on derivatives of tried-and-true Trojan designs. March has seen the emergence of another Trojan based on old file-encrypting attacks: the '.surprise File Extension' Ransomware. For the victim, the most noticeable changes are the new extension it appends to encrypted files and a new ransom message, but the '.surprise File Extension' Ransomware's main attacks are still as capable as those of past file encryptors.

The '.surprise File Extension' Ransomware's body, the 'surprise.exe' executable, is stored in an obfuscated form to hinder identification: its loader holds the Trojan as a base64 string, decodes it, and then launches the decoded Trojan. Note that base64 is an encoding, not encryption; it hides the payload from simple signature scans but offers no cryptographic protection. Once running, the payload applies genuine encryption to the file data on the compromised PC, making the files unreadable while appending the '.surprise' extension to their names. Unsurprisingly, this change of extension has nothing to do with any real file format conversion: the extension is simply added to the existing file name, and only the contents have been replaced with ciphertext.

The '.surprise File Extension' Ransomware finishes its attack by dropping two Notepad (plain text) files on your hard drive. These contain instructions for purchasing a decryption service from the fraudsters administering the '.surprise File Extension' Ransomware, paid in Bitcoin (a preferred currency for illicit activities in general, and ransomware campaigns in particular). Unlike the operators of past file encryptors, malware researchers note, the '.surprise File Extension' Ransomware's con artists are open to haggling and may ask for a ransom ranging from 200 to 10,000 USD in value.
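The two paragraphs above describe the only artifacts a victim can observe directly: files whose names gained a '.surprise' suffix and two text files dropped beside them. The script below is an added triage example written for this page, not code from the malware or from any vendor tool. It walks a directory tree, strips the appended suffix to recover each original file name and extension, and uses byte entropy to separate genuinely encrypted files from files that were merely renamed (this distinction matters when a victim, or a sloppy copycat, has renamed files without encrypting them). The entropy cut-off of 7.0 bits per byte, the sample file names, the placeholder ransom note name and the "small .txt next to encrypted files" heuristic are all assumptions; the write-up does not give the real note names.

```python
"""Post-incident triage for a '.surprise'-style file encryptor (added example)."""
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

SUFFIX = ".surprise"      # extension the Trojan appends, per the write-up
ENTROPY_THRESHOLD = 7.0   # bits/byte; assumed cut-off, ciphertext sits near 8.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: ~8.0 for ciphertext, ~4-5 for English text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def triage_surprise_files(root, threshold=ENTROPY_THRESHOLD):
    """Inventory every *.surprise file under root.

    For each file, strip the appended suffix to recover the original name,
    record the original extension, and use entropy to tell a genuinely
    encrypted file from one that was only renamed.
    """
    inventory = []
    for path in sorted(Path(root).rglob("*" + SUFFIX)):
        if not path.is_file():
            continue
        original = path.name[: -len(SUFFIX)]
        entropy = shannon_entropy(path.read_bytes())
        inventory.append({
            "path": str(path),
            "original_name": original,
            "original_ext": Path(original).suffix.lower(),
            "size": path.stat().st_size,
            "entropy": round(entropy, 2),
            "likely_encrypted": entropy >= threshold,
        })
    return inventory


def candidate_ransom_notes(inventory, max_size=65536):
    """Heuristic (assumed): small .txt files next to encrypted files are note candidates."""
    dirs = {Path(r["path"]).parent for r in inventory if r["likely_encrypted"]}
    notes = []
    for d in sorted(dirs):
        for p in sorted(d.glob("*.txt")):
            if p.is_file() and p.stat().st_size < max_size:
                notes.append(str(p))
    return notes


def build_sample_tree(root):
    """Constructed sample data; this is NOT material from a real infection."""
    docs = Path(root) / "Documents"
    docs.mkdir(parents=True, exist_ok=True)
    # random bytes stand in for ciphertext
    (docs / "report.docx.surprise").write_bytes(os.urandom(4096))
    # renamed but not encrypted: low entropy, so the triage flags it as such
    (docs / "notes.txt.surprise").write_bytes(b"Quarterly notes, still plain text.\n" * 100)
    (docs / "untouched.txt").write_text("not touched by the Trojan\n")
    # placeholder for one of the two dropped notes; the real names are not in the write-up
    (docs / "DECRYPT_INSTRUCTIONS.txt").write_text("constructed ransom note placeholder\n")


def run_demo():
    """Build the constructed tree in a temp dir, triage it, return (inventory, notes)."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        inventory = triage_surprise_files(tmp)
        notes = candidate_ransom_notes(inventory)
    # report paths relative to the temp root so results are stable
    for r in inventory:
        r["path"] = os.path.relpath(r["path"], tmp)
    return inventory, [os.path.relpath(n, tmp) for n in notes]


if __name__ == "__main__":
    inv, notes = run_demo()
    for r in inv:
        print(r)
    print("candidate ransom notes:", notes)
```

Run it against a real volume by calling `triage_surprise_files("D:\\")` (or the mounted image of the disk) instead of `run_demo()`. The inventory of original extensions tells you which file types the Trojan targets, the entropy column tells you which files are actually lost, and the note candidates still need a human to confirm them, since any small text file in an affected folder will match the heuristic.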

Packing a Surprise Trojan Back in Its Box

Some versions of the '.surprise File Extension' Ransomware may be distributed inside file archives, such as .ZIP bundles, to protect themselves from detection by various security tools. Nevertheless, malware researchers have found that many major brands of anti-malware software can identify the '.surprise File Extension' Ransomware, albeit often under generic heuristic names such as Gen:Variant.MSILPerseus.14499 or Gen:Variant.Barys.51812. Installers may be distributed through e-mail attachments, corrupted websites or pirated downloads.

If your PC is compromised by the '.surprise File Extension' Ransomware before the threat is detected, act on the assumption that third parties may have backdoor access to your system. Remove the '.surprise File Extension' Ransomware with the anti-malware software of your choosing, and then change any passwords that could be used to access your accounts, doing so from a machine you know to be clean so that the new credentials are not captured in turn.

Recovering lost information or files can be attempted after uninstalling the '.surprise File Extension' Ransomware. Paying ransom fees to con artists offers only a slim chance of getting any data restored; malware researchers find that you have better odds against file encryptors by using free decryptor tools published by security researchers, and above all by keeping sensible backups.
