
SWP Ransomware

Posted: November 23, 2020

The SWP Ransomware is a file-locking Trojan that's part of Dharma Ransomware's Ransomware-as-a-Service business. The SWP Ransomware disrupts the user's access to documents and other media by encrypting the files and has backup deletion and ransoming features. Users should always have backups somewhere safe for retrieval and keep anti-malware services to remove the SWP Ransomware efficiently.

Pinpointing Part of a Line of Infinite Trojans by Acronym

Dharma Ransomware's Ransomware-as-a-Service has much competition from free options out on the Web, including Hidden Tear, the Xorist Ransomware, and the Void Ransomware. Even so, many threat actors prefer the security and more professional programming of a RaaS, and new releases of the Dharma Ransomware appear regularly. Malware experts point to the SWP Ransomware as another example of the endless possibilities of file-locker Trojans' campaigns and naming patterns.

The SWP Ransomware's most self-evident danger is its encryption, a feature that uses AES and RSA for locking files. It sabotages most digital media formats, including documents, databases, and images, and terminates some administrative programs and security features along the way. Most importantly, it also deletes the Windows Restore Points.

The SWP Ransomware's name comes from the more distinctive extension that it appends to files' names, consisting of an ID, a bracket-enclosed e-mail address, and the '.SWP' string. The 'SWP' portion could refer to numerous entities, from a German think tank to a socialist political party, among others. However, Dharma Ransomware's family doesn't necessarily select names with deep meanings relevant to its victims. Other examples from 2020 include the Dex Ransomware, the LCK Ransomware, the 1dec Ransomware, and the Zimba Ransomware.
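As an added example (not code from the original post or from any security vendor), the name layout described above can be turned into a small triage script that scopes an incident by finding renamed files and tallying the IDs, e-mail addresses and original file types involved. The exact separators between the original name, the ID and the bracketed e-mail are an assumption of this example, since the post only lists the three components; the sample file names are constructed and not real indicators.

```python
import re
import sys
from collections import Counter
from pathlib import Path

# Layout assumed by this example: <original name>.<ID>.[<e-mail>].SWP
# The ID token is matched loosely on purpose; only the bracketed e-mail
# and the trailing .SWP are treated as mandatory.
SWP_NAME = re.compile(
    r"""^(?P<original>.+?)                     # file name before the appended parts
        \.(?P<victim_id>[^.\[\]]+)             # attacker-assigned ID (assumed token)
        \.\[(?P<email>[^\]\s]+@[^\]\s]+)\]     # bracket-enclosed contact e-mail
        \.SWP$""",
    re.VERBOSE | re.IGNORECASE,
)


def parse_swp_name(name: str):
    """Return (original, victim_id, email) when the name fits the pattern, else None."""
    m = SWP_NAME.match(name)
    if not m:
        return None
    return m.group("original"), m.group("victim_id"), m.group("email")


def triage(names):
    """Summarise a list of file names for one infection: how many were renamed,
    which IDs and e-mails appear, and which original extensions were hit."""
    hits = [p for p in (parse_swp_name(n) for n in names) if p]
    return {
        "renamed": len(hits),
        "ids": dict(Counter(h[1] for h in hits)),
        "emails": dict(Counter(h[2] for h in hits)),
        "original_extensions": dict(Counter(Path(h[0]).suffix.lower() for h in hits)),
    }


def scan_tree(root):
    """Walk a directory tree and triage every regular file's name."""
    return triage(p.name for p in Path(root).rglob("*") if p.is_file())


# Constructed sample names; the ID and e-mail are placeholders.
SAMPLE_NAMES = [
    "budget.xlsx.id-EXAMPLE01.[contact@example.test].SWP",
    "report.docx.id-EXAMPLE01.[contact@example.test].SWP",
    "notes.txt",        # untouched file
    "photo.jpg.SWP",    # plain .SWP suffix with no ID or e-mail: not this pattern
]

if __name__ == "__main__":
    print(scan_tree(sys.argv[1]) if len(sys.argv) > 1 else triage(SAMPLE_NAMES))
```

Run it against a share or user profile to confirm that one ID and one e-mail account for all renamed files, which tells you that you are looking at a single infection rather than several.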

Victims can find another abbreviation of unknown meaning in the SWP Ransomware's ransom note, a copy-and-paste HTA pop-up with updated e-mail addresses. Like the extension, the SWP Ransomware's 'EUSA' e-mail address might refer to various organizations worldwide. Malware analysts stress that most Windows PCs are vulnerable to SWP Ransomware infections and the associated file-blocking attacks. The program lacks the language-based self-destruct checks of some threats, such as variants of the Scarab Ransomware.

The Simpler Way of Cutting Infinity Short

Users should not depend on local or default Windows backups as their only data recovery option after an emergency. Even a ransom paid to a RaaS 'business' doesn't guarantee that the threat actor will provide the file-unlocking help that the victim paid for. Well-updated backups on separate storage devices or servers offer the most comprehensive and dependable solution to an attack by the SWP Ransomware or the rest of the Dharma Ransomware collective.

Although the SWP Ransomware is a new entrant into its group of Trojans, its campaign isn't showing its hand concerning how it infects victims, or how it finds them in the first place. Users browsing the Web should consider turning off features like Flash and JavaScript, which expose them to drive-by-download exploits. Admins should check credentials for weaknesses that could lead to brute-force breaches. E-mails should also be examined carefully for corrupted, disguised documents and similar tactics.

Besides the above, a fortunate limitation of this Ransomware-as-a-Service is its lack of effort at obfuscation or at proactively disabling meaningful security utilities. Anti-malware services should detect and remove the SWP Ransomware immediately after any intrusion.

An attack from the SWP Ransomware might have political motivations behind it, but the fallout for poorly preserved media threatens users globally. Anyone on Windows who's also on the Web should reconsider their data recovery options periodically or risk being taken advantage of by the SWP Ransomware and reheated leftovers like it.
