
TBHRanso Ransomware

Posted: November 28, 2017

Threat Metric

Threat Level: 8/10
Infected PCs: 56
First Seen: February 14, 2022
Last Seen: February 14, 2022
OS(es) Affected: Windows


The TBHRanso Ransomware is a Trojan that uses encryption to lock the infected PC's media. Users can recognize file-locking threats of this kind by being unable to open the 'locked' files in their usual software, by the changes the Trojan makes to the files' names or extensions, and by the appearance of extortion-themed windows or text messages. Have your anti-malware products uninstall the TBHRanso Ransomware as soon as possible before restoring your work by free means, such as a backup kept off the infected machine.

A Love Note with a Price Attached

Many, though not all, file-locking Trojans can be identified readily by the symptoms they display while attacking digital content and communicating with their victims. One sample of interest to malware experts has yet to reveal tangible evidence of a relationship with any earlier family, but it endangers the victim's local data without needing assistance from other threats. The file-locker in question, the TBHRanso Ransomware, uses a secure encryption combination that gives the victim a strong incentive to comply with the cybercrook's demands.

The TBHRanso Ransomware uses a traditional but hard-to-break scheme: it encrypts the user's media with AES and then encrypts the AES key itself with a second layer of RSA, so the key needed to unlock the files cannot be read back from the infected PC. This routine can block a variety of formats, including Word documents, WinZip archives, music, spreadsheets and databases. The Trojan appends the '.locked' extension to every file it damages, although malware experts see this same extension recur across a range of different, often unrelated threats, so it is not a reliable identifier on its own.

The Trojan's payload also generates a simple, Notepad-readable text ransom note. This file contains the threat actor's instructions to the victim for unlocking their data: pay the equivalent of one hundred USD in the Bitcoin cryptocurrency, after which the victim may be given the decryption key. The note's final line describes the TBHRanso Ransomware as a virus, but malware experts confirm that the Trojan displays none of the traits of a true virus, such as inserting its code into other files or programs.
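The two symptoms above, the '.locked' extension and a dropped text ransom note, are what an incident responder looks for first. The following Go program is an added example written for this page; it is not code from the TBHRanso Ransomware or from its analysts. It walks a directory read-only, lists files carrying the '.locked' extension, and flags text files that read like a ransom note. The keyword list and the sample directory it builds are constructed for the demonstration (the page does not quote the note's full wording), so adjust them for a real case:

```go
package main

import (
	"fmt"
	"io"
	"io/fs"
	"os"
	"path/filepath"
	"strings"
)

// TriageReport summarises the two symptoms described above: files carrying
// the '.locked' extension and text files that read like a ransom note.
type TriageReport struct {
	LockedFiles []string
	RansomNotes []string
}

// noteKeywords is a constructed list; the page only mentions the Bitcoin
// demand and the 'virus' claim, so treat these terms as an assumption.
var noteKeywords = []string{"bitcoin", "decrypt", "encrypted", "virus", "pay"}

// looksLikeRansomNote reads at most 64 KiB of a text file and flags it when
// at least two distinct keywords appear, which keeps ordinary notes out.
func looksLikeRansomNote(path string) bool {
	f, err := os.Open(path)
	if err != nil {
		return false
	}
	defer f.Close()
	buf, err := io.ReadAll(io.LimitReader(f, 64*1024))
	if err != nil {
		return false
	}
	text := strings.ToLower(string(buf))
	hits := 0
	for _, kw := range noteKeywords {
		if strings.Contains(text, kw) {
			hits++
		}
	}
	return hits >= 2
}

// TriageDir walks root and collects both indicator types without modifying
// anything, so it is safe to run against a live incident volume.
func TriageDir(root string) (*TriageReport, error) {
	rep := &TriageReport{}
	err := filepath.WalkDir(root, func(path string, d fs.DirEntry, walkErr error) error {
		if walkErr != nil {
			return walkErr
		}
		if d.IsDir() {
			return nil
		}
		lower := strings.ToLower(path)
		switch {
		case strings.HasSuffix(lower, ".locked"):
			rep.LockedFiles = append(rep.LockedFiles, path)
		case strings.HasSuffix(lower, ".txt") && looksLikeRansomNote(path):
			rep.RansomNotes = append(rep.RansomNotes, path)
		}
		return nil
	})
	return rep, err
}

// BuildSampleTree creates a constructed directory that mimics an infected
// user profile; the file names and note text are invented for this example.
func BuildSampleTree() (string, error) {
	dir, err := os.MkdirTemp("", "tbhranso-triage-")
	if err != nil {
		return "", err
	}
	files := map[string]string{
		"Documents/report.docx.locked":     "\x8f\x13encrypted-bytes",
		"Documents/budget.xlsx.locked":     "\x02\x77encrypted-bytes",
		"Documents/todo.txt":               "Buy milk, call the bank.",
		"Documents/READ_ME_TO_DECRYPT.txt": "Your files are encrypted. Pay 100 USD in Bitcoin to receive the decrypt key. This is a virus.",
		"Music/track01.mp3":                "untouched",
	}
	for rel, content := range files {
		full := filepath.Join(dir, filepath.FromSlash(rel))
		if err := os.MkdirAll(filepath.Dir(full), 0o755); err != nil {
			return "", err
		}
		if err := os.WriteFile(full, []byte(content), 0o644); err != nil {
			return "", err
		}
	}
	return dir, nil
}

func main() {
	dir, err := BuildSampleTree()
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	rep, err := TriageDir(dir)
	if err != nil {
		panic(err)
	}
	fmt.Printf("locked files: %d\n", len(rep.LockedFiles))
	for _, p := range rep.RansomNotes {
		fmt.Println("ransom note:", p)
	}
}
```

Point `TriageDir` at a mounted image or a user profile rather than the sample tree for a real case. Requiring two keyword hits rather than one is deliberate: a single word such as "pay" appears in plenty of legitimate documents, and the extension check alone is also weak, since the '.locked' suffix is shared by unrelated families.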

Free Options for Keys to a Trojan's Chains

Since the TBHRanso Ransomware leaves no recoverable key on the infected PC, unlike Trojans that rely on XOR encoding or on a single AES key stored locally, a free decryption solution is unlikely to appear without a significant breakthrough regarding the campaign's key storage, such as recovery of the RSA private key. This impediment isn't uncommon with semi-sophisticated threats of the same category and is one reason why malware experts recommend saving backups of your work for restoring later. Keeping your backup media on a removable device that is disconnected after each backup, or on a remote server, reduces the chances of the TBHRanso Ransomware deleting or locking it.
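The AES-then-RSA scheme described in the section above, and the reason the preceding paragraph gives for why no free decryptor is feasible, come down to one property: the per-file AES key exists on the victim's disk only in RSA-encrypted form. The Go program below is an added example illustrating that property; it is not the TBHRanso Ransomware's code, and the page does not name the AES mode or RSA padding, so AES-256-GCM and RSA-OAEP are this example's assumptions. `LockData` plays the Trojan's role, `UnlockData` the decryptor that is sold for the ransom, and the attempt with a second key pair shows what a defender holding only the sample and the locked file is able to do:

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// LockedBlob is what remains of a file after the hybrid scheme runs: the
// AES-GCM nonce and ciphertext, plus the AES key wrapped with the attacker's
// RSA public key. No plaintext key is written anywhere on the victim's disk.
type LockedBlob struct {
	Nonce      []byte
	Ciphertext []byte
	WrappedKey []byte
}

// LockData encrypts data with a fresh random AES-256 key (GCM mode is this
// example's choice) and then wraps that key with RSA-OAEP under pub. Only the
// matching private key, which never leaves the attacker, can unwrap it.
func LockData(pub *rsa.PublicKey, data []byte) (*LockedBlob, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, data, nil)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	if err != nil {
		return nil, err
	}
	return &LockedBlob{Nonce: nonce, Ciphertext: ct, WrappedKey: wrapped}, nil
}

// UnlockData is the decryptor side: it needs priv to recover the AES key.
// With the wrong private key the OAEP unwrap fails and the ciphertext stays
// opaque, which is why a free decryptor cannot be derived from the sample.
func UnlockData(priv *rsa.PrivateKey, b *LockedBlob) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, b.WrappedKey, nil)
	if err != nil {
		return nil, errors.New("cannot unwrap AES key: wrong RSA private key")
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, b.Nonce, b.Ciphertext, nil)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	// Constructed demo: the attacker's key pair and a sample document.
	attacker, _ := rsa.GenerateKey(rand.Reader, 2048)
	doc := []byte("Q3 budget: confidential")
	blob, err := LockData(&attacker.PublicKey, doc)
	if err != nil {
		panic(err)
	}
	fmt.Println("ciphertext differs from plaintext:", !bytes.Equal(blob.Ciphertext, doc))
	// A defender with only the sample and the locked file has no usable key.
	stranger, _ := rsa.GenerateKey(rand.Reader, 2048)
	_, err = UnlockData(stranger, blob)
	fmt.Println("unlock with wrong key:", err)
	back, _ := UnlockData(attacker, blob)
	fmt.Println("unlock with attacker key:", string(back))
}
```

The practical consequence matches the paragraph above: analysts can recover the public key and the wrapped keys from an infected system, but neither yields the AES key, so the only breakthroughs that help are a flaw in how the key was generated or a leak of the private key. Families that instead embed a fixed AES key or XOR pattern in the binary are the ones for which free decryptors get written.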

The TBHRanso Ransomware campaign's distribution vectors aren't yet identified, but they are likely to include forged e-mail messages, piracy-based downloads (such as torrent-delivered game cracks) or exploit kits. Some cybercrooks also prefer installing Trojans of this type directly on a compromised business's server after brute-forcing the network's login credentials. Have your anti-malware products eliminate the TBHRanso Ransomware to stop it from damaging any more files, and avoid paying the ransom its author requests if at all possible.

There's little that's new or creative about the TBHRanso Ransomware's feature set, but it presents victims with an even harder dilemma than usual for saving their media. As AES-and-RSA combinations grow more common, the average user's ability to recover their work after an attack without a backup keeps shrinking.
