
Termit Ransomware

Posted: November 9, 2020

The Termit Ransomware is a file-locking Trojan that's from the DCRTR Ransomware family. Effects of its attacks include non-opening media files, deleted backups, extra extensions on files' names, and text ransom notes. Users should have other backups for restoring their work and let trusted anti-malware products remove the Termit Ransomware from compromised PCs.

Cyber-Termites Burrowing through What Data They can Find

Another Windows variant of the smaller family of DCRTR Ransomware might be making waves in Norway or merely benefiting from a threat actor located there. The Termit Ransomware is part of a lineage of similar threats in its group, including the castor-troy-restore@protonmail.com Ransomware, the DCRTR-WDM Ransomware, and the COPAN Ransomware – from 2018 to 2019. Unlike most of them, its addresses show a distinct geographical inclination that might be of use in containing its campaign.

The Termit Ransomware is an unremarkable variant of the DCRTR Ransomware family, whose distribution in the wild started with corrupted or compromised Web domains targeting Russian speakers. Its signature function is data encryption, which uses AES, RSA, and SHA algorithms for blocking documents and other media formats. The Termit Ransomware is particular to Windows systems and assumes that its victims are English speakers (or, at least, have access to translators like Google Translate).

Two seemingly-small choices in the Termit Ransomware's campaign reveal Norway as either the threat actor's likely residence or the victim-targeting region for its campaign. The first is some of the e-mail addresses, which translate from Norwegian into 'ashtray.' The second is its name, from its extension, which translates into 'termite' from the same language. However, most Windows computers are at risk from the Termit Ransomware's data-blocking feature.

Malware experts also see a handful of command-line attacks in the Termit Ransomware's payload, including terminating media services, deleting the Shadow Volume Copies, and turning off boot-up warning messages. All of these features are increasingly common among file-locker Trojans and support the payload's data sabotage.
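The three pre-encryption steps named above (stopping services, deleting Shadow Volume Copies, disabling boot recovery) are the part of a file-locker's run that a defender can still catch before data is lost. The following detector is an added example, not code from this page or from any analysis of the Termit Ransomware: it scans constructed process-creation records (the fields a Windows Security 4688 event would supply) and correlates the sabotage behaviours under the parent process that spawned them. The specific command lines it matches are the typical Windows tools used for these actions, an assumption on my part; the page does not quote the Trojan's commands, and the sample events (including the 'coco.exe' parent, borrowed from the file names the page mentions) are made up.

```python
import re

# Sabotage behaviours the page describes, keyed to regexes over the command line.
# The commands matched are assumed typical tooling, not quoted from the Trojan.
RULES = {
    "shadow_copy_deletion": re.compile(
        r"\b(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)",
        re.IGNORECASE),
    "boot_recovery_disabled": re.compile(
        r"\bbcdedit(\.exe)?\s+/set\b.*\b(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b",
        re.IGNORECASE),
    "service_termination": re.compile(
        r"\b(net(\.exe)?|sc(\.exe)?)\s+stop\s+\S+", re.IGNORECASE),
}

# Constructed sample events (NOT real telemetry): a made-up parent spawning the
# three sabotage steps, plus two benign lines that must not be flagged.
SAMPLE_EVENTS = [
    {"pid": 4120, "parent": "C:\\Users\\user\\Downloads\\coco.exe",
     "cmd": "vssadmin.exe delete shadows /all /quiet"},
    {"pid": 4121, "parent": "C:\\Users\\user\\Downloads\\coco.exe",
     "cmd": "bcdedit.exe /set {default} recoveryenabled no"},
    {"pid": 4122, "parent": "C:\\Users\\user\\Downloads\\coco.exe",
     "cmd": "bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures"},
    {"pid": 4123, "parent": "C:\\Users\\user\\Downloads\\coco.exe",
     "cmd": "net.exe stop MSSQLSERVER"},
    {"pid": 5001, "parent": "C:\\Windows\\explorer.exe",
     "cmd": "notepad.exe C:\\Users\\user\\notes.txt"},
    {"pid": 5002, "parent": "C:\\Windows\\System32\\svchost.exe",
     "cmd": "vssadmin.exe list shadows"},  # read-only: listing is not deletion
]


def classify(cmd):
    """Return the names of every sabotage rule that the command line matches."""
    return [name for name, rx in RULES.items() if rx.search(cmd)]


def behaviours_by_parent(events):
    """Group matched behaviours by the parent process that launched each command."""
    seen = {}
    for ev in events:
        hits = classify(ev["cmd"])
        if hits:
            seen.setdefault(ev["parent"], set()).update(hits)
    return seen


def flag_parents(events, min_behaviours=2):
    """Parents that spawned at least `min_behaviours` distinct sabotage behaviours.

    Requiring more than one behaviour from the same parent keeps a lone
    administrative `vssadmin delete shadows` from raising an alert on its own.
    """
    return {parent for parent, found in behaviours_by_parent(events).items()
            if len(found) >= min_behaviours}


if __name__ == "__main__":
    for parent, found in behaviours_by_parent(SAMPLE_EVENTS).items():
        print(parent, "->", sorted(found))
    print("flagged:", flag_parents(SAMPLE_EVENTS))
```

Correlating on the parent process rather than alerting per command is the design point: each of these commands has a legitimate administrative use, but one parent issuing all three in quick succession is the pre-encryption pattern the page describes, and it fires before the first file is locked.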

Caution Around Downloads can Serve Anyone's Files

The samples of the Termit Ransomware that are available suggest that the Trojan's campaign depends on victims downloading the Trojan under the mistaken impression that it's legitimate software. File names such as 'mhtop32bit' and 'coco' might trick a user into thinking that it's legitimate while the download loads from a copycat domain or compromised installer. Windows users should be especially careful of downloads that don't come from sites that they know are definitively safe.

Although Norwegian appears in the Termit Ransomware's note and symptoms, the Trojan also specifies English as the language of preference for any negotiations. Alternatives to the ransom aren't available for DCRTR Ransomware variants, besides the always-appropriate chance of users having safe backups on another device. Restore Points are usually deleted, which malware experts confirm for the Termit Ransomware.

Windows users with compatible security solutions can spot and remove the Termit Ransomware through these tools automatically. Ordinarily, anti-malware applications will contain file-locking Trojans before encryption can trigger – unless a remote attacker deactivates the security.

Even the smallest clues in identifying a Trojan's activity can return dividends. Anyone who benefits from the warnings will, hopefully, have their files locked up tight before the Termit Ransomware does the locking for them.
