
The Brotherhood Ransomware

Posted: July 4, 2018

The Brotherhood Ransomware is a variant of Hidden Tear, an open-source demonstration of a file-locking Trojan. The Trojan may block different files according to either their format or their location, although, currently, it targets the Windows Documents folder exclusively. Secure backups and free decryption utilities are two readily available means of restoring any encrypted files, and malware experts recommend uninstalling the Brotherhood Ransomware with an appropriate anti-malware tool immediately after its detection.

A File-Locking Fraternity with an Incredible Price

Hidden Tear is having its code hijacked for an experiment in another file-locking, extortionist campaign, courtesy of a threat actor with the username Zhihao1987. This variant of Utku Sen's HT project names itself the Brotherhood Ransomware in its ransom message, which asks for an incredibly high price for restoring the user's files. Like other versions of Hidden Tear, the Brotherhood Ransomware is classified by malware experts as an immediate threat to recreational and work-related file formats on any Windows PC.

Like almost every other Hidden Tear clone, the Brotherhood Ransomware uses AES encryption to block different formats of media, with documents, pictures, archives, and audio among the highest-risk data types. However, in what malware experts estimate is a change made for testing purposes, this file-locking Trojan also includes a secondary filter that prevents it from encrypting anything outside of a single directory: the default 'Documents' folder. Anything the Brotherhood Ransomware blocks can be identified by the '.ransomcrypt' extension that the Trojan appends (for example: 'picture.bmp.ransomcrypt').
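As an added triage example (not the article's own code and not the Trojan's), the script below inventories files bearing the '.ransomcrypt' marker by original format and by folder, so a responder can confirm the Documents-only scope described above before restoring from backup. The category table and the sample directory tree are constructed assumptions, not data from the write-up.

```python
# Added triage example, not from the article or the Trojan's own code: inventory the
# files carrying the '.ransomcrypt' marker so responders can see what was hit.
import os
import tempfile
from collections import Counter

MARKER = ".ransomcrypt"  # assumed: appended after the full original file name
# Illustrative mapping for the data types the write-up calls highest-risk.
CATEGORIES = {
    "documents": {".doc", ".docx", ".pdf", ".txt", ".xlsx"},
    "pictures": {".bmp", ".jpg", ".jpeg", ".png", ".gif"},
    "archives": {".zip", ".rar", ".7z"},
    "audio": {".mp3", ".wav", ".flac"},
}

def original_name(filename):
    # 'picture.bmp.ransomcrypt' -> 'picture.bmp'; None if the marker is absent.
    if not filename.lower().endswith(MARKER):
        return None
    return filename[:-len(MARKER)]

def classify(filename):
    # Category of the original file, judged by its real extension.
    ext = os.path.splitext(filename)[1].lower()
    return next((c for c, exts in CATEGORIES.items() if ext in exts), "other")

def inventory(root):
    # Walk the tree; tally marked files by category and by folder relative to root.
    by_category, by_dir, files = Counter(), Counter(), []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            orig = original_name(name)
            if orig is None:
                continue
            files.append(os.path.relpath(os.path.join(dirpath, orig), root))
            by_category[classify(orig)] += 1
            by_dir[os.path.relpath(dirpath, root)] += 1
    return {"by_category": by_category, "by_dir": by_dir, "files": sorted(files)}

def run_sample():
    # Constructed sample tree: only 'Documents' holds marked files, as the write-up describes.
    layout = {"Documents": ["report.docx.ransomcrypt", "picture.bmp.ransomcrypt", "notes.txt"],
              "Pictures": ["holiday.jpg"]}
    with tempfile.TemporaryDirectory() as tmp:
        for folder, names in layout.items():
            os.makedirs(os.path.join(tmp, folder))
            for name in names:
                open(os.path.join(tmp, folder, name), "w").close()  # empty placeholder
        return inventory(tmp)
```

Point `inventory()` at a real user profile to get the same per-folder and per-format tallies; a non-empty count outside 'Documents' would indicate a build that no longer applies the directory filter.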

Another sign of its development status is the fact that the Brotherhood Ransomware includes an image for its ransoming message, but places it on the desktop without hijacking the wallpaper or using it as a pop-up. The current message template uses what is almost definitely placeholder information; the Brotherhood Ransomware asks for one hundred Bitcoins (over six hundred thousand USD) for an invalid wallet address.

The Alternative to Throwing Too Many Bitcoins at a Problem

Because the Brotherhood Ransomware uses a hard-coded key for its cryptography, victims have a good chance of recovering their files through a decryption solution without paying any ransom. Users can contact experienced cyber-security professionals for assistance with this version of Hidden Tear, or, preferably, recover all of their files from a backup. The Brotherhood Ransomware's family doesn't include any attacks against cloud services or removable drives, and malware experts encourage using these locations for backup storage.

The Brotherhood Ransomware isn't in a state of public distribution, and no active infection vectors are identifiable for its prospective campaign. Zhihao1987 could use spam e-mails or brute-force attacks to compromise systems likely to hold valuable files, or use indiscriminate methods, such as circulating the Trojan throughout file-sharing networks. Most anti-malware programs can remove different versions of Hidden Tear and, if active, should delete the Brotherhood Ransomware automatically.

Hidden Tear isn't going to slow down until its victims start refusing the extortionist payment demands of its abusers. The Brotherhood Ransomware, much like the KoreanLocker Ransomware, the FlatChestWare Ransomware, the KratosCrypt Ransomware, and other members of this large family, is a demonstration of how easily encryption can be misused.
