The Magic Ransomware
Posted: October 18, 2017
Threat Metric
The following fields listed on the Threat Meter, each containing a specific value, are explained in detail below:
Threat Level: The threat level scale goes from 1 to 10 where 10 is the highest level of severity and 1 is the lowest level of severity. Each specific level is relative to the threat's consistent assessed behaviors collected from SpyHunter's risk assessment model.
Detection Count: The collective number of confirmed and suspected cases of a particular malware threat. The detection count is calculated from infected PCs retrieved from diagnostic and scan log reports generated by SpyHunter.
Volume Count: Similar to the detection count, the Volume Count is specifically based on the number of confirmed and suspected threats infecting systems on a daily basis. High volume counts usually represent a popular threat but may or may not have infected a large number of systems. High detection count threats could lay dormant and have a low volume count. The criterion for Volume Count is relative to a daily detection count.
Trend Path: The Trend Path, utilizing an up arrow, down arrow or equal symbol, represents the level of recent movement of a particular threat. Up arrows represent an increase, down arrows represent a decline and the equal symbol represents no change to a threat's recent movement.
% Impact (Last 7 Days): This demonstrates a 7-day period change in the frequency of a malware threat infecting PCs. The percentage impact correlates directly to the current Trend Path to determine a rise or decline in the percentage.
| Threat Level: | 10/10 |
|---|---|
| Infected PCs: | 80 |
| First Seen: | October 18, 2017 |
| OS(es) Affected: | Windows |
The Magic Ransomware is a Trojan that locks your files using a Hidden Tear-based, data-encrypting feature. Although some elements of The Magic Ransomware's configuration remain in development, malware experts still deem it a likely threat to any saved media on the infected PC. Users seeing symptoms of an attack, such as changes to file extensions or desktop backgrounds, should have their anti-malware products eliminate The Magic Ransomware before taking any other steps toward data recovery, if needed.
Hidden Tear's Back to Casting Spells on Your Media
An independent threat actor who calls himself 'The Magic' is taking the first steps towards a campaign of data attacks and extortion, using the often-abused source code of Hidden Tear. While his Hidden Tear variant isn't complete, the Trojan displays no impediments regarding its primary attacks, which can lock files with an encoding algorithm, hijack some cosmetic elements of the Windows UI, and create ransom messages. Unlike most members of the HT family, this new Trojan, The Magic Ransomware, is one that malware experts correlate with a payload aimed explicitly at Italian-based systems.
Once The Magic Ransomware compromises a compatible Windows PC, by means still subject to speculation, the Trojan scans for data types that it can lock with encryption. Traditional targets of such attacks include Microsoft Office-based content, other text documents like Adobe's PDF, and pictures like JPG or GIF. After blocking the files from opening with an AES-based encoding method, The Magic Ransomware adds the '.locked' extension to their names (a symptom common to many versions of the HT family).
The Magic Ransomware also replaces the user's desktop wallpaper with a 'You've been hacked' warning image, and drops a text message for the victim's file-unlocking instructions. The latter asks, in Italian, for an equivalent of 100 Euros in Bitcoins before providing the decryption service that could unlock all encrypted media.
Although all of the above features are working, malware analysts also identified concealed network activity from The Magic Ransomware that currently contacts a fake, placeholder domain. Future updates will most likely modify this connection so that The Magic Ransomware can upload attack information to the threat actor's C&C server or download other content, such as the key to its cipher.
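The file-renaming symptom described above (target documents gaining a '.locked' extension in quick succession) is something a file-monitoring rule can catch. The following is an added detection example, not code from the original article or from any security product; the log format, the process IDs and the list of target extensions are constructed assumptions:

```python
# Added example: flag a burst of renames that append '.locked' to document,
# PDF or image files, the symptom the text attributes to this Hidden Tear variant.
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed target types, based on the document and image formats the text names.
TARGET_EXTS = {".doc", ".docx", ".xls", ".xlsx", ".txt", ".pdf", ".jpg", ".gif"}

# Constructed sample file-monitor log: "<ISO time> RENAME pid=<n> <old> -> <new>".
SAMPLE_LOG = """\
2017-10-18T10:00:01 RENAME pid=4120 C:\\Users\\u\\Docs\\report.docx -> C:\\Users\\u\\Docs\\report.docx.locked
2017-10-18T10:00:01 RENAME pid=4120 C:\\Users\\u\\Docs\\budget.xlsx -> C:\\Users\\u\\Docs\\budget.xlsx.locked
2017-10-18T10:00:02 RENAME pid=4120 C:\\Users\\u\\Pictures\\cat.jpg -> C:\\Users\\u\\Pictures\\cat.jpg.locked
2017-10-18T10:00:02 RENAME pid=4120 C:\\Users\\u\\Docs\\notes.txt -> C:\\Users\\u\\Docs\\notes.txt.locked
2017-10-18T10:00:03 RENAME pid=4120 C:\\Users\\u\\Docs\\scan.pdf -> C:\\Users\\u\\Docs\\scan.pdf.locked
2017-10-18T10:05:00 RENAME pid=988 C:\\Users\\u\\Docs\\draft.txt -> C:\\Users\\u\\Docs\\draft_v2.txt
2017-10-18T11:00:00 RENAME pid=2044 C:\\Users\\u\\old.txt -> C:\\Users\\u\\old.txt.locked
"""

LINE_RE = re.compile(r"^(\S+) RENAME pid=(\d+) (.+?) -> (.+)$")

def parse(log):
    """Yield (timestamp, pid, old_path, new_path) for each well-formed line."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m.group(1)), int(m.group(2)), m.group(3), m.group(4)

def locked_rename_bursts(log, threshold=3, window=timedelta(seconds=10)):
    """Return {pid: count} for processes that renamed at least `threshold`
    target files to '<name>.locked' within one sliding window of `window`."""
    events = defaultdict(list)
    for ts, pid, old, new in parse(log):
        base = old.lower()
        if new.lower() == base + ".locked" and any(base.endswith(e) for e in TARGET_EXTS):
            events[pid].append(ts)
    alerts = {}
    for pid, times in events.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1  # slide the window forward past old events
            if end - start + 1 >= threshold:
                alerts[pid] = max(alerts.get(pid, 0), end - start + 1)
    return alerts
```

On the constructed log, only pid 4120 trips the rule; the single '.locked' rename by pid 2044 and the ordinary rename by pid 988 stay below the threshold.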
How to Dispel The Magic Ransomware with a Wave of Your Hand
One of the most threatening aspects of Hidden Tear as compromised software is that it gives even threat actors with little to no experience a working tool for blocking files without any additional effort. Although 'The Magic' has yet to finalize the last touches of The Magic Ransomware's network support, The Magic Ransomware is still capable of locking data automatically and may cause damage that's not always reversible. Malware analysts always recommend having backups scheduled regularly to eliminate the possibility of permanent data loss, but free decryption programs also are available for many, if not all, variants of Hidden Tear.
The Magic Ransomware may be targeting Italian speakers in particular, but its distribution methods have yet to be confirmed by any sources in the PC security industry. Future attacks may attach its installers to forged email messages, bundle them into free downloads, or use exploit kits that can attack unprotected PCs through their browsers. Anti-malware products with active threat detection functions and file-scanning technology should block or delete The Magic Ransomware before any locking of local media occurs.
Overall, The Magic Ransomware is less of a new threat than one con artist's tailoring of an old one to suit his plans for undeserved revenue. Perhaps its most important detail is that it shows how threat actors remain interested in targeting their Trojan campaigns regionally, which could lead to improved depth in their social engineering attacks.