
The Magic Ransomware

Posted: October 18, 2017

Threat Metric

Threat Level: 10/10
Infected PCs: 80
First Seen: October 18, 2017
OS(es) Affected: Windows

The Magic Ransomware is a Trojan that locks your files with a data-encrypting routine built on Hidden Tear. Although some elements of The Magic Ransomware's configuration remain in development, malware experts still deem it a likely threat to any saved media on the infected PC. Users seeing symptoms of an attack, such as changed file extensions or a replaced desktop background, should let their anti-malware products remove The Magic Ransomware before taking any further steps toward data recovery.

Hidden Tear's Back to Casting Spells on Your Media

An independent threat actor who calls himself 'The Magic' is taking the first steps toward a campaign of data attacks and extortion, using the often-abused source code of Hidden Tear. While his Hidden Tear variant isn't complete, the Trojan shows no impediments to its primary attacks: it can encrypt files, hijack some cosmetic elements of the Windows UI, and create ransom messages. Unlike a majority of HT family members, this new Trojan, The Magic Ransomware, carries a payload that malware experts correlate explicitly with Italian-language systems.

Once The Magic Ransomware compromises a Windows PC, by means still subject to speculation, the Trojan scans for data types that it can lock with encryption. Traditional targets of such attacks include Microsoft Office documents, other text documents such as Adobe PDFs, and pictures such as JPG or GIF files. After blocking the files from opening with an AES-based cipher, The Magic Ransomware adds the '.locked' extension to their names, a symptom common to many versions of the HT family.
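The following triage helper is an added example and is not code from the original write-up or from the malware itself. It walks a directory, picks out files carrying the '.locked' extension described above, and uses byte entropy to separate files that were genuinely encrypted from files that merely carry the extension, so a responder can scope the damage before restoring from backup. The target-extension list, the entropy threshold and the sample directory tree are assumptions constructed for the demonstration; the exact file types The Magic Ransomware targets are not published.

```python
"""Triage helper for a Hidden Tear-style incident (added example)."""
import math
import random
import tempfile
from collections import Counter
from pathlib import Path

LOCKED_SUFFIX = ".locked"

# Document and image types the write-up names as traditional targets; the
# exact list used by The Magic Ransomware is not known, so this is assumed.
TARGET_EXTENSIONS = {".doc", ".docx", ".xls", ".xlsx", ".txt", ".pdf",
                     ".jpg", ".jpeg", ".gif", ".png"}

SAMPLE_BYTES = 64 * 1024           # read at most this much per file
ENCRYPTED_ENTROPY_THRESHOLD = 7.5  # bits/byte; AES output sits near 8.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 0.0 for empty or single-valued input."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def original_name(name: str) -> str:
    """Recover the pre-attack filename by stripping the appended '.locked'."""
    if name.endswith(LOCKED_SUFFIX):
        return name[:-len(LOCKED_SUFFIX)]
    return name


def triage_directory(root) -> dict:
    """Classify every file under root and tally the original extensions."""
    root = Path(root)
    report = {"encrypted": [], "renamed_only": [], "untouched": [],
              "by_original_ext": Counter(), "non_target_ext": []}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        if not path.name.endswith(LOCKED_SUFFIX):
            report["untouched"].append(rel)
            continue
        with path.open("rb") as fh:
            sample = fh.read(SAMPLE_BYTES)
        # A high-entropy body confirms real ciphertext; a readable body under
        # a '.locked' name means the file was renamed but not encrypted.
        if shannon_entropy(sample) >= ENCRYPTED_ENTROPY_THRESHOLD:
            report["encrypted"].append(rel)
        else:
            report["renamed_only"].append(rel)
        ext = Path(original_name(path.name)).suffix.lower()
        report["by_original_ext"][ext] += 1
        if ext not in TARGET_EXTENSIONS:
            report["non_target_ext"].append(rel)
    return report


def build_sample_tree(root) -> None:
    """Write a constructed post-incident tree (sample data, not real files):
    three encrypted files, one that only got the extension, one untouched."""
    root = Path(root)
    rng = random.Random(2017)  # deterministic stand-in for ciphertext

    def fake_ciphertext(n: int) -> bytes:
        return bytes(rng.getrandbits(8) for _ in range(n))

    layout = {
        "data/backup.db.locked": fake_ciphertext(4096),
        "docs/report.docx.locked": fake_ciphertext(4096),
        "photos/holiday.jpg.locked": fake_ciphertext(4096),
        "notes.txt.locked": b"meeting notes, still plaintext\n" * 64,
        "system/config.ini": b"[settings]\nlocale=it-IT\n",
    }
    for rel, body in layout.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_bytes(body)


def run_demo() -> dict:
    """Build the sample tree in a temp dir, triage it, return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return triage_directory(tmp)


if __name__ == "__main__":
    r = run_demo()
    print(f"{len(r['encrypted'])} encrypted, {len(r['renamed_only'])} renamed "
          f"only, {len(r['untouched'])} untouched")
    print("original extensions:", dict(r["by_original_ext"]))
    print("outside the assumed target list:", r["non_target_ext"])
```

The entropy check matters because a file that carries the extension but still reads as plaintext does not need a decryptor at all, and the per-extension tally shows at a glance whether the variant stayed within the document and image types the write-up describes or reached further.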

The Magic Ransomware also replaces the user's desktop wallpaper with a 'You've been hacked' warning image and drops a text message with the victim's file-unlocking instructions. The latter asks, in Italian, for the equivalent of 100 Euros in Bitcoins before providing the decryption service that could unlock all of the encrypted media.

Although all of the above features are working, malware analysts also identified concealed network activity from The Magic Ransomware that currently contacts a fake, placeholder domain. In the stock Hidden Tear code, this connection is how the randomly generated encryption password is reported to the attacker's server, so while it points at a placeholder, nothing the Trojan sends arrives anywhere. Future updates will most likely modify this connection so that The Magic Ransomware can upload attack information to the threat actor's C&C server or download other content.
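Template malware that still beacons to a placeholder address is also an opportunity for defenders: hosts have no legitimate reason to contact example.com or any name under the TLDs that RFC 2606 reserves (.test, .example, .invalid, .localhost), so such requests in proxy or DNS logs are a cheap, low-noise hunting signal. The script below is an added example, not code from the write-up; the log format and every log line in it are constructed, and the upload path and hostnames are invented for the demonstration rather than taken from The Magic Ransomware.

```python
"""Hunt for beacons to RFC 2606 placeholder names in web-proxy logs (added example)."""
import re
from urllib.parse import urlsplit

# Reserved by RFC 2606; these never point at real infrastructure.
RESERVED_TLDS = {"test", "example", "invalid", "localhost"}
RESERVED_DOMAINS = {"example.com", "example.net", "example.org"}

# Constructed log format: timestamp, client IP, method, URL, status code.
LOG_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+"
    r"(?P<url>\S+)\s+(?P<status>\d{3})$"
)


def is_placeholder_host(host: str) -> bool:
    """True if host is, or sits under, an RFC 2606 reserved name."""
    host = host.lower().rstrip(".")
    if not host:
        return False
    if host.rsplit(".", 1)[-1] in RESERVED_TLDS:
        return True
    # Match the reserved domain itself or any subdomain of it, but not
    # unrelated names that merely contain the string (e.g. notexample.com).
    return any(host == d or host.endswith("." + d) for d in RESERVED_DOMAINS)


def find_placeholder_beacons(lines):
    """Return one record per log line whose destination is a placeholder name."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the hunt
        host = urlsplit(m["url"]).hostname or ""
        if is_placeholder_host(host):
            hits.append({"ts": m["ts"], "client": m["client"], "host": host,
                         "url": m["url"], "status": int(m["status"])})
    return hits


# Constructed sample: one infected host retrying a dead placeholder C&C, one
# staging name under .test, and benign traffic that must not be flagged.
SAMPLE_LOG = [
    "2017-10-18T09:14:02Z 10.20.30.41 GET https://www.microsoft.com/en-us/ 200",
    "2017-10-18T09:14:05Z 10.20.30.41 GET http://www.example.com/upload.php?info=DESKTOP-01-user 503",
    "2017-10-18T09:14:06Z 10.20.30.41 GET http://www.example.com/upload.php?info=DESKTOP-01-user 503",
    "2017-10-18T09:15:11Z 10.20.30.77 GET https://examples.realvendor.net/docs 200",
    "2017-10-18T09:16:40Z 10.20.30.90 POST http://c2.staging.test/report 000",
    "garbage line the collector truncated",
]


def run_demo():
    """Run the hunt over the constructed sample log and return the hits."""
    return find_placeholder_beacons(SAMPLE_LOG)


if __name__ == "__main__":
    for hit in run_demo():
        print(f"{hit['ts']} {hit['client']} -> {hit['host']} "
              f"({hit['status']}) {hit['url']}")
```

Matching on the parsed hostname rather than on a substring of the URL keeps names like examples.realvendor.net out of the results, and repeated failures (the 503s above) from one client to the same placeholder host are the pattern worth escalating.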

How to Dispel The Magic Ransomware with a Wave of Your Hand

One of the most threatening aspects of Hidden Tear, an open-source 'educational' ransomware project whose code has been widely abused, is that it gives even threat actors with little to no experience a working tool for locking files without any additional effort. Although 'The Magic' has yet to finish The Magic Ransomware's network support, the Trojan is still capable of locking data automatically and may cause damage that's not always reversible. Malware analysts always recommend regularly scheduled backups to eliminate the possibility of permanent data loss, but free decryption programs also are available for many, if not all, variants of Hidden Tear, because the original code derives its encryption password from a weakly seeded random number generator.

The Magic Ransomware may be targeting Italian speakers in particular, but its distribution methods have yet to be confirmed by any sources in the PC security industry. Future attacks may attach its installer to forged email messages, bundle it with free downloads, or use exploit kits that attack unprotected PCs through their browsers. Anti-malware products with active threat detection and file-scanning features should block or delete The Magic Ransomware before any locking of local media occurs.

Overall, The Magic Ransomware is less a new threat than one con artist's tailoring of an old one to suit his plans for undeserved revenue. Perhaps its most important detail is that it shows how threat actors remain interested in targeting their Trojan campaigns regionally, which could lead to more convincing social engineering attacks.
