
THT Ransomware

Posted: July 2, 2018

The THT Ransomware, or TimisoaraHackerTeam Ransomware, is a file-locking Trojan that encrypts personal and work-related file formats, such as Word or Adobe documents, and holds them for ransom. Paying the Bitcoin ransom is, at best, a risky recovery solution, and users who can't restore their files from backups should request help from cyber-security experts with cryptography experience. Standard anti-malware programs may remove the THT Ransomware safely or quarantine it before it can lock your local files.

Romanian Hackers Getting into the File-Ransoming Business

Criminals either operating in Romania or using the implication as a false lead are launching attacks with a new file-locker Trojan. The THT Ransomware, whose overarching family, if any, has yet to be identified, locks media with encryption and creates Notepad ransom instructions. This payload has structural similarities with other Trojans of 2018, including the CryptConsole v3 Ransomware, the Patagonia92@tutanota.com Ransomware, and many versions of Hidden Tear.

Although the THT Ransomware claims that it uses AES-256 encryption, malware researchers have yet to corroborate this assertion, and file-locking Trojans frequently issue inaccurate statements on the security of their features. The file-encrypting routine is most likely to harm data associated with Microsoft Office software, as well as other office products, pictures, audio, and general storage (such as compressed archives or Windows' restore points). Symptoms visible to the user may be minimal or absent while the THT Ransomware runs this attack.

The text note that the THT Ransomware creates for its victims gives its instructions in grammatically incorrect English, suggesting that the threat actors aren't native speakers of the language. The only personally-identifiable information it offers is a free e-mail address, given as part of the ransoming process for buying a decryption service, which references Timișoara, Romania's third most populated city. The note also includes another unsubstantiated boast about the experience of its team of threat actors, who supposedly are responsible for hundreds of separate attacks targeting the business sector. Again, malware analysts can't confirm the claim and have yet to uncover any evidence of the THT Ransomware in circulation before late June.

Slowing Down the Start-Up of File Ransom Collection

The THT Ransomware is, almost certainly, both younger than it claims and more derivative of amateur or open-source software, such as EDA2 and Hidden Tear, than its ransom notes imply. However, for any victims, none of its other characteristics outweigh the unusual nature of its ransom price: ten Bitcoins, which converts to over sixty thousand USD at current rates. Even in corporation-targeting campaigns, file-locking Trojans rarely ask for more than a single Bitcoin, and this cost further emphasizes the questionable value of trusting a criminal's word on a ransom transaction.

Many file-locker Trojans compromise new PCs after misleading victims into opening unsafe e-mail attachments or links, which could disguise their payloads as invoices, delivery updates or messages from coworkers. Users should be especially cautious about enabling macros or opening unusual Word or PDF documents, both of which have high rates of exploitation in drive-by-download attacks. Anti-malware protection should be able to delete the THT Ransomware securely at any stage of an infection attempt, but unlocking your files with a decryptor may or may not be a possibility.

The THT Ransomware makes many assertions but expects users to take all of these claims on blind faith. Readers with even a superficial familiarity with how file-locker Trojans operate should be aware that doing so is both self-destructive and, in this case, unnecessarily expensive.
