Unikey Ransomware
Posted: July 5, 2017
Threat Metric
| Threat Level: | 10/10 |
|---|---|
| Infected PCs: | 40 |
| First Seen: | July 5, 2017 |
| OS(es) Affected: | Windows |
The Unikey Ransomware is a new version of the Hidden Tear-based EyLamo Ransomware. These Trojans lock the files on your PC by encrypting them, and their symptoms include creating text-based ransom messages, changing the background wallpaper, and modifying the extensions of your files' names. Although decrypting threats of this type is sometimes possible, restoring from backups is a safer guarantee for preserving any essential media, and anti-malware products can delete the Unikey Ransomware automatically.
Trojans Trading Names for Easy Money
Although the EyLamo Ransomware isn't particularly old, the black market for file-encrypting threats often moves at a high pace, and malware analysts already are seeing samples of a variant of it. The new version, the Unikey Ransomware, uses the same ransom messages as that older version of Hidden Tear, but also carries some minor changes to its payload. No information is available yet on whether or not the Trojan has received any updates to how it encodes the victim's files.
The Unikey Ransomware continues recycling most of the code of Hidden Tear: a Turkish project originally meant to demonstrate file-encrypting attacks without deploying them against any real targets. However, the Unikey Ransomware's AES-based encoding feature is entirely functional and can block content selected either by location (such as the Downloads folder) or by format (DOC, XLS, JPG and others). A new feature is the '.locked' extension that the Unikey Ransomware appends to the names of the files it encrypts.
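The renaming behaviour described above gives defenders a cheap symptom to look for during triage: files in user folders whose original extension is still visible in front of an appended '.locked' suffix. The following is an added example written for this page, not code from the page or from Enigma/SpyHunter, that counts such files per original format and per directory from a list of paths. The '.locked' suffix and the DOC/XLS/JPG formats come from the text; the alert threshold, the extension set and the sample paths are constructed assumptions.

```python
"""Added triage helper (not code from the page): looks for the Hidden Tear-style
symptom of '.locked' being appended to files while the original extension is
kept, e.g. 'report.doc.locked', and groups the hits by format and directory.
Threshold and sample listing below are constructed assumptions."""
from collections import Counter
from pathlib import PurePosixPath

# Suffix the page says the Unikey Ransomware appends to encrypted files.
LOCKED_SUFFIX = ".locked"
# Formats the page names as targeted; assumed to be the extension that
# survives in front of '.locked' (the extra variants are an assumption).
TARGET_FORMATS = {".doc", ".docx", ".xls", ".xlsx", ".jpg", ".jpeg"}


def original_extension(path: str):
    """Return the lower-cased extension that precedes '.locked', '' if the
    file ends in '.locked' with no inner extension, or None if the file is
    not renamed in the '<name>.<ext>.locked' pattern at all."""
    p = PurePosixPath(path)
    if p.suffix.lower() != LOCKED_SUFFIX:
        return None
    return PurePosixPath(p.stem).suffix.lower()


def locked_by_format(paths):
    """Count '.locked' files per original extension."""
    counter = Counter()
    for path in paths:
        ext = original_extension(path)
        if ext is not None:
            counter[ext] += 1
    return counter


def locked_by_directory(paths):
    """Count '.locked' files per parent directory, which shows whether the
    encryptor worked by location (e.g. a Downloads folder) as the text says."""
    counter = Counter()
    for path in paths:
        if original_extension(path) is not None:
            counter[str(PurePosixPath(path).parent)] += 1
    return counter


def suspect_encryption(paths, min_locked=5):
    """Flag a host when at least `min_locked` renamed files exist and at least
    one of them had a targeted document format. The threshold is an assumed
    value chosen so a single user file named 'something.locked' does not
    raise an alert on its own."""
    by_ext = locked_by_format(paths)
    total = sum(by_ext.values())
    return total >= min_locked and any(ext in TARGET_FORMATS for ext in by_ext)


# Constructed sample directory listing (not data from a real infection).
SAMPLE_PATHS = [
    "/home/user/Downloads/invoice.doc.locked",
    "/home/user/Downloads/budget.xls.locked",
    "/home/user/Downloads/photo.jpg.locked",
    "/home/user/Downloads/photo2.jpg.locked",
    "/home/user/Documents/notes.txt.locked",
    "/home/user/Documents/README.txt",
    "/home/user/Downloads/setup.exe",
]

if __name__ == "__main__":
    print(dict(locked_by_format(SAMPLE_PATHS)))
    print(dict(locked_by_directory(SAMPLE_PATHS)))
    print("suspect:", suspect_encryption(SAMPLE_PATHS))
```

In practice the path list would come from a directory walk or an endpoint inventory; keeping the logic separate from the filesystem makes it easy to run against a saved listing from an affected machine without touching the encrypted files themselves.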
The Trojan's threat actor hasn't made any meaningful changes to the text message the Unikey Ransomware and the EyLamo Ransomware both use for communicating their ransoms. It still uses a Bitcoin-based payment method, which keeps the victims from getting their money back if they pay but don't receive any decoding help.
Keeping Tears from Falling over Hidden Tear Spin-Offs
Any users without better options for restoring their files can copy their locked media and test the compatibility of current Hidden Tear decryption applications, which various security organizations make available without charge. However, until malware experts can confirm the compatibility of such software, backups may remain the only means of truly restoring any data that this threat locks. Making payments to threat actors for acquiring either decryption codes or software is often subject to backfiring, particularly when the currency of choice, like Bitcoin, prevents refunds without the recipient's consent.
It's uncertain why the author felt the need to rebrand his old threat as the Unikey Ransomware, but the Trojan is complete and theoretically ready for release against any victims, including both business servers and casual PC users. Exploit kits (EKs) like the RIG Exploit Kit and e-mail-based fake delivery and update messages are two of the traditional ways that Trojans with these payloads can compromise your computer. At current rates of detection, at least half of most brands of anti-malware products on the market can remove the Unikey Ransomware before its encryption starts.
While malware researchers find new versions of Hidden Tear routinely, it's rarer for a spin-off to gain another variant within such a short time. Hopefully, PC users will match the Unikey Ransomware's author in scheduling by remembering to patch their software and back up anything important to them.