ViiperWaRe Ransomware

Posted: October 18, 2017

Threat Metric

Threat Level: 10/10
Infected PCs: 9
First Seen: October 18, 2017
Last Seen: January 8, 2020
OS(es) Affected: Windows

The ViiperWare Ransomware is a file-locking Trojan that can block media, such as documents, with a Hidden Tear-based encryption feature. The symptoms of such attacks may be minimal or nonexistent until the damage occurs, after which the Trojan forces the victim into paying ransoms for the threat actor's decryption code. As with any Hidden Tear variation, malware analysts advise having standard anti-malware protection for isolating and removing the ViiperWare Ransomware, and backups for safeguarding your files.

The Fanged Face of Incoming Computer Problems

Threat actors with neither the time nor the talent to create dedicated RaaS campaigns often prefer to develop minor variations of old Trojans from freely available resources, such as the global phenomenon that is Hidden Tear. The distribution exploits and strategies enabling these threats can be as variable as the hands that operate them, as with the Italian-based The Magic Ransomware or the relatively generic ViiperWare Ransomware. The second of these two Trojans provides few details about its future campaign, and malware experts currently classify it as incomplete, although it needs little updating to become a data security hazard.

After its installation, the ViiperWare Ransomware searches for files according to both their formats and locations. The threat actor currently has the Trojan configured to damage only content in a 'test' folder on the desktop. The ViiperWare Ransomware appends the '.viiper' extension to this media, in addition to encoding it with what malware experts estimate is a derivative of an AES-based encryption. This attack blocks the target content from opening until the user decrypts it, which requires the custom code or key.

This first attack gives the victim no identifiable symptoms that might provoke attempts to terminate the ViiperWare Ransomware's process. However, the ViiperWare Ransomware's threat actor does generate a pop-up message after the fact, using an HTML Application (HTA) file to deliver the ransoming demands for the file-unlocking code. The snake-themed window gives a generic set of ransoming instructions asking for the equivalent of twenty Euros (or roughly twenty-three USD), with embedded features for assisting with this payment.

Defanging a Common Predator of Files

Like many incomplete Trojans, the ViiperWare Ransomware's main limitation is the text field that sets which locations it scans and encodes. Its author could readily change this value and release a version of the ViiperWare Ransomware that could damage files anywhere on the victim's PC, including the operating system's directory or the directories of other, essential programs. However, malware researchers usually find these attacks targeting work-related media that would be most suitable for ransoming, such as documents, spreadsheets, slideshows, pictures, audio, and databases.

Depending on whether or not the ViiperWare Ransomware's author makes any further alterations to the Trojan's file-locking feature, any users with locked media may be able to decode and restore their files with help from appropriate, free decryption software. If freeware solutions prove incompatible, then only a backup dating to before the attack can help retrieve the data without paying. Whatever other steps the victim takes, malware analysts recommend removing the ViiperWare Ransomware with a professional anti-malware product that is already well-versed in detecting Hidden Tear's many variants.
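For scoping the damage before a restore, the following triage script is an added example, not code from this article or from any anti-malware product. It walks a folder for the '.viiper' extension and HTA files described above and reports the earliest locked-file timestamp as an estimate of when the attack began, so a backup older than that point can be chosen. The sample tree, its file names, and its timestamps are constructed for the dry run.

```python
import os
import tempfile
from datetime import datetime, timezone

LOCKED_EXT = ".viiper"  # extension the article says is appended to locked files
NOTE_EXT = ".hta"       # the article says the ransom note is delivered as an HTA

def triage(root):
    """Walk root and summarise signs of the file-locking described above."""
    locked, notes = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            lower = name.lower()
            if lower.endswith(LOCKED_EXT):
                locked.append((os.path.getmtime(path), path))
            elif lower.endswith(NOTE_EXT):
                notes.append(path)  # a lead to review; HTA files can be benign
    locked.sort()  # oldest locked file first
    first = locked[0][0] if locked else None
    return {
        "locked_files": [p for _, p in locked],
        "affected_dirs": sorted({os.path.dirname(p) for _, p in locked}),
        "hta_files": sorted(notes),
        # Estimate only: mtime of the oldest locked file. Restore from a
        # backup taken before this moment.
        "first_locked_utc": (datetime.fromtimestamp(first, timezone.utc)
                             if first is not None else None),
    }

def build_sample(root):
    """Create a constructed sample tree (harmless files) for a dry run."""
    test_dir = os.path.join(root, "Desktop", "test")
    os.makedirs(test_dir)
    stamps = {"report.docx.viiper": 1508320800, "budget.xlsx.viiper": 1508320860,
              "notes.txt": 1500000000, "README.hta": 1508320900}
    for name, ts in stamps.items():
        path = os.path.join(test_dir, name)
        with open(path, "wb") as fh:
            fh.write(b"constructed sample")
        os.utime(path, (ts, ts))  # pin the modification time
    return test_dir

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for key, value in triage(tmp).items():
            print(key, "=", value)
```

On a real system, pass the user profile or a mounted disk image to `triage()` instead of the sample tree, and run it from a clean environment so the timestamps are not altered further.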

Even the basest and most well-examined threats like Hidden Tear will continue spawning new versions until their victims provide reasons for the con artists to switch tactics. The ViiperWare Ransomware's ransoms are very far from being the most costly of those that malware experts are finding, but they demonstrate equally well that neglecting the security of your file storage comes with a regularly renewed expense.