
Wana Decrypt0r Trojan-Syria Editi0n Ransomware

Posted: June 19, 2017

Threat Metric

Threat Level: 10/10
Infected PCs: 18
First Seen: June 19, 2017
Last Seen: September 12, 2020
OS(es) Affected: Windows


The Trojan-Syria Editi0n Ransomware is a Trojan that uses Hidden Tear-based encryption to try to hold the files on your PC hostage in return for ransom money. Although its accompanying symptoms present this Trojan as a new version of the WannaCryptor Ransomware, these cues are misleading and, like the ransom demands, should be ignored. Recover your files from backups if you can do so, and use anti-malware products to remove the Trojan-Syria Editi0n Ransomware or prevent it from encrypting your media.

Syria Gets Sucked into the Whirlpool of Cryptocurrency Extortion

Although the WannaCryptor Ransomware and its numerous updates are, possibly, at the height of their success, threat actors from other campaigns are just as happy to take the name and run with the profits. The Trojan-Syria Editi0n Ransomware is one of the newfound Trojans that malware experts confirm as using visual cues that misrepresent its true lineage, which ties back most closely to the Hidden Tear family. Although it's an incomplete project, relatively minor updates could let the Trojan carry out file-encrypting attacks that block your media until you agree to pay (and even afterward).

The Trojan-Syria Editi0n Ransomware does include most of Hidden Tear's AES-based function for enciphering text documents, spreadsheets, pictures, and other content, particularly formats related to Microsoft Office programs. While malware experts don't see the encryption attack in a working state, the Trojan-Syria Editi0n Ransomware does insert '.wannacry' extensions into the names of the files it would, theoretically, encrypt.

More distinctive are the Trojan-Syria Editi0n Ransomware's other features, which include a 'hacked' image for hijacking the user's wallpaper and an HTA pop-up. The HTML Application (HTA) window is a blatant imitation of the WannaCryptor Ransomware and the Jigsaw Ransomware, and also includes threats that not paying will cause the Trojan to delete your files and even destroy the rest of the PC.

Keeping Clones of Old Trojans out of the Middle East

The implied lies in the Trojan-Syria Editi0n Ransomware's pop-up can shore up the weaknesses in this Trojan's campaign in more than one way. While many versions of Hidden Tear are widely known to be vulnerable to free decryption programs, the Wcry or WannaCryptor Ransomware family is less so, which could keep a victim from trying to recover anything without paying. On the other hand, using an incompatible decryptor can damage your files further and make them truly unrecoverable. Always test any decryption solution on copies of your encrypted files, or use backups to avoid needing such software.
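The copy-before-testing advice above, as an added example that is not part of the original page: it stages copies of files carrying the '.wannacry' extension in a separate working folder and records SHA-256 hashes so you can confirm the originals were left untouched after a decryptor test. The folder names, the sample files, and the assumption that '.wannacry' is the final suffix of the file name are illustrative.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

MARKER = ".wannacry"  # extension named on this page; assumed to be the final suffix


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large files are not loaded into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def stage_copies(source_root: Path, work_root: Path) -> dict:
    """Copy marked files into work_root; return {relative path: SHA-256 of original}."""
    manifest = {}
    for original in sorted(source_root.rglob("*")):
        if not original.is_file() or original.suffix.lower() != MARKER:
            continue
        relative = original.relative_to(source_root)
        target = work_root / relative
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(original, target)  # originals are only ever read
        manifest[relative.as_posix()] = sha256_of(original)
        if sha256_of(target) != manifest[relative.as_posix()]:
            raise OSError(f"copy of {relative} does not match the original")
    return manifest


def changed_originals(source_root: Path, manifest: dict) -> list:
    """After a decryptor test on the copies, list originals that changed or vanished."""
    return [rel for rel, digest in manifest.items()
            if not (source_root / rel).is_file()
            or sha256_of(source_root / rel) != digest]


def demo() -> tuple:
    """Constructed sample tree: two marked files and one unmarked file."""
    with tempfile.TemporaryDirectory() as tmp:
        source, work = Path(tmp, "Documents"), Path(tmp, "decrypt-test")
        (source / "reports").mkdir(parents=True)
        (source / "budget.xlsx.wannacry").write_bytes(b"constructed sample A")
        (source / "reports" / "q2.docx.WANNACRY").write_bytes(b"constructed sample B")
        (source / "notes.txt").write_bytes(b"not marked")
        manifest = stage_copies(source, work)
        return sorted(manifest), changed_originals(source, manifest)
```

Keep the working folder outside the scanned tree, ideally on a separate drive, and point any decryption tool only at the copies.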

The Trojan-Syria Editi0n Ransomware's campaign is in its beginning stages and has yet to reach live distribution. If it does get that far, the infection methods malware analysts see more often than not include spam e-mails, brute-force attacks against business networks, and exploit kits launching through compromised Web content. Both strict security protocols and anti-malware products are valuable for closing off these vulnerabilities or deleting the Trojan-Syria Editi0n Ransomware without letting it lock anything.

The Trojan-Syria Editi0n Ransomware uses a time-tested tactic of pretending to be an even worse threat than an analysis of its code indicates. However, even the least of file-encrypting Trojans can damage data that's precious to its owner, and offer countless reasons why you should keep backing up your work.
