Home Malware Programs Ransomware WinRarer Ransomware

WinRarer Ransomware

Posted: November 4, 2016

Threat Metric

Threat Level: 8/10
Infected PCs: 54
First Seen: November 4, 2016
Last Seen: October 31, 2021
OS(es) Affected: Windows

The WinRarer Ransomware is a Trojan that moves your files into a password-protected archive and asks for ransom money for the password. Although this payload is less technically sophisticated than those of most file-encrypting threats, the WinRarer Ransomware does block the affected files efficiently and, for users without backups, may be able to prevent a complete recovery from the loss of data. Along with using the backup strategies malware experts always recommend, you also can protect your PC by blocking the WinRarer Ransomware through an anti-malware utility.

Compressing Your Files into Someone's Bottom Line

The past few years have provided testing grounds for a variety of different, often creative methods of holding strangers up for ransom via their computers. Current trends in threat focus on exploiting asymmetric, file-encrypting algorithms that modify the contents of the victim's saved data directly. However, a minority of con artists, like those manning the WinRarer Ransomware campaign, prefer exploiting standard data-compression services. The result is equally effective at blocking content and, therefore, enabling PC hostage scenarios.

Initially, the WinRarer Ransomware scans for files in the root directories of all drives, excluding content flagged as part of the operating system. Similarly to the CryptoHost Ransomware, it also creates an archive (in the case of the WinRarer Ransomware, 'YourFilesHere-0penWithWinrar.ace') to store your files. You can find the folder within the new 'YOUR-locked-FILES' folder. Although the process doesn't damage your content, the Trojan protects its archive with a password known only to its threat actor.

Malware experts' further analysis of the Trojan also confirmed the presence of extortion messages asking for payment in exchange for the above password. The WinRarer Ransomware delivers these messages by hijacking your desktop's wallpaper as well as by dropping an HTML file on the desktop.

Acing a Trojan's ACE Compression Attack

The WinRarer Ransomware may not use the most sophisticated means of blocking your files, but PC owners without available backups may be just as incapable of recovering the content as if the Trojan had encrypted it. While malware experts still advise using redundant storage as the easiest means of keeping any valuable data safe, the WinRarer Ransomware does target some kinds of backup information to block default recovery options. Assuming no glitches with the Trojan's payload, the System Restore feature and the contents of the Windows Shadow Volume Copy are unavailable to its victims.

Recovery options not assailable by the WinRarer Ransomware include backups kept in a password-protected cloud service or a detachable storage device out of contact with the infected PC. Removing the WinRarer Ransomware through standard anti-malware tools and then recovering from one of those two options offers the most efficient way of getting all information back without paying the ransom the WinRarer Ransomware demands.

Other than targeting English-speaking PC owners, the WinRarer Ransomware's campaign provides limited clues into its distribution patterns. Any PC user who doesn't wish to play guessing games with a mystery password locking their files should stay mindful of the infection strategies in recurring use, ranging from e-mail links to brute-forcing RDP systems.

Loading...