WinSec Ransomware

Posted: April 13, 2017

Threat Metric

The Threat Meter is a malware assessment that SpywareRemove.com's research team is able to give every identifiable malware threat. Our Threat Meter includes several criteria based off of specific malware threats to value their severity, reach and volume. The Threat Meter is able to give you a numerical breakdown of each threat's initial Threat Level, Detection Count, Volume Count, Trend Path and Percentage Impact. The overall ranking of each threat in the Threat Meter is a basic breakdown of how all threats are ranked within our own extensive malware database. The scoring for each specific malware threat can be easily compared to other emerging threats to draw a contrast in its particular severity. The Threat Meter is a useful tool in the endeavor of seeking a solution to remove a threat or pursue additional analytical research for all types of computer users.

The following fields listed on the Threat Meter containing a specific value, are explained in detail below:

Threat Level: The threat level scale goes from 1 to 10 where 10 is the highest level of severity and 1 is the lowest level of severity. Each specific level is relative to the threat's consistent assessed behaviors collected from SpyHunter's risk assessment model.

Detection Count: The collective number of confirmed and suspected cases of a particular malware threat. The detection count is calculated from infected PCs retrieved from diagnostic and scan log reports generated by SpyHunter.

Volume Count: Similar to the detection count, the Volume Count is specifically based on the number of confirmed and suspected threats infecting systems on a daily basis. High volume counts usually represent a popular threat but may or may not have infected a large number of systems. High detection count threats could lay dormant and have a low volume count. Criteria for Volume Count is relative to a daily detection count.

Trend Path: The Trend Path, utilizing an up arrow, down arrow or equal symbol, represents the level of recent movement of a particular threat. Up arrows represent an increase, down arrows represent a decline and the equal symbol represent no change to a threat's recent movement.

% Impact (Last 7 Days): This demonstrates a 7-day period change in the frequency of a malware threat infecting PCs. The percentage impact correlates directly to the current Trend Path to determine a rise or decline in the percentage.

Threat Level:	10/10
Infected PCs:	42

First Seen:	April 13, 2017
Last Seen:	October 18, 2020
OS(es) Affected:	Windows

The WinSec Ransomware is a file-encrypting Trojan using a code based on the Hidden Tear family primarily. Its attacks can block your PC's files from opening and display interactive pop-ups that may ask for ransom money. PC users with anti-malware protection to block or delete the WinSec Ransomware by default can protect their files preemptively while having a remote backup can prevent any data-ransoming scenarios efficiently.

Another Tear Falls with Some Extra Sparkle

The threat actors who borrow other people's code to launch threat campaigns aren't usually known for putting more than the bare minimum of effort into their attacks. Periodically, however, some of them may make updates for the sake of enhancing either the appearance or functionality of the end product. The WinSec Ransomware is one such resultant piece of threatening software: a Hidden Tear-based Trojan that uses ransoming methods upgraded slightly from the expected standards of that family.

Not every function of the WinSec Ransomware shows large changes from past Hidden Tear Trojans like the Kampret Ransomware or the Barrax Ransomware. Just as they do, the WinSec Ransomware enumerates your local drives to find files to hold hostage by encrypting them, with examples of victimized data including DOC or PDF documents, XLS spreadsheets and JPG pictures. The WinSec Ransomware also retains the extension-appending feature and adds the popular '.locked' tag to the names of any media it encrypts.

Malware experts noted only significant alterations in the ransoming note that the WinSec Ransomware drops on the victim's desktop. Instead of being the usual Notepad text file, the WinSec Ransomware's message uses an interactive HTML interface with a built-in, three-step form for ransoming the decryption key from the Trojan's author. Portuguese is the WinSec Ransomware's only supported language, so far, making regions like Brazil at a very high risk of being targets.

Wiping Up an Extortionist's Teardrops

Although the ease of use inherent in a more sophisticated GUI than a plain text message could increase the WinSec Ransomware's ransom-receiving rates, paying isn't any more beneficial for the infected PC's user necessarily. The threat actor still may retain the decryption key without any risk of having the ransom money refunded. Additionally, the ransoming form also could double as a way of phishing the victim's e-mail address for other attacks.

Backups are the most reliable data restoration option against threats of this type, although malware analysts warn that the WinSec Ransomware's family often deletes default Windows backups. Copy your media to portable storage devices or external servers to eliminate the chance of the WinSec Ransomware removing the backup while it's encrypting the originals. Different anti-malware products also can detect and delete the WinSec Ransomware as a threat before any encryption can occur.

Little data yet is available on how the WinSec Ransomware's threat actors are spreading it to new PCs. Anyone using Portuguese in their daily Web-browsing activities may wish to be cautious around infection vectors like suspicious e-mail attachments and use backups to keep a new effort at ransoming unprotected data from rewarding con artists for their hard work.

WinSec Ransomware

Threat Metric

Another Tear Falls with Some Extra Sparkle

Wiping Up an Extortionist's Teardrops

Related Posts

Leave a Reply