
WinUpdatesDisabler Ransomware

Posted: June 16, 2017

Threat Metric

Ranking: 2,627
Threat Level: 8/10
Infected PCs: 14,413
First Seen: June 16, 2017
Last Seen: October 16, 2023
OS(es) Affected: Windows

The WinUpdatesDisabler Ransomware is a Trojan that locks the files on your PC by encrypting them. Despite its name, the WinUpdatesDisabler Ransomware uses attacks copied from the Hidden Tear family, although it also may disable some Windows features. Keeping additional copies of your files in a location that isn't at risk of attack and having anti-malware protection are the two most effective defenses against this Trojan, and most anti-malware programs should delete the WinUpdatesDisabler Ransomware before it installs.

Trojans Enabling Cash Flow by Disabling Everything They Can

Hidden Tear is a Trojan family long recognized for its capacity to disable specialized Windows tools, including the Command Prompt, Task Manager and Registry Editor. Not coincidentally, all of these programs also are useful for isolating security issues caused by threatening software, including file-encrypting projects like HT. While most threat actors don't innovate significantly after misappropriating Hidden Tear's code, malware analysts are witnessing the design of an Eastern European variant, the WinUpdatesDisabler Ransomware, that could change that.

Current samples of the WinUpdatesDisabler Ransomware show no evidence of features meant to disable the Windows Update feature specifically, which is one of the clues pointing towards the Trojan's incomplete status. However, malware experts can verify that the WinUpdatesDisabler Ransomware continues using an encryption-based attack borrowed from the same methodology as other versions of Hidden Tear. The attack encrypts and locks the contents of several standard user folders on Windows systems: Documents, Music, My Pictures and My Videos. The Trojan also attacks the entire D: drive, if one is present.

When the encryption routine completes, the WinUpdatesDisabler Ransomware places a text message on the user's desktop. The Serbo-Croatian message currently provides little information beyond a generic request for money to unlock your files.

Don't be a Trojan Enabler

Whether the WinUpdatesDisabler Ransomware's name is meant to fool its victims into thinking that the Trojan is even worse than it is, or the threat actor intends to widen the scope of its software-disabling feature, is unclear. Trojans that interfere with essential security processes, particularly ones like the WinUpdatesDisabler Ransomware that launch automatically, always should be disabled before you attempt removal. Booting into Safe Mode or, in extreme situations, booting from a secondary drive can keep this threat from starting so that you can proceed with disinfection.
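The following PowerShell script is an added example for this article, not code from the Trojan or from any analysis of it. It audits the two things the text describes: Hidden Tear-style restrictions on the Command Prompt, Task Manager and Registry Editor, and the auto-start entries a Trojan that "launches automatically" normally relies on. The article does not state which mechanism the WinUpdatesDisabler Ransomware uses to disable those tools; the script assumes the standard Windows policy values (DisableCMD, DisableTaskMgr, DisableRegistryTools) that Windows itself honours for these restrictions, which is what a practitioner would check first. Run it from an elevated prompt, ideally in Safe Mode, with -Revert to remove any restriction values it finds.

```powershell
# Added example (not part of the original article or the Trojan's own code).
# Assumption: the sample disables tools by setting the standard Windows policy
# values below; the article does not name the exact mechanism this variant uses.
param(
    [switch]$Revert   # remove restriction values instead of only reporting them
)

# Policy values Windows honours for disabling each tool. Checked under both
# HKCU (per-user) and HKLM (machine-wide), since either location is effective.
$restrictions = @(
    @{ Path = 'Software\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'DisableTaskMgr';       Tool = 'Task Manager' },
    @{ Path = 'Software\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'DisableRegistryTools'; Tool = 'Registry Editor' },
    @{ Path = 'Software\Policies\Microsoft\Windows\System';                Name = 'DisableCMD';           Tool = 'Command Prompt' }
)

$findings = @()
foreach ($hive in 'HKCU:', 'HKLM:') {
    foreach ($r in $restrictions) {
        $key = "$hive\$($r.Path)"
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        $value = if ($props) { $props.($r.Name) } else { $null }
        # A non-zero value means the restriction is active.
        if ($null -ne $value -and $value -ne 0) {
            $findings += [pscustomobject]@{ Key = $key; Name = $r.Name; Value = $value; Tool = $r.Tool }
            if ($Revert) {
                Remove-ItemProperty -Path $key -Name $r.Name -ErrorAction Stop
                Write-Host "Removed $($r.Name) from $key ($($r.Tool) re-enabled)"
            }
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Host 'No tool-disabling policy values found.'
} else {
    Write-Host 'Tool-disabling policy values present:'
    $findings | Format-Table -AutoSize
}

# Auto-start entries: review anything that points at a user-writable location
# such as %APPDATA% or %TEMP%, which is where a dropped Trojan usually lives.
Write-Host "`nRun / RunOnce entries:"
foreach ($hive in 'HKCU:', 'HKLM:') {
    foreach ($sub in 'Run', 'RunOnce') {
        $key = "$hive\Software\Microsoft\Windows\CurrentVersion\$sub"
        if (Test-Path $key) {
            Get-ItemProperty -Path $key |
                Select-Object -Property * -ExcludeProperty PS* |
                ForEach-Object { $_.PSObject.Properties } |
                ForEach-Object { [pscustomobject]@{ Key = $key; Name = $_.Name; Command = $_.Value } }
        }
    }
}

# The per-user and all-users Startup folders are the other common auto-start path.
Write-Host "`nStartup folder contents:"
Get-ChildItem -Path ([Environment]::GetFolderPath('Startup')),
                   ([Environment]::GetFolderPath('CommonStartup')) -ErrorAction SilentlyContinue |
    Select-Object FullName, LastWriteTime
```

Removing the policy values only restores the tools; it does not remove the Trojan. Treat the Run entries and Startup items the script lists as leads, and take the executable they point to out of the auto-start path before rebooting normally.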

Avoiding long-term loss of files from a WinUpdatesDisabler Ransomware infection may be possible with custom decryption programs for Hidden Tear. However, ongoing work on new variants of old Trojans frequently interferes with decryption, and malware researchers find no recovery solution simpler than a backup that Trojans can't damage. Preferably, your anti-malware products will catch and remove the WinUpdatesDisabler Ransomware when it tries to attack your PC through such methods as a compromised e-mail attachment.

The WinUpdatesDisabler Ransomware's name might be an unfortunate omen of new attacks to come from the Hidden Tear family, or it may be one of the many bluffs that threat actors include in their data-ransoming attacks. Whether it's an example of psychological manipulation or ambitious updates, there's no excuse to let your files be at risk.
