
WinWord64 Ransomware

Posted: August 21, 2020

The WinWord64 Ransomware is an independent, file-locking Trojan that blocks media files by encrypting them, and holds them for a ransom. Other symptoms include extension changes in files' names and multiple pop-up alerts that relay the Trojan's Bitcoin-based ransom demands. Users with secure backups have adequate protection from any data loss, and high-quality anti-malware software should remove the WinWord64 Ransomware in a majority of cases.

A Trojan Has a Word Too Many with Someone's Files

The lack of a connection with a Ransomware-as-a-Service doesn't make a file-locking Trojan any cheaper for those who experience its attacks, and the WinWord64 Ransomware easily keeps pace with the financial expectations of any RaaS. This recently analyzed threat is an independent Trojan for Windows environments. Its attacks are potent but straightforward: it encrypts files and demands a ransom of no less than five hundred USD in Bitcoin.

The WinWord64 Ransomware's name suggests a disguise as an installer or update for the 64-bit version of Microsoft Word. However, its executable doesn't include a legitimate version of that program, in a bundle or otherwise. Once it launches, the WinWord64 Ransomware makes Registry changes for persistence, contacts a remote server (most likely one hacked by the threat actor) with an HTTP POST request, and starts its encryption routine. The encryption attack searches for files of formats such as PNGs, JPGs, GIFs, DOCs, TXTs, PDFs, and similar media and locks them.

The WinWord64 Ransomware uses a generic 'encrypted' extension on these files, but its ransom note is slightly different from the typical example. The threat generates two pop-ups, one with a Matrix-themed taunt and the other with its ransom request for Bitcoin. Possibly unfortunately for the victim, and certainly for the attacker, the address is a nonexistent wallet and may be a placeholder or a typo.
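The generic 'encrypted' extension described above gives a responder a cheap way to gauge the scope of an attack before restoring from backups. The triage helper below is an added example, not the vendor's tooling; it assumes the Trojan appends `.encrypted` to the original file name (`report.docx` becomes `report.docx.encrypted`), a naming detail the write-up does not state, and it groups the locked files by the formats the write-up lists as targets.

```python
"""Triage helper (added example, not the vendor's tooling): enumerate files
carrying the generic '.encrypted' marker and group them by original format,
so a responder can gauge the scope of an attack before restoring backups.
Assumption: the Trojan appends '.encrypted' to the original file name
(report.docx -> report.docx.encrypted); the page does not state this."""
import os
import tempfile
from collections import Counter
from pathlib import Path

# Formats the write-up lists as targets; anything else is reported as 'other'.
TARGET_FORMATS = {".png", ".jpg", ".jpeg", ".gif", ".doc", ".docx", ".txt", ".pdf"}
LOCKED_SUFFIX = ".encrypted"


def find_locked_files(root):
    """Return sorted paths under root whose name ends in the '.encrypted' marker."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(LOCKED_SUFFIX):
                hits.append(Path(dirpath) / name)
    return sorted(hits)


def original_format(path):
    """Strip the marker and return the original extension, or 'other'."""
    stem = Path(path).name[: -len(LOCKED_SUFFIX)]
    ext = Path(stem).suffix.lower()
    return ext if ext in TARGET_FORMATS else "other"


def summarize(root):
    """Count locked files per original format, e.g. {'.docx': 2, '.png': 1}."""
    return dict(Counter(original_format(p) for p in find_locked_files(root)))


def build_sample_tree():
    """Constructed sample directory standing in for a hit workstation."""
    root = Path(tempfile.mkdtemp())
    for rel in ["docs/report.docx.encrypted", "docs/notes.txt.encrypted",
                "pics/cat.png.encrypted", "pics/dog.jpg",
                "build/app.exe", "misc/data.bin.encrypted"]:
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_bytes(b"\x00" * 16)  # content is irrelevant here
    return root


if __name__ == "__main__":
    sample = build_sample_tree()
    for hit in find_locked_files(sample):
        print(hit.relative_to(sample))
    print(summarize(sample))  # {'.docx': 1, '.txt': 1, '.png': 1, 'other': 1}
```

Untouched program files (`app.exe` in the sample) are reported nowhere, which matches the write-up's note that the Trojan is unlikely to harm program installations.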

Readers should note that, despite the theme in its warnings, malware researchers can see no overt connections between the WinWord64 Ransomware and the well-known AES-Matrix Ransomware family.

Cutting Trojan Words Short for Safety's Sake

Given the name it adopts, malware experts recommend that users watch for infection methods that may distribute the WinWord64 Ransomware through Word-related cracks, updates or fake installers. Torrent networks and illicit 'warez' sites are often footholds of file-locking Trojans, particularly families like the STOP Ransomware. Even in the best of cases, the use of illicit software comes with inherent security risks besides those from law enforcement.

Concerning the recovery of files, malware researchers can find no currently evident weaknesses in the WinWord64 Ransomware's encryption algorithms. Despite this obstacle, users may have unaffected Restore Points, and they should always keep non-local backups as the definitively reliable restoration option. Media formats such as documents are highly at risk but not necessarily the sole targets, even though the WinWord64 Ransomware is unlikely to harm program installations or the operating system.

Updates to anti-malware products' databases will improve detection chances for new threats like the WinWord64 Ransomware.

With a name that suggests brand appeal through mainstream software, the WinWord64 Ransomware might be a well-thought-out tactic or just a vanity project. Either way, it's another reason not to install every program that asks for it, regardless of its name.
