WinWord64 Ransomware

Posted: August 21, 2020

WinWord64 Ransomware Description

The WinWord64 Ransomware is an independent, file-locking Trojan that blocks media files by encrypting them, and holds them for a ransom. Other symptoms include extension changes in files' names and multiple pop-up alerts that relay the Trojan's Bitcoin-based ransom demands. Users with secure backups have adequate protection from any data loss, and high-quality anti-malware software should remove the WinWord64 Ransomware in a majority of cases.

A Trojan Has a Word Too Many with Someone's Files

The lack of a connection with a Ransomware-as-a-Service doesn't make a file-locking Trojan any cheaper for those who experience its attacks, and the WinWord64 Ransomware easily keeps apace with the financial expectations of any RaaS. This recently-analyzed threat is an independent Trojan for Windows environments. Its attacks are potent but straightforward: encrypting files, and a ransom demand for no less than five hundred USD in Bitcoins.

The WinWord64 Ransomware's name is a possible disguise as an installer or update for the 64-bit version of Microsoft's Word. However, its executable doesn't include a legitimate version of that program, in a bundle or otherwise. Once it launches, the WinWord64 Ransomware sets Registry changes for its persistence, contacts a remote server (most likely, one hacked by the threat actor) in an HTTP POST request, and starts its encryption routine. The encryption attack searches for files of formats such as PNGs, JPGs, GIFs, DOCs, TXTs, PDFs, and similar media and locks them.

The WinWord64 Ransomware uses a generic 'encrypted' extension on these files, but its ransom note is slightly different from the typical example. The threat generates two pop-ups, one with a Matrix-themed taunt, and the other with its ransom request for Bitcoins. Possibly-unfortunately for the victim, and assuredly for the attacker, the address is a nonexistent wallet and might be a placeholder or a typo.

Readers should note that, despite the theme in its warnings, malware researchers can see no overt connections between the WinWord64 Ransomware and the well-known AES-Matrix Ransomware family.

Cutting Trojan Words Short for Safety's Sake

Due to the self-professed name, malware experts recommend that users watch for infection methods that may distribute the WinWord64 Ransomware through Word-related cracks, updates or fake installers. Torrent networks and illicit 'warez' sites are, often, footholds of file-locking Trojans, particularly families like the STOP Ransomware. Even in the best of cases, the use of illicit software comes with inherent security risks besides those from law enforcement.

Concerning the recovery of files, malware researchers can find no currently-evident weaknesses in the WinWord64 Ransomware's encryption algorithms. Despite this obstacle, users may have unaffected Restore Points and always should have non-local backups for the definitively-reliable restoration options. Media formats like documents are highly at risk but not the sole targets necessarily, even though the WinWord64 Ransomware is unlikely to harm program installations or the operating system.

Updates to anti-malware products' databases will improve detection chances for new threats like the WinWord64 Ransomware.

With a name that suggests brand appeal through mainstream software, the WinWord64 Ransomware might be a well-thought-out tactic or just a vanity project. Either way, it's another reason not to install every program that asks for it, regardless of their names.

Use SpyHunter to Detect and Remove PC Threats

If you are concerned that malware or PC threats similar to WinWord64 Ransomware may have infected your computer, we recommend you start an in-depth system scan with SpyHunter. SpyHunter is an advanced malware protection and remediation application that offers subscribers a comprehensive method for protecting PCs from malware, in addition to providing one-on-one technical support service.

Download SpyHunter's Malware Scanner

Note: SpyHunter's free version is only for malware detection. If SpyHunter detects malware on your PC, you will need to purchase SpyHunter's malware tool to remove the malware threats. Learn more on SpyHunter. If you would like to uninstall SpyHunter for any reason, please follow these uninstall instructions. To learn more about our policies and practices, visit our EULA, Privacy Policy and Threat Assessment Criteria.

Why can't I open any program including SpyHunter? You may have a malware file running in memory that kills any programs that you try to launch on your PC. Tip: Download SpyHunter from a clean computer, copy it to a USB thumb drive, DVD or CD, then install it on the infected PC and run SpyHunter's malware scanner.

Home Malware Programs Ransomware WinWord64 Ransomware

Leave a Reply

Please note that we are not able to assist with billing and support issues regarding SpyHunter or other products. If you're having issues with SpyHunter, please get in touch with SpyHunter customer support through your SpyHunter. If you have SpyHunter billing questions, we recommend you check the Billing FAQ. For general suggestions or feedback, contact us.