
Wooly Ransomware

Posted: August 29, 2017

Threat Metric

Ranking: 9,038
Threat Level: 10/10
Infected PCs: 1,590
First Seen: August 29, 2017
Last Seen: October 15, 2023
OS(es) Affected: Windows

The Wooly Ransomware is a Trojan that encrypts your files using AES to stop other programs from opening them. Its attacks may be intended to solicit ransom payments for a decryption service that its threat actor provides, although malware experts determine that the current builds are for testing purposes. Use backups to keep this Trojan from damaging your files irrevocably, and have an anti-malware program remove the Wooly Ransomware as soon as a detection occurs.

A Real Bear of a File Problem

As threat actors test how their Trojans fare against the detection solutions currently in use by different AV vendors, they also expose their new products to outside analysis. Through these means, malware experts acquire periodic samples of Trojans that are unfinished but retain enough functionality to damage an infected PC. Such is the case with the Wooly Ransomware, a Trojan that displays full AES-based encryption features but lacks any ransoming instructions and still uses traditional, CMD-based debugging output.

The Wooly Ransomware searches for media of different formats, such as JPG, BMP, DOC, or XLS, and encrypts them with an AES algorithm. It also generates two RSA-protected keys (hard-coded numbers with 'woolybear' strings included) to keep the encryption from being easy to decode, and it appends a '.wooly' extension to the name of every file that it locks. While running through these attacks, the Wooly Ransomware opens the Windows Command Prompt and uses it to output debug messages for each file automatically. It doesn't try to hide the attack's purpose, and victims may be able to terminate the Wooly Ransomware before it finishes encoding everything included in its scan.
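The behaviour described above (targeted formats, a '.wooly' suffix appended to the original name, AES output) is enough for a simple file-monitor triage rule. The script below is an added example written for this page, not code from the Trojan or from the vendor; the sample events and the entropy threshold are constructed assumptions, and the extension list is only the four formats the write-up names.

```python
import math
import os
from collections import Counter

# Traits taken from the write-up: formats it names, the appended suffix, AES ciphertext.
TARGETED_EXTENSIONS = {".jpg", ".bmp", ".doc", ".xls"}  # page lists these; the real set is likely larger
WOOLY_SUFFIX = ".wooly"

def shannon_entropy(data: bytes) -> float:
    """Bits per byte. AES ciphertext sits near 8.0; documents and images with headers sit lower."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())

def looks_encrypted(data: bytes, threshold: float = 7.0) -> bool:
    """Crude ciphertext test; compressed media can also score high, so pair it with the rename check."""
    return shannon_entropy(data) >= threshold

def is_wooly_rename(old_path: str, new_path: str) -> bool:
    """The Trojan appends '.wooly' to the original name rather than replacing the extension."""
    return new_path == old_path + WOOLY_SUFFIX

def triage(events, min_hits: int = 3):
    """events: (old_path, new_path, new_content) tuples as a file monitor would record them.
    A hit is a '.wooly' rename whose new content looks encrypted; several hits in one batch
    is the mass-encryption pattern. Returns (alert, hit_paths, hits_on_known_formats)."""
    hits, targeted = [], 0
    for old_path, new_path, content in events:
        if is_wooly_rename(old_path, new_path) and looks_encrypted(content):
            hits.append(new_path)
            if os.path.splitext(old_path)[1].lower() in TARGETED_EXTENSIONS:
                targeted += 1
    return len(hits) >= min_hits, hits, targeted

# Constructed sample events (not real telemetry). CIPHERTEXT is a uniform byte pattern standing
# in for AES output; PLAINTEXT is ordinary document content.
CIPHERTEXT = bytes(range(256)) * 4
PLAINTEXT = b"Quarterly report: revenue up 4% year over year.\n" * 8
SAMPLE_EVENTS = [
    ("C:/Users/alice/Pictures/cat.jpg", "C:/Users/alice/Pictures/cat.jpg.wooly", CIPHERTEXT),
    ("C:/Users/alice/Pictures/scan.bmp", "C:/Users/alice/Pictures/scan.bmp.wooly", CIPHERTEXT),
    ("C:/Users/alice/Documents/budget.xls", "C:/Users/alice/Documents/budget.xls.wooly", CIPHERTEXT),
    ("C:/Users/alice/Documents/notes.doc", "C:/Users/alice/Documents/notes.doc.wooly", PLAINTEXT),  # renamed, not yet encrypted
    ("C:/Users/alice/Documents/draft.doc", "C:/Users/alice/Documents/draft_final.doc", PLAINTEXT),  # benign rename
    ("C:/Users/alice/Pictures/logo.png", "C:/Users/alice/Pictures/logo.png.wooly", CIPHERTEXT),  # format not in the page's list
]

if __name__ == "__main__":
    alert, hits, targeted = triage(SAMPLE_EVENTS)
    print("alert:", alert, "hits:", len(hits), "on known formats:", targeted)
```

Because the Trojan renames before or while it encrypts, a rename-only event (the notes.doc case) is deliberately not counted; the entropy check keeps a stray rename from triggering an alert on its own.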

Malware experts also confirm that the Wooly Ransomware has some limited Trojan downloader functionality that lets it install the Tor Web browser. This Web-browsing program is often meant to assist with ransom-paying transactions by giving the victim access to an anonymity-protected C&C site. However, the Wooly Ransomware doesn't include any messages on how to pay, or even its threat actor's email address.

Getting beyond a Trojan's Fluff

Thanks to Windows retaining its place as the most-preferred operating system overall, threat actors still design Trojans with high compatibility with that OS in mind. As a .NET Framework Trojan, the Wooly Ransomware can run on almost any version of Windows and cause permanent damage to files, such as text documents. Victims may always contact third-party security researchers for decryption assistance, but decrypting a Trojan's cipher is sometimes impractical. Malware experts recommend personally using backups to preserve any files that are invaluable and keeping those backups detached from all potentially compromised computers.

In-progress Trojans like the Wooly Ransomware may eventually deploy through multiple strategies. Spam emails and RDP-based hacking by remote attackers are two examples of infection vectors for high-value targets, such as private businesses, but individuals also can compromise their PCs through such methods as downloading mislabeled freeware or visiting piracy websites. Anti-malware products can block or remove the Wooly Ransomware, and good security practices (such as not using overly simple passwords) can eliminate the other vulnerabilities that threat actors abuse.

The Wooly Ransomware is showing the classic signs of a Trojan being 'geared up' for an intentional campaign of extortion based on taking files hostage. Windows users shouldn't make the process any easier than it needs to be, and should protect their data by all appropriate means.
