
YourRansom Ransomware

Posted: February 6, 2017

Threat Metric

Threat Level: 5/10
Infected PCs: 7
First Seen: February 6, 2017
Last Seen: October 21, 2022
OS(es) Affected: Windows

The YourRansom Ransomware is a Go-based Trojan that can encrypt your files, change their extensions and drop text messages that, in theory, explain how to recover your data. Many decryption services promoted by remote attackers aren't necessarily reliable, and keeping backups can spare you from taking risks with a file-decoding solution. Any PC with adequate anti-malware protection also should have few issues deleting the YourRansom Ransomware when it tries to install itself.

Freeware Trojans for Costly Data Attacks

Just as wellsprings are responsible for rivers, open-source code is one of the recurring fonts of new software, including Trojans. One problematic campaign is traceable back to a Chinese project its author offers for perusal on GitHub. Within a month, another threat actor has taken advantage of the example program to create the YourRansom Ransomware, an English-targeting Trojan whose file-locking attacks may be irreversible.

Many of the file-encoding Trojan variants that malware experts identify are low-effort clones that change an extension or a ransom address without touching the internal code to any real degree. The YourRansom Ransomware is not such a copycat, however: its author appears to have made significant changes, resulting in behavioral differences that hurt the victim's ability to access a decryptor. Overall, its features include:

  • Although the YourRansom Ransomware ignores files in 'sensitive' locations, such as the Windows folder, it scans most other directories for formats such as DOC, MPG, TXT or ZIP. It encrypts these files automatically. Unlike the various file-encrypting Trojans deploying against such targets as mid-sized businesses, the YourRansom Ransomware also displays a visible window while the encryption function runs, which could help you identify and terminate it before it finishes.
  • The Trojan places a '.youransom' extension at the end of each filename affected by the previous attack without removing any first extension (for example: 'picture.gif.youransom').
  • The YourRansom Ransomware creates a simple Notepad 'ransom' message for contacting its author for help, along with a file that stores the encryption key. Malware analysts can confirm that, unlike the original version of the program, the YourRansom Ransomware doesn't save the decryption code locally or transfer it to a remote C&C server. Without that second code, data recovery by decryption is impossible.
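A responder-side triage helper for the extension behaviour described above, added here as an example rather than code from the original article or from the Trojan: it finds files carrying the '.youransom' suffix, maps each back to its original name and tallies the damage by original file type so restoration from backup can be prioritised. The sample paths and the directory walk are constructed assumptions.

```python
"""Triage helper for a suspected YourRansom Ransomware infection (added example).

The article states the Trojan appends '.youransom' to each encrypted file
without removing the first extension (e.g. 'picture.gif.youransom'), so the
original name is recoverable from the encrypted name even if the content is not.
"""
import os
from collections import Counter
from typing import Dict, Iterable, List, Optional, Tuple

RANSOM_EXT = ".youransom"  # extension reported in the article


def original_name(path: str) -> Optional[str]:
    """Return the pre-encryption path for an encrypted file, or None if not encrypted."""
    base, ext = os.path.splitext(path)
    if ext.lower() != RANSOM_EXT or not base:
        return None
    return base


def original_extension(path: str) -> str:
    """Original extension of an encrypted file (e.g. '.gif'); '' if it had none."""
    orig = original_name(path)
    if orig is None:
        return ""
    return os.path.splitext(orig)[1].lower()


def triage(paths: Iterable[str]) -> Tuple[List[Tuple[str, str]], Dict[str, int]]:
    """Return (encrypted_path, original_path) pairs and a count per original extension."""
    hits: List[Tuple[str, str]] = []
    by_ext: Counter = Counter()
    for p in paths:
        orig = original_name(p)
        if orig is None:
            continue
        hits.append((p, orig))
        by_ext[original_extension(p) or "<none>"] += 1
    return hits, dict(by_ext)


def walk_tree(root: str) -> List[str]:
    """Collect every file path under root (constructed helper for a live host)."""
    return [os.path.join(d, f) for d, _, files in os.walk(root) for f in files]


if __name__ == "__main__":
    # Constructed sample paths standing in for walk_tree(<user data root>).
    sample = ["/data/report.doc.youransom", "/data/clip.mpg.youransom", "/data/ok.txt"]
    found, summary = triage(sample)
    print(f"{len(found)} encrypted files; by original type: {summary}")
```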

Your Best Way out of the YourRansom Ransomware Issue

In theory, a remote attacker could offer a data-decoding service for anyone affected by the attacks of their file-encrypting Trojans, although the practical reality of recovery chances may be less than ideal. In the case of the YourRansom Ransomware, the lack of local or network-based saving of the pertinent unlocking data means that the author must keep the decryption key hard-coded and in his possession preemptively. In any scenario where that's not the case, or he fails to offer the code, the victim will be unable to restore any files without using a traditional backup.

The YourRansom Ransomware isn't in large-scale deployment, and malware experts consider it unlikely to be a threat intended for compromising financially meaningful targets. Small-scale Trojans of this type sometimes bundle themselves with free downloads or disguise their installers as cracks or other, equally illicit software. Any anti-malware product capable of identifying similar threats also should remove the YourRansom Ransomware without problems, and copying your files to an external server also guarantees that they suffer no extra damage.

If being generous, one could describe the YourRansom Ransomware as being either 'educational' or 'just a joke.' On the other hand, a joke from one perspective can be long-term file problems from another point of view, which is why saving spares to another device is so valuable to the rest of the PC community.
