
'X280@protonmail.com' Ransomware

Posted: October 3, 2019

The 'X280@protonmail.com' Ransomware is a new version of the Estemani Ransomware, a file-locking Trojan. Like its predecessor, it encrypts files and ransoms them by selling the decryptor, although at an even higher price. Users are advised to keep backups of their work as a precaution, and Windows anti-malware programs should delete the 'X280@protonmail.com' Ransomware preemptively.

Formerly Turkish Trojans Roaming the World, as Predicted

Previous examinations of the Estemani Ransomware led to the conclusion that this Turkish file-locker Trojan was being updated for circulation in other nations. Now it has a new version that seemingly is bent on proving that theory correct. The 'X280@protonmail.com' Ransomware is, unfortunately, no weaker in its encryption and isn't freely decryptable. As usual, anyone under attack should have a backup that turns any of the significant damage that the 'X280@protonmail.com' Ransomware can cause into a non-problem.

The basics of the 'X280@protonmail.com' Ransomware's payload are the same as with Trojans from other families that are far better-known than the Estemani Ransomware. It encrypts media such as documents so that they can't be opened. Since there are virtually no symptoms during this process, interrupting it is a matter of chance for most users.

Malware experts also are verifying that the Trojan uses CMD and other tools for wiping backups and terminating processes that could interfere with its attack. Due to a customized and securely-held key, the 'locking' feature is secure against third-party unlocking solutions. The use of a manifest-style spreadsheet for listing the files also is notable, since most of the file-locking Trojan sector eschews that feature in favor of adding filename extensions.
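The backup wiping and process termination described above are the behaviours a defender can watch for in process-creation telemetry, because they are noisy even when the encryption itself shows no symptoms. The following script is an added example, not code from the original page or from the Trojan's analysis: it scans constructed, simplified process-creation records (parent image, image, command line) for common backup-wiping and forced-kill command idioms, then correlates hits by parent process. The specific commands matched (vssadmin, wbadmin, bcdedit, taskkill) are assumed here as typical examples of "CMD and other tools"; the page does not quote the sample's actual command lines.

```python
"""Flag process-creation events consistent with backup wiping and forced
process termination, then correlate them by parent process.

Added example; the log records and the command patterns are constructed
assumptions, not strings taken from the 'X280@protonmail.com' sample.
"""
import re
from collections import defaultdict

# Constructed sample events: (parent image, image, command line).
# "payload.exe" is a hypothetical name for the suspect process.
SAMPLE_EVENTS = [
    ("explorer.exe", "winword.exe", "winword.exe /n report.docx"),
    ("payload.exe", "cmd.exe", "cmd.exe /c vssadmin delete shadows /all /quiet"),
    ("payload.exe", "cmd.exe", "cmd.exe /c wbadmin delete catalog -quiet"),
    ("payload.exe", "cmd.exe", "cmd.exe /c bcdedit /set {default} recoveryenabled no"),
    ("payload.exe", "taskkill.exe", "taskkill /f /im sqlservr.exe"),
    ("svchost.exe", "vssadmin.exe", "vssadmin list shadows"),  # benign: no delete
]

# Each rule pairs a behaviour tag with a case-insensitive command-line pattern.
RULES = [
    ("shadow_copy_deletion", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("shadow_copy_deletion", re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("backup_catalog_deletion", re.compile(r"wbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)", re.I)),
    ("recovery_disabled", re.compile(r"bcdedit(\.exe)?.*recoveryenabled\s+no", re.I)),
    ("forced_process_kill", re.compile(r"taskkill(\.exe)?\s+.*(/f|/im)", re.I)),
]


def classify(cmdline):
    """Return the behaviour tags (in rule order, deduplicated) matched by one command line."""
    tags = []
    for tag, pattern in RULES:
        if pattern.search(cmdline) and tag not in tags:
            tags.append(tag)
    return tags


def scan(events):
    """Return one hit dict per event whose command line matches at least one rule."""
    hits = []
    for parent, image, cmdline in events:
        tags = classify(cmdline)
        if tags:
            hits.append({"parent": parent, "image": image, "cmdline": cmdline, "tags": tags})
    return hits


def suspicious_parents(events, min_distinct_tags=2):
    """Return parents that spawned at least `min_distinct_tags` distinct flagged behaviours.

    A single taskkill or vssadmin call can be administrative; the same parent
    wiping shadow copies, deleting the backup catalog and killing processes in
    one burst is the pattern the write-up describes.
    """
    per_parent = defaultdict(set)
    for hit in scan(events):
        per_parent[hit["parent"]].update(hit["tags"])
    return {p for p, tags in per_parent.items() if len(tags) >= min_distinct_tags}


if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(f"[{','.join(hit['tags'])}] {hit['parent']} -> {hit['cmdline']}")
    print("suspicious parents:", sorted(suspicious_parents(SAMPLE_EVENTS)))
```

The correlation step matters more than any single pattern: administrators do run vssadmin and taskkill, so alerting on each match alone generates noise, while a single parent producing several distinct backup-destroying behaviours in quick succession is worth an immediate response. In a real deployment the same logic would be fed from Sysmon event ID 1 or an EDR's process-creation stream rather than the constructed list here.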

Ongoing Mysteries with Trojan Businesses

While there's not much doubt that the 'X280@protonmail.com' Ransomware's aim is making money, other characteristics of its campaign call for additional analysis and samples. This Trojan roughly doubles the ransom price for its decryptor and uses English-language notes that provide extremely long IDs for victims. Since it wipes local backups and terminates associated processes, the victims' best hope of sparing their media is a backup that's not on the system that the Trojan compromises.

Malware experts are associating the 'X280@protonmail.com' Ransomware with EXE files that lack misleading names, digital signatures, or other traits that one might find in phishing-style downloading tactics. The 'X280@protonmail.com' Ransomware may use browser-exploiting threats like the RIG Exploit Kit, attach its installer to a macro-assisted Trojan downloader in e-mailed documents, or merely target servers with preexisting vulnerabilities. Weak logins also are a likely point of attack that administrators should correct.

There also are some possible connections between APT34 or Oilrig and the 'X280@protonmail.com' Ransomware, although this is an unproven estimate. Most anti-malware tools, regardless, should correctly identify and delete the 'X280@protonmail.com' Ransomware.

Trojans putting on their world explorers' hats means that no one is safe from encryption. However, readers already should know that if they've kept up with the 'X280@protonmail.com' Ransomware's predecessor, the Estemani Ransomware, or with Hidden Tear, the Jigsaw Ransomware or hundreds of others.
