Recently, during some research on encrypting ransomware, we came across a new variant that brings some new features to the table. It encrypts files using the following JavaScript, which runs when it is opened as an email attachment (posing as some document file).
Once your files are fully encrypted, you’ll get a popup text document informing you that all your files have been encrypted and how to pay money to get your key to decrypt them. This specific sample is Russian, and the instructions were also in Russian, so I didn’t show them here. The really interesting thing about this variant that I wanted to share is that once it finishes, it actually shows you a Twitter feed that populates a tweet every time someone pays the ransom. I suspect this does increase the chance that people will pay the ransom.
Webroot will catch this specific variant in real time before any encryption takes place. We’re always on the lookout for more, but just in case of new zero-day variants, remember that with encrypting ransomware the best protection is going to be a good backup solution. This can be either through the cloud or offline external storage. Keeping it up to date is key so as not to lose productivity. Webroot has backup features built into our product that allow you to have directories constantly synced to the cloud. If you were to get infected by a zero-day variant of encrypting ransomware, you can just restore your files, as we save a snapshot history for each of your files, up to ten previous copies.
“Webroot has backup features built into our product that allow you to have directories constantly synced to the cloud.”
Can you elaborate on this a bit?
dsm55 More great info here: https://www.brighttalk.com/webcast/8241/127363
TH
Thanks for sharing this informative post. Webroot provides great protection against viruses and online spyware.