The ‘[email protected]’ Ransomware is a Trojan that encrypts files on your PC and inserts an e-mail address into their names. The con artists operating from that address may pose as security technicians or request money in exchange for helping you decrypt your data. If possible, use other methods of restoring any data, in addition to any standard anti-malware tools capable of identifying and removing the ‘[email protected]’ Ransomware from your hard drive.
Slimming Down Your Files to Fatten a Con Artist’s Wallet
Ransoming strategies vary wildly between different Threat campaigns and may range from upfront attempts to frighten a victim to passive-aggressive tactics that offer to ‘fix’ your PC in exchange for payment. One of the most succinct social engineering patterns malware experts see in recent threats is a tendency to provide contact information and nothing else, leaving the details of the extortion to the con artists or an automated mail handler. The ‘[email protected]’ Ransomware is one such threat accompanying its file encrypting features with this minimalist method.
The ‘[email protected]’ Ransomware installs itself through a standard executable file with its name consisting of a random string of characters. The encryption function targets data types, such as documents, and, as usual, shows no evidence of displaying symptoms that would alert a victim during its activation. The only sign of the attack taking place and locking your media with encryption technology is the changes of names to the non-functioning data. The ‘[email protected]’ Ransomware appends both its e-mail address and an extra extension to each encrypted piece of data.
Malware experts have not correlated any other Trojan campaigns with the ‘[email protected]’ Ransomware’s tag of choice, the ‘.tar’ string, which also has associations with a legitimate compression format. Although the extension is identical, content enciphered by the ‘[email protected]’ Ransomware is not converted to the real ‘.tar’ format, and is unusable until the victim leverages a decryption solution.
Past scenarios of contact between victims and the ‘[email protected]’ Ransomware’s address lead to typical extortion demands, with con artists offering to restore your data in return for Bitcoin payments of four thousand dollars. Notably, the Trojan doesn’t advertise this higher-than-normal ransom sum or the fact that the victim is expected to pay a ransom, anywhere in its payload.
Cutting the Fat Off of a PC Extortion Campaign
The ‘[email protected]’ Ransomware is a possible variant of Trojan-Ransom.Win32.Rotor and other variants of that same family of file encrypting Trojans, but no public decryptors have been found viable against this threat. Current versions of the ‘[email protected]’ Ransomware don’t transfer network data to a remote server, as is typical of Trojans preserving decryption keys in a remote threat actor’s possession. However, the threat actors administrating this campaign do offer ‘trial’ decryption services before receiving payments, most likely enabled by log data the victim transfers on request.
The ‘[email protected]’ Ransomware’s extortion techniques suggest that its campaign targets non-private entities, such as corporate business servers. Most infection methods for these attacks require either poor password management on the victim’s part or unsafe e-mail interactions, such as opening an attached document hosting Trojan-installing vulnerabilities. Until malware experts can further narrow down the exploits at work, use your anti-malware products and safe Web-browsing behavior to detect and delete the ‘[email protected]’ Ransomware before it encrypts any content.
While the ‘[email protected]’ Ransomware includes a hibernation feature, ‘sleeping’ Trojans are not necessarily non-threatening ones, and you should regard this threat as both an active danger to your finances and your files.