
Revenge Ransomware

The Revenge Ransomware is a new variant of the CryptFile2 Ransomware and the CryptoShield Ransomware, threats that use strong encryption to lock their victims’ files. The Revenge Ransomware shares many similarities with both of these threats, but it also uses some new tricks that may improve its chance of infecting targets around the world. The first notable thing about the Revenge Ransomware is that its authors have opted to use the RIG Exploit Kit (RIG EK) to distribute this crypto-threat. The RIG EK relies on compromised websites into which a small snippet of JavaScript code has been injected; that script probes the visitor’s computer for vulnerable software that can be exploited to plant the Revenge Ransomware on it. These websites often appear to be safe, because the hackers who compromised them modified the page’s source code without leaving any visible sign of the intrusion.

When the Revenge Ransomware infiltrates a computer successfully, it starts its attack by generating a 16-character victim ID. The encryption scheme that the Revenge Ransomware relies on is similar to the one used by the CryptFile2 Ransomware and the CryptoShield Ransomware: the files are encrypted with an AES-256 key, and that key is then encrypted with an RSA-1024 public key embedded in the malware, so only the holder of the matching private key can recover it. This makes the Revenge Ransomware’s encryption routine practically unbreakable and, unfortunately, a free decryption utility is very unlikely to appear unless the authors decide to join the good side and release the private key on their own.

The Revenge Ransomware Uses a Fake Windows Defender Alert to Obtain Elevated Privileges

One peculiar thing about the Revenge Ransomware’s attack is that it uses a fake alert to convince the user to grant the crypto-threat administrative privileges. To do this, the Revenge Ransomware spawns an alert box stating that ‘Windows Defender Virus and spyware definitions couldn’t be updated. Click Continue for recovery update soft.’ When the user clicks Continue, a UAC prompt appears for ‘C:\Windows\SysWOW64\wbem\WMIC.exe’ with the command ‘process call create %UserProfile%\a1x[r65r.exe’. WMIC is a legitimate, Microsoft-signed Windows component, so the prompt names a trusted binary rather than the malware; approving it makes WMIC launch the dropped executable with administrator rights. If the user authorizes this, the Revenge Ransomware takes over the system and proceeds to encrypt the files, rename them, and drop the ransom note.

The naming pattern that the Revenge Ransomware uses is also rather peculiar: [16_hex_char_victim_id][16_hex_char_encrypted_filename][unknown_8_hex_char_string][8_char_encrypted_filename].REVENGE. Because the original file name is encrypted rather than simply given a new extension, victims cannot easily tell which valuable files they lost in the attack, and this may motivate them to pay the ransom sooner. Note that the victim ID the ransom note asks for is also the first 16 hex characters of every encrypted file name.

Another interesting feature of the Revenge Ransomware is a routine that identifies and terminates a list of processes associated with database servers. This is most likely done so that database files, which a running server keeps open and locked, can be opened and encrypted. Apart from taking these additional measures to reach database files, the Revenge Ransomware targets over 1,200 unique file types; for comparison, CryptFile2 and CryptoShield limited their targets to a bit over 400 file types.
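The two host-level indicators described above, WMIC being asked (behind a UAC prompt) to create a process from an executable under the user profile, and the fixed-width field layout of a .REVENGE file name, can be turned into triage checks. The following Python script is an added example written for this page; it is not code from the original post or from the malware’s authors. The process-log format is a made-up key=value layout, not a real Sysmon or EDR schema, and the sample paths, user name and log lines are constructed; the ransom-note file name and the field widths follow the text above.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Field layout of an encrypted file name as described in the write-up:
# [16 hex victim ID][16 hex encrypted name][8 hex unknown][8 chars encrypted name].REVENGE
REVENGE_NAME = re.compile(
    r"^(?P<victim_id>[0-9A-Fa-f]{16})"
    r"(?P<enc_name>[0-9A-Fa-f]{16})"
    r"(?P<unknown>[0-9A-Fa-f]{8})"
    r"(?P<tail>[^.\\/]{8})"
    r"\.REVENGE$"
)

# Ransom note dropped in every folder that holds at least one encrypted file.
RANSOM_NOTE = "# !!!HELP_FILE!!! #.txt"

# Process-creation records in a constructed "Image=... CommandLine=..." format
# (assumption for this example; adapt LOG_LINE to your telemetry's real schema).
LOG_LINE = re.compile(r'Image=(?P<image>\S+)\s+CommandLine="(?P<cmd>[^"]*)"')
WMIC_CREATE = re.compile(r"\bprocess\s+call\s+create\b", re.IGNORECASE)
# Any executable under a user profile, e.g. the %UserProfile%\<dropped exe> the page describes.
USER_PROFILE_EXE = re.compile(r'[A-Za-z]:\\Users\\[^\s"]+\.exe\b', re.IGNORECASE)


@dataclass(frozen=True)
class RevengeName:
    victim_id: str
    enc_name: str
    unknown: str
    tail: str


def parse_revenge_name(filename: str) -> Optional[RevengeName]:
    """Split a .REVENGE file name into its fields, or return None if it does not match."""
    m = REVENGE_NAME.match(filename)
    if m is None:
        return None
    return RevengeName(**m.groupdict())


def triage_listing(paths: List[str]) -> Dict[str, object]:
    """Classify a directory listing into encrypted files, the victim ID(s) they carry, and notes."""
    encrypted: List[str] = []
    victim_ids: Set[str] = set()
    notes: List[str] = []
    for path in paths:
        name = path.replace("/", "\\").rsplit("\\", 1)[-1]
        if name == RANSOM_NOTE:
            notes.append(path)
            continue
        parsed = parse_revenge_name(name)
        if parsed is not None:
            encrypted.append(path)
            # Every encrypted file on one host should carry the same ID; more than one
            # ID in a listing means more than one infection or a copied file.
            victim_ids.add(parsed.victim_id.upper())
    return {"encrypted": encrypted, "victim_ids": victim_ids, "notes": notes}


def is_wmic_user_profile_launch(image: str, cmdline: str) -> bool:
    """True when WMIC.exe is used to create a process from an executable under C:\\Users."""
    return (
        image.lower().endswith("\\wbem\\wmic.exe")
        and WMIC_CREATE.search(cmdline) is not None
        and USER_PROFILE_EXE.search(cmdline) is not None
    )


def scan_process_log(lines: List[str]) -> List[str]:
    """Return the command lines that match the WMIC launch-from-profile pattern."""
    flagged: List[str] = []
    for line in lines:
        m = LOG_LINE.search(line)
        if m and is_wmic_user_profile_launch(m["image"], m["cmd"]):
            flagged.append(m["cmd"])
    return flagged


# Constructed samples (not real telemetry): the user name, the document names and the
# third log line are made up; the dropped-file name is the one quoted in the write-up.
SAMPLE_LISTING = [
    r"C:\Users\alice\Documents\0123456789ABCDEFFEDCBA9876543210DEADBEEFQw3rTy12.REVENGE",
    r"C:\Users\alice\Documents\0123456789abcdef00112233445566778899AABBzZyYxXwW.REVENGE",
    r"C:\Users\alice\Documents\# !!!HELP_FILE!!! #.txt",
    r"C:\Users\alice\Documents\report.docx",
]

SAMPLE_PROCESS_LOG = [
    r'Image=C:\Windows\SysWOW64\wbem\WMIC.exe CommandLine="wmic process call create C:\Users\alice\a1x[r65r.exe"',
    r'Image=C:\Windows\System32\wbem\WMIC.exe CommandLine="wmic os get caption"',
    r'Image=C:\Windows\System32\cmd.exe CommandLine="cmd /c C:\Users\alice\setup.exe"',
]

if __name__ == "__main__":
    print(triage_listing(SAMPLE_LISTING))
    print(scan_process_log(SAMPLE_PROCESS_LOG))
```

The file-name parser is strict about field widths (48 characters before the extension), so a name with the right extension but the wrong layout is not counted, and the victim ID recovered from the names can be compared with the one the victim is told to put in the e-mail. The WMIC rule deliberately keys on the trusted binary plus the user-profile path rather than on the specific dropped file name, since that name will differ between samples.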

‘===ENGLISH===
All of your files were encrypted using REVENGE Ransomware.
The action required to restore the files.
Your files are not lost, they can be returned to their normal state by decoding them.
The only way to do this is to get the software and your personal decryption key.
Using any other software that claims to be able to recover your files will result in corrupted or destroyed files.
You can purchase the software and the decryption key by sending us an email with your ID.
And we send instructions for payment.
After payment, you receive the software to return all files.
For proof, we can decrypt one file for free. Attach it to an e-mail.

CONTACT E-MAILS:
EMAIL: [email protected]
EMAIL: [email protected]
EMAIL: [email protected]

Victims can find the attackers’ demands in a file called ‘# !!!HELP_FILE!!! #.txt,’ which is dropped in every folder that contains at least one encrypted file. The ransom sum that the Revenge Ransomware’s authors ask for is not specified; instead, the message tells victims to send an e-mail to one of the three addresses listed in the note and to include their victim ID in the message body. Paying the ransom is not recommended, and since no free decryption tool exists for the Revenge Ransomware at the moment, the only reliable way to restore locked files is from backups that the malware could not reach. Users who are nevertheless considering cooperating with the attackers should keep in mind that the authors of the Revenge Ransomware give no guarantee that they will decrypt the files once the ransom payment is completed.



This post first appeared on SpywareRemove, please read the original post: here
