The Dridex banking Trojan has caused a lot of problems for malware researchers and banking institutions worldwide, and it appears that the team behind this high-profile threat has moved into another area of harmful software: ransomware. In July 2017, security researchers discovered a new ransomware strain dubbed BitPaymer, but it took until early 2018 for the correlation between this file-encrypting Trojan and the crooks behind Dridex to be established. Following that discovery and the group's latest attacks, the file locker in question has been dubbed the FriedEx Ransomware, and today we take a closer look at what it is capable of.
The FriedEx Ransomware is Spread Via Fake E-Mails
Attacks with the FriedEx Ransomware are believed to be carried out with spear-phishing e-mails, but it is also possible that the attackers use other propagation methods, such as attacking exposed or vulnerable RDP services. The infection runs as a background process, so victims are unlikely to notice anything out of the ordinary when they unknowingly execute the FriedEx Ransomware's payload. The threat is designed to encrypt files that are likely to contain valuable data, so it is no surprise that its primary targets are documents, media files, spreadsheets, archives, and other file types associated with professional software.
The FriedEx Ransomware's primary targets are companies, organizations, and schools, so it is fairly unlikely that a home user would be targeted. The initial versions of the FriedEx Ransomware demanded a ransom of 50 BTC, which is over $60,000. Once the attack has run, the victim is left with thousands of encrypted files whose names have been altered to carry the '.locked' extension. The attackers' demands are delivered in a plain text file named '.readme_txt', which is dropped during the last stage of the attack.
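The two on-disk indicators described above, the '.locked' extension on encrypted files and the '.readme_txt' note, are what an incident responder would sweep for first. The following Python script is an added triage example, not code from the original article or from the malware's authors: it walks a directory tree, collects every '.locked' file, tallies which original file types were hit, and flags directories that hold encrypted files but no ransom note (useful for spotting an interrupted run). The directory layout and file names it builds are constructed sample data; nothing else about the malware is assumed.

```python
"""Triage helper for a suspected FriedEx / BitPaymer infection.

Added example (not code from the original article). It assumes only the
two indicators the article describes: encrypted files gain a '.locked'
extension and a ransom note named '.readme_txt' is dropped. The directory
layout and file names below are constructed sample data.
"""
import os
import tempfile
from collections import Counter

LOCKED_EXT = ".locked"
NOTE_NAME = ".readme_txt"


def triage(root):
    """Walk `root` and summarise ransomware indicators.

    Returns a dict with:
      locked_files      - paths of files carrying the '.locked' extension
      by_original_ext   - Counter of the extension each file had before
                          encryption (e.g. '.docx'), '' if it had none
      notes             - paths of ransom notes named '.readme_txt'
      dirs_missing_note - directories with encrypted files but no note
    """
    locked, notes, by_ext = [], [], Counter()
    dirs_with_locked, dirs_with_note = set(), set()
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if name == NOTE_NAME:
                notes.append(path)
                dirs_with_note.add(dirpath)
            elif name.endswith(LOCKED_EXT):
                locked.append(path)
                dirs_with_locked.add(dirpath)
                # Strip the appended '.locked' to recover the original name,
                # then take the extension the file had before encryption.
                original = name[: -len(LOCKED_EXT)]
                by_ext[os.path.splitext(original)[1].lower()] += 1
    return {
        "locked_files": sorted(locked),
        "by_original_ext": by_ext,
        "notes": sorted(notes),
        "dirs_missing_note": sorted(dirs_with_locked - dirs_with_note),
    }


def build_sample_tree():
    """Create a constructed directory tree mimicking a post-infection share."""
    root = tempfile.mkdtemp(prefix="friedex_sample_")
    layout = {
        "finance": ["budget.xlsx.locked", "q3.docx.locked", NOTE_NAME],
        "media": ["intro.mp4.locked", "logo.png"],   # note missing here
        "archive": ["backup.zip.locked", NOTE_NAME],
    }
    for sub, files in layout.items():
        d = os.path.join(root, sub)
        os.makedirs(d)
        for f in files:
            with open(os.path.join(d, f), "wb") as fh:
                fh.write(b"constructed sample content")
    return root


if __name__ == "__main__":
    sample = build_sample_tree()
    result = triage(sample)
    print(f"{len(result['locked_files'])} encrypted files, "
          f"{len(result['notes'])} ransom notes")
    for ext, n in result["by_original_ext"].most_common():
        print(f"  {ext or '(no extension)'}: {n}")
    for d in result["dirs_missing_note"]:
        print(f"  encrypted files but no note in: {d}")
```

Run it against a mounted copy of the affected share (replace `build_sample_tree()` with the share's root) rather than the live system, so the sweep cannot touch files the attackers may still be encrypting. The per-extension tally is a quick way to confirm the targeting the article describes and to prioritise restoration from backup.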
Victims are Taken to TOR Pages for Further Instructions
The authors of the FriedEx Ransomware point their victims to a TOR-based payment page where they receive further instructions. The ransom note warns that the fee must be paid within 72 hours of the infection, or all of the data will be lost. In addition, the FriedEx Ransomware's authors offer to decrypt several files for free to prove that they are able to do so. Last but not least, the payment page also includes contact details, which appear to be randomly generated e-mail addresses on the tutamail.com service; [email protected] and [email protected] are two of them.
Unfortunately, the FriedEx Ransomware is a sophisticated piece of ransomware, so finding a free way to decrypt the damaged files is highly unlikely. Victims can remove the FriedEx Ransomware with the help of a trustworthy anti-virus product, which stops any further encryption, but this will not reverse the damage already done to their data; recovery depends on restoring from backups that the malware could not reach.