Wish they were all this easy to crack....
Victims of a new form of ransomware that appeared just weeks ago can now retrieve their encrypted files without having to pay a bitcoin ransom.
Discovered in early August, RansomWarrior appears to be the work of hackers working out of India, if the inclusion of "Have a good day with the love from India" on the ransom note is to be believed.
The file-locking malware targets Microsoft Windows users and is delivered to victims via an executable named 'A Big Present.exe' which, if run, will encrypt files with a .THBEC extension.
Researchers at Check Point analysed RansomWarrior and found it to be the work of seemingly inexperienced attackers, and were able to retrieve the decryption keys from the malware.
Check Point succeeded due to the weak encryption used by the ransomware, which is a stream cipher that uses a key randomly generated from 1000 hard-coded keys in the RansomWarrior binary code.
As the key's index is saved locally on the victim's computer to provide the means of unlocking the files, researchers have been able to build a decryption tool for anyone infected by RansomWarrior.
Read more: Cracking ransomware: RansomWarrior victims can now retrieve files for free | ZDNet
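
Why a fixed key table plus a locally stored index makes recovery possible, as an added sketch that is not Check Point's tool or code from the article. The key table, the SHA-256 counter keystream and all function names are constructed stand-ins, since the article does not describe the real cipher; the sketch also goes one step past the article by recovering the index from a known file header when the saved index is unavailable.

```python
import hashlib

# Constructed stand-in for the 1000 keys embedded in the binary (not the real table).
KEY_TABLE = [hashlib.sha256(b"demo-key-%d" % i).digest()[:16] for i in range(1000)]

# Well-known file signatures, used as known plaintext to confirm a candidate key.
MAGIC = {"pdf": b"%PDF-", "png": b"\x89PNG\r\n\x1a\n", "zip": b"PK\x03\x04"}

def keystream(key, n):
    """Toy keystream: SHA-256(key || counter) blocks (assumed, not the real cipher)."""
    out = bytearray()
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:n])

def xor_stream(key, data):
    """Encrypt or decrypt: XOR with the keystream is its own inverse."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))

def decrypt_with_index(index, ciphertext):
    """Recovery path from the article: the saved index selects the table key."""
    if not 0 <= index < len(KEY_TABLE):
        raise ValueError("index outside key table")
    return xor_stream(KEY_TABLE[index], ciphertext)

def recover_index(ciphertext, magic):
    """Without the saved index, test all table entries against a known header."""
    hits = [i for i, k in enumerate(KEY_TABLE)
            if xor_stream(k, ciphertext[:len(magic)]) == magic]
    return hits[0] if len(hits) == 1 else None  # no match or ambiguous -> None

if __name__ == "__main__":
    original = MAGIC["png"] + b"constructed sample image body"
    locked = xor_stream(KEY_TABLE[417], original)  # simulate one encrypted file
    idx = recover_index(locked, MAGIC["png"])
    print(idx, decrypt_with_index(idx, locked) == original)
```

The search space is the table size, not the key length: at most 1000 trial decryptions of a few header bytes per file.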