Victims of a new form of ransomware that appeared just weeks ago can now retrieve their encrypted files without having to pay a bitcoin ransom.
Discovered in early August, RansomWarrior appears to be the work of hackers working out of India, if the inclusion of "Have a good day with the love from India" on the ransom note is to be believed.
The file-locking malware targets Microsoft Windows users and is delivered as an executable named 'A Big Present.exe' which, if run, encrypts the victim's files and appends a .THBEC extension to each of them.
The attackers offer victims the opportunity to decrypt two files for free but the note also reminds victims that if they don't pay the ransom, they won't get their files back.
Victims are also intimidated into not reporting the attack to the police, with the attackers claiming law enforcement "can't help you".
Researchers at Check Point analysed RansomWarrior and found it to be the work of seemingly inexperienced attackers, and were able to retrieve the decryption keys from the malware.
Check Point succeeded because of the weak encryption scheme: RansomWarrior uses a stream cipher whose key is chosen at random from a list of 1000 keys hard-coded in the binary itself.
Because the index of the chosen key is saved locally on the victim's computer, the key table recovered from the binary plus that index is all that is needed to unlock the files, and the researchers were able to build a decryption tool for anyone infected by RansomWarrior.
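The following is an added illustration of the design flaw described above, not code from the malware or from Check Point's tool. It models a stream cipher whose key is one of 1000 keys shipped inside the binary, with the chosen key's index left on the victim's machine, and shows two ways a defender recovers files without paying: reading the saved index, and, going beyond what the article describes, a known-plaintext search that tries all 1000 keys against common file headers, which is cheap because the key space is so small. The key table and the hash-counter keystream are constructed stand-ins (the page does not give the real keys or cipher), and the sample file contents are made up.

```python
"""Toy model of the RansomWarrior key-selection flaw (constructed example)."""
from __future__ import annotations

import hashlib
import os

# Hypothetical stand-in for the 1000 keys hard-coded in the binary. Values
# are irrelevant to the flaw: the whole table ships with the malware.
KEY_TABLE = [hashlib.sha256(b"demo-key-%d" % i).digest() for i in range(1000)]

# Real file magic bytes, used for known-plaintext index recovery.
MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "pdf": b"%PDF-",
    "zip": b"PK\x03\x04",
}


def keystream(key: bytes, length: int) -> bytes:
    """Hash-counter keystream; a stand-in for the unspecified stream cipher."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hashlib.sha256(key + block.to_bytes(8, "big")).digest()
        block += 1
    return bytes(out[:length])


def xor_bytes(data: bytes, ks: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, ks))


def ransomware_encrypt(plaintext: bytes, rng=os.urandom) -> tuple[bytes, int]:
    """Pick one hard-coded key at random and XOR the file with its keystream.
    Returns (ciphertext, key_index); the index is what gets saved locally."""
    index = int.from_bytes(rng(2), "big") % len(KEY_TABLE)
    ct = xor_bytes(plaintext, keystream(KEY_TABLE[index], len(plaintext)))
    return ct, index


def decrypt_with_saved_index(ciphertext: bytes, index: int) -> bytes:
    """What a decryption tool does once it has the key table and the index."""
    return xor_bytes(ciphertext, keystream(KEY_TABLE[index], len(ciphertext)))


def recover_index_by_magic(ciphertext: bytes) -> int | None:
    """Fallback if the saved index is lost: 1000 candidates is a trivial
    search, so decrypt the first bytes under each key and look for a header."""
    head_len = max(len(m) for m in MAGIC.values())
    for index, key in enumerate(KEY_TABLE):
        head = xor_bytes(ciphertext[:head_len], keystream(key, head_len))
        if any(head.startswith(m) for m in MAGIC.values()):
            return index
    return None


if __name__ == "__main__":
    victim_file = MAGIC["png"] + b"constructed image body " * 4
    ct, saved_index = ransomware_encrypt(victim_file)
    assert decrypt_with_saved_index(ct, saved_index) == victim_file
    assert recover_index_by_magic(ct) == saved_index
    print(f"key index {saved_index}: files recovered without paying")
```

The second recovery path is the practitioner's check: even had the malware not written the index to disk, a 1000-entry key table is small enough that an analyst with a single encrypted file of known type can find the key in well under a second, so the scheme is broken by design rather than by one careless detail.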
While many cyber criminals have switched focus to cryptocurrency mining malware as a stealthier and less risky means of acquiring bitcoin and other cryptocurrencies, ransomware still remains a prominent cyber threat.
Instead of deploying mass spam campaigns in an effort to infect as many users as possible, the most successful ransomware campaigns have developed new tactics.
In many cases, the attackers put time and effort into compromising whole networks before eventually pulling the trigger on the ransomware infection.
It's this form of targeted campaign that helped one cyber criminal operation make over $6m, and which continues to net it an additional $300,000 each month.