
'blacklist@clock.li' Ransomware

Posted: October 25, 2018

The 'blacklist@clock.li' Ransomware is a variant of the Dharma Ransomware, an update of the Crysis Ransomware family of Ransomware-as-a-Service Trojans. Criminals 'rent' these threats to block files on arbitrarily targeted victims' PCs and solicit ransoms for the unlocking code or program. Anti-malware programs can protect your PC by removing the 'blacklist@clock.li' Ransomware by default, although malware experts strongly recommend keeping a non-local backup for recovery from infections.

The Ways that RaaS Tries to Protect Itself

A new release from the Dharma Ransomware branch of the Crysis Ransomware is running under an attempted cloak of obfuscation, although its results are mixed. The 'blacklist@clock.li' Ransomware uses VMProtect, a premium anti-code-analysis program, to keep cyber-security researchers from examining its code, but most products in the industry still detect it as a threat. Like the other versions of its fork, such as the bkp@cock.li Ransomware, the Darknes@420blaze.it Ransomware, the 'java File Extension' Ransomware, or the Wallet Ransomware, the 'blacklist@clock.li' Ransomware's likeliest victims are non-secure business networks.

Threat actors tend to install file-locker Trojans from this family after brute-forcing a network's login or tricking victims into opening corrupted e-mail content, such as fake invoices or memos. The 'blacklist@clock.li' Ransomware searches the network for files and locks them with a file-blocking method that can use Blowfish and AES-based algorithms, with media formats like AVIs, DOCs, and JPGs being archetypal examples. Although a free decryptor exists for the Dharma Ransomware sub-family, malware experts haven't verified any compatibility with the 'blacklist@clock.li' Ransomware update.

The data that the 'blacklist@clock.li' Ransomware blocks is identifiable by the 'vanss' extension in each file name, but the 'blacklist@clock.li' Ransomware also includes another symptom: an advanced HTML or HTA pop-up and a Notepad TXT text file. Both of them provide ransoming instructions using a frequently seen format that warns of a 'security problem with your PC' and offers the decryptor at the price of an unmentioned amount of Bitcoins. Threat actors are providing a sample as proof of their decryption service, although malware experts don't recommend paying the Bitcoins, which aren't refundable in cases of fraud.
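The 'vanss' extension gives responders a simple way to scope the damage before restoring from backup. The following Python sketch is an added example, not code from the original article: it counts locked files per directory and reports the earliest and latest modification times as a rough encryption window. The sample file names and timestamps are constructed, and it assumes modification times were not altered after the files were locked.

```python
import os
import tempfile
from collections import Counter
from datetime import datetime, timezone

LOCKED_SUFFIX = ".vanss"  # extension the article reports on locked files


def inventory_locked_files(root, suffix=LOCKED_SUFFIX):
    """Count locked files per directory and bound their modification times."""
    by_dir, mtimes = Counter(), []
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            if not name.lower().endswith(suffix):
                continue
            try:
                mtimes.append(os.stat(os.path.join(dirpath, name)).st_mtime)
            except OSError:
                continue  # file vanished or is unreadable; skip it
            by_dir[os.path.relpath(dirpath, root)] += 1
    # first/last are epoch seconds, or None when nothing matched
    return {"total": len(mtimes), "by_dir": dict(by_dir),
            "first": min(mtimes, default=None),
            "last": max(mtimes, default=None)}


def build_sample_tree(root):
    """Constructed sample data: file names and timestamps are made up."""
    samples = {"finance/report.doc.vanss": 1540450000,
               "finance/scan.jpg.vanss": 1540450600,
               "media/clip.avi.vanss": 1540451200,
               "media/untouched.avi": 1540000000}
    for rel, mtime in samples.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(b"constructed sample")
        os.utime(path, (mtime, mtime))


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        report = inventory_locked_files(tmp)
        for key in ("first", "last"):
            print(key, datetime.fromtimestamp(report[key], timezone.utc))
        print(report["total"], report["by_dir"])
```

A backup taken before the reported "first" timestamp is the safest restore candidate, and the per-directory counts show which shares the Trojan reached.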

Blacklisting a Rental Trojan before It Blacks Out Your Media

Despite its attempted subterfuge through VMProtect, the 'blacklist@clock.li' Ransomware is being detected at average rates by most AV brands and associated cyber-security products. However, such software can't protect users who leave their servers open to backdoor control by using bad passwords or other weak login credentials. Monitoring your firewall's port settings and your RDP configuration is also necessary for securing network-accessible systems from such an attack.

Users may test freeware decryptors for the Dharma Ransomware, such as the Rakhni Decryptor, for saving any files that become locked. However, this family of file-locker Trojans is maintained and updated on a professional level and includes periodic changes to the encryption algorithms. Always have backups for the fast recovery of any files that could experience damage from unauthorized software, along with traditional anti-malware tools for deleting the 'blacklist@clock.li' Ransomware as needed.

The 'blacklist@clock.li' Ransomware's threat actors seem to be the same individuals behind the old '.bip File Extension' Ransomware and the '.combo File Extension' Ransomware campaigns. The sooner their victims learn to keep their files protected, the sooner this team of extortionists will abandon the RaaS industry and its countless renditions of the same file-locking Trojans.
