DecryptIomega Ransomware
The DecryptIomega Ransomware is a Trojan that targets network-attached storage devices and removes their files, leaving behind a ransom note. Paying may or may not get any data-recovery help from the threat actor. Users should take precautions against the exploitation of vulnerabilities in Linux software such as Samba, and use anti-malware products to identify and delete the DecryptIomega Ransomware when it shows up.
Lenovo Iomega Fans Have Problems Worth Crying Over
Software vulnerabilities are the linchpin that's helping a new type of file-ransoming Trojan find its way onto backup storage hardware. The DecryptIomega Ransomware, which is specific to Lenovo Iomega products, targets digital media on the compromised device by still-unknown means that may or may not include encryption. It couldn't do so without the help of SambaCry, a well-known vulnerability in Samba, the SMB file-sharing service that NAS devices and most Linux systems use.
SambaCry, or CVE-2017-7494, is a Samba vulnerability that lets remote attackers execute arbitrary code: an attacker with write access to a share can upload a shared library and make the Samba server load and run it. By exploiting it, they can create a backdoor into the NAS device and run the DecryptIomega Ransomware. Whether the DecryptIomega Ransomware encrypts or simply deletes files isn't known to malware analysts. They can only verify that the Trojan removes most data from the infected storage device. Instead of documents, pictures, or other files, the victim finds nothing more than the DecryptIomega Ransomware's ransom message.
The DecryptIomega Ransomware's note is more conventional than its environment or attack strategy and asks for payment in Bitcoin to a prespecified wallet. As of late July, although the wallet shows some transactions, the amounts don't align with its ransom demand of 0.03 Bitcoins. Malware experts recommend against paying, since it's highly likely that the DecryptIomega Ransomware is deleting files outright instead of uploading them to a server.
Keeping Criminals from Doing the Samba Over Your Media's Graves
Samba ships with, or is readily available for, most Linux distributions, and it is the file-sharing service that NAS appliances expose to the network. Users can protect themselves by installing the patches that close SambaCry: upstream fixed it in Samba 4.6.4, 4.5.10 and 4.4.14, and Ubuntu, Debian, and other distributions each have their own package versions that backport the fix without changing the upstream version number, so check the vendor's advisory or the package changelog rather than the version string alone. Where a patch can't be applied, the Samba project's documented workaround is adding "nt pipe support = no" to the [global] section of smb.conf, at the cost of some functionality for Windows clients. On a NAS appliance the fix arrives as vendor firmware, so the device needs the latest firmware and, in any case, shouldn't expose SMB to the Internet. As usual, users who install updates regularly are at little to no risk from attackers abusing this method of infection.
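As an added example (not code from the original article or from any Samba or Lenovo tool), the script below shows the two checks a defender would run on a Linux host or a NAS with shell access: whether the reported Samba version falls in the range affected by CVE-2017-7494, and whether smb.conf carries the "nt pipe support = no" workaround. The fixed-version table comes from the Samba advisory for CVE-2017-7494; the sample version banner and the two smb.conf fragments are constructed inputs for demonstration. The version check is deliberately labelled a heuristic, because distribution packages backport the fix without bumping the upstream version.

```python
"""Heuristic exposure check for CVE-2017-7494 (SambaCry).

Added example for this article; not code from the original page.
Version comparison is a heuristic only: distro backports patch the
flaw without changing the upstream version string.
"""
import re

# Upstream releases that first shipped the fix (Samba advisory, CVE-2017-7494).
FIXED_BRANCHES = {(4, 4): (4, 4, 14), (4, 5): (4, 5, 10), (4, 6): (4, 6, 4)}
FIRST_AFFECTED = (3, 5, 0)   # the advisory lists 3.5.0 onward as affected

# Constructed sample inputs (not captured from a real device).
UNPATCHED_BANNER = "Version 4.5.8-Ubuntu"          # shape of `smbd --version` output
PATCHED_BANNER = "Version 4.6.4"
VULN_CONF = """[global]
   workgroup = WORKGROUP
   server string = media NAS
[media]
   path = /mnt/media
   writable = yes
"""
MITIGATED_CONF = """[global]
   workgroup = WORKGROUP
   # advisory workaround: disables named pipes, some Windows features break
   nt pipe support = no
"""


def parse_samba_version(banner):
    """Return (major, minor, patch) from a version banner, or None."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", banner)
    return tuple(int(x) for x in m.groups()) if m else None


def version_possibly_vulnerable(version):
    """True if the upstream version number falls in the affected range.

    Branches 3.5 through 4.3 never got a fixed upstream release (only
    patches), so they are reported as possibly vulnerable; 4.7 and later
    were released after the fix.
    """
    if version < FIRST_AFFECTED:
        return False
    branch = version[:2]
    if branch in FIXED_BRANCHES:
        return version < FIXED_BRANCHES[branch]
    return branch < (4, 4)


def smbconf_disables_nt_pipes(conf_text):
    """True if the [global] section sets 'nt pipe support' to a false value.

    Samba parameter names are case-insensitive and whitespace-insensitive,
    so both are normalised; lines starting with '#' or ';' are comments.
    """
    section = None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "global" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key.lower().replace(" ", "") == "ntpipesupport":
            return value.lower() in ("no", "false", "0")
    return False


def assess(banner, conf_text):
    """Combine both checks into one verdict: unknown/patched/mitigated/vulnerable."""
    version = parse_samba_version(banner)
    if version is None:
        return "unknown"
    if not version_possibly_vulnerable(version):
        return "patched"
    if smbconf_disables_nt_pipes(conf_text):
        return "mitigated"
    return "vulnerable"


if __name__ == "__main__":
    for banner, conf in ((UNPATCHED_BANNER, VULN_CONF),
                         (UNPATCHED_BANNER, MITIGATED_CONF),
                         (PATCHED_BANNER, VULN_CONF)):
        print(f"{banner!r:32} -> {assess(banner, conf)}")
```

On a real host, feed it the output of `smbd --version` and the contents of /etc/samba/smb.conf; a "patched" verdict from the version number alone is only trustworthy when the version is an upstream fixed release, while "vulnerable" on a distribution build still needs the package changelog to confirm whether the backport is present.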
Malware researchers, so far, see no instances of the DecryptIomega Ransomware compromising NAS devices other than the brand in its name. However, network-attached storage is equally at risk from file-locking Trojans like the eCh0raix Ransomware, the QNAPCrypt or the Basilisque Ransomware. Where practical, users should keep at least one backup copy offline or offsite rather than depending solely on NAS backups or other often-compromised resources, like Windows Shadow Copies.
Anti-malware products from most vendors can delete file-locking Trojans and other ransom-based threats with few impediments. Should this Trojan adopt a new infection vector, victims can depend on their security software to block the DecryptIomega Ransomware and remove it preemptively.
The DecryptIomega Ransomware is part of a rising wave of NAS-hostile Trojan software. Criminals adjusting their attacks to increasingly specific hardware is unhappy tidings for anyone who's too invested in a particular brand.