
DRV Ransomware

Posted: February 3, 2020

The DRV Ransomware is a new version of the file-locking Trojan, Hidden Tear. Attacks by this threat can keep media files from opening on your computer, change their extensions to strings referencing the Trojan, and create ransom messages. Users should back their work up onto another device for preserving it from these attacks and use an appropriate anti-malware service for deleting the DRV Ransomware safely in most cases.

Hidden Tear: Unhidden for Mysterious Profiteering

A new quest for ransoms is finding its first victims, even though it's nothing more than a copy-paste of Utku Sen's Hidden Tear freeware. The DRV Ransomware, also referenced as the Lasan Ransomware, is mostly a renamed version of that Turkish programmer's code. Beyond the names and some cosmetic changes, the main difference is the unusual ransom note that the DRV Ransomware creates, which seemingly works at counter-purposes to the usual extortion attempt.

The DRV Ransomware keeps the encryption that's the hallmark of Hidden Tear: an AES-based, file-locking routine that blocks media formats such as documents, pictures, and dozens of other format types. Along the way, it also gives the files new 'lasan' extensions, deletes the original, non-encrypted versions of the media, and hides its 'info' and 'drv' executable components inside the user's account folder. Malware researchers see no extra features or noteworthy updates to the payload, and the competency of the threat actor deploying this Trojan is open to speculation.

The DRV Ransomware's ransom note, a Notepad file, is the 'interesting' portion of infections. It provides grammatically-poor English messages without e-mail addresses or other contact details. It does, however, appear to anticipate a ransom of some fashion, such as a voucher or a Bitcoin transaction. The wording is likely the output of a translation utility. Despite that, the DRV Ransomware's payload has no language setting-based limitations that restrict the file-locking behavior from running on most Windows computers.
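The traces described above (files renamed with the 'lasan' extension, an 'info' and 'drv' component dropped under the user's account folder, and a Notepad ransom note) are the things a responder can look for on a file listing. The triage helper below is an added illustration, not code from the page or from the Trojan; it assumes the extension is appended as `.lasan`, that the dropped components are named `info.exe` and `drv.exe`, and that the sample listing is constructed.

```python
"""Triage a Windows file listing for traces of a DRV/Lasan-style Hidden Tear variant."""
from collections import Counter
from pathlib import PureWindowsPath

ENCRYPTED_EXT = ".lasan"                  # assumed form of the 'lasan' extension
DROPPED_NAMES = {"info.exe", "drv.exe"}   # assumed names of the 'info'/'drv' components
MIN_RENAMED = 3                           # renamed files per folder before flagging it


def triage(paths):
    """Return findings for an iterable of Windows paths (no disk access needed)."""
    renamed = Counter()   # folder -> number of files carrying the encrypted extension
    dropped = []          # suspicious executables found under a user account folder
    notes = []            # .txt files sitting in a folder that also has renamed files
    txt_files = []
    for raw in paths:
        p = PureWindowsPath(raw)
        suffix = p.suffix.lower()
        if suffix == ENCRYPTED_EXT:
            renamed[str(p.parent).lower()] += 1
        elif suffix == ".txt":
            txt_files.append(p)
        # The page says the components hide inside the user's account folder.
        parts = [s.lower() for s in p.parts]
        if p.name.lower() in DROPPED_NAMES and "users" in parts:
            dropped.append(str(p))
    hot = {d: n for d, n in renamed.items() if n >= MIN_RENAMED}
    # A plain-text file next to a cluster of renamed files is a likely ransom note.
    notes = [str(t) for t in txt_files if str(t.parent).lower() in hot]
    return {"folders": hot, "dropped": dropped, "notes": notes,
            "verdict": bool(hot or dropped)}


# Constructed sample listing; none of these paths come from a real infection.
SAMPLE_INFECTED = [
    r"C:\Users\alice\Documents\report.docx.lasan",
    r"C:\Users\alice\Documents\budget.xlsx.lasan",
    r"C:\Users\alice\Documents\photo.jpg.lasan",
    r"C:\Users\alice\Documents\READ_ME.txt",
    r"C:\Users\alice\info.exe",
    r"C:\Users\alice\drv.exe",
    r"C:\Windows\System32\notepad.exe",
]
SAMPLE_CLEAN = [
    r"C:\Users\bob\Documents\report.docx",
    r"C:\Users\bob\Documents\notes.txt",
    r"C:\Program Files\Tool\info.exe",   # same name, but not under a user folder
]
```

A real run would feed the output of a directory walk into `triage` and treat a positive verdict as a cue to isolate the host and restore from the offline backup the page recommends.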

Lessons Best Learned Outside of a Trojan's Class

The DRV Ransomware, as usual, offers no digital signature or other credentials that would help it evade detection by the typical security apparatus. It also has some signs of being an incomplete or in-development program. However, thanks to Hidden Tear, its file-locking capabilities are functional. More surprisingly, malware researchers are also spotting attacks by this Trojan in the wild.

The forged copyright details on the DRV Ransomware's installer claim that the program is an educational product, although the type is unstated. Users should be careful around infection vectors that propagate scamware and similarly-fraudulent downloads. Such sources include poorly-rated torrents, pop-ups, malvertising (misleading web advertisements) and Exploit Kits. For the latter, disabling Flash and JavaScript, and installing security updates, will reduce the possibility of a drive-by-download exploit's succeeding.

Most anti-malware products will exterminate Hidden Tear's many variants without issues. That holds for this variant as well, and users shouldn't attempt to remove the DRV Ransomware without a proper anti-malware solution, in most circumstances.

There is a possibility of decrypting the DRV Ransomware's locked files through free, Hidden Tear-compatible services. However, the chances of doing so drop with ongoing maintenance of this threat, and thus, victims should hope that the author's programming remains as lazy as his linguistics.
