
ExpBoot Ransomware

Posted: July 16, 2019

The ExpBoot Ransomware is an update of the T1Happy Ransomware, a file-locker Trojan. Early releases of the ExpBoot Ransomware omit the encryption that blocks your files but can display ransom-themed warnings, superimpose itself over your desktop, and change filenames automatically. Users should prepare backups as a precaution against worse attacks from this threat and have their anti-malware services remove the ExpBoot Ransomware whenever they detect it.

Time to Get Unhappy about the T1Happy Ransomware Again

The threat actors toying with the code of the T1Happy Ransomware are showing an interest in extorting money from Chinese Windows users, although how they will do so is still a work in progress. The ExpBoot Ransomware, the update to the earlier file-locker Trojan, has cut the encryption routine responsible for blocking the victim's files. On the other hand, its other features are working, and adding a basic but secure AES encryption attack would take little time for even a questionably competent programmer.

While it doesn't 'lock' documents, pictures, or other files, the ExpBoot Ransomware does append an 'ExpBoot' extension to their names. Removing this extension is the only action necessary for restoring the document or other content to normal, for now. However, other features in the ExpBoot Ransomware's payload that are more fully developed may hinder any access to the Windows UI.
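Because this version only renames files, recovery is a filename cleanup rather than decryption. The following script is an added example, not code from the original article or from the Trojan's authors; it assumes the marker is appended as a literal ".ExpBoot" suffix (the article does not show the exact form) and it refuses to overwrite any untouched file whose name a restore would collide with.

```python
from __future__ import annotations
import os

# Assumption: the article says an 'ExpBoot' extension is appended; the exact
# form ".ExpBoot" is assumed here and should be checked against a real sample.
RANSOM_SUFFIX = ".ExpBoot"


def restored_name(name: str) -> str | None:
    """Return the original filename if `name` carries the marker, else None.
    The comparison is case-insensitive because Windows filenames are."""
    if len(name) > len(RANSOM_SUFFIX) and name.lower().endswith(RANSOM_SUFFIX.lower()):
        return name[: -len(RANSOM_SUFFIX)]
    return None


def plan_restores(names: list[str]) -> tuple[dict[str, str], list[str]]:
    """Map each marked file to its restored name, and list the marked files
    that are skipped because the restored name already exists in the listing
    (or is claimed by another restore). Pure function over a directory listing,
    so it can be tested without touching disk."""
    existing = set(names)
    plan, skipped, claimed = {}, [], set()
    for name in sorted(names):
        target = restored_name(name)
        if target is None:
            continue
        if target in existing or target in claimed:
            skipped.append(name)  # never overwrite an untouched file
            continue
        plan[name] = target
        claimed.add(target)
    return plan, skipped


def restore_directory(root: str, apply: bool = False) -> tuple[dict[str, str], list[str]]:
    """Walk `root`, plan restores per directory, and rename only when apply=True.
    Only filenames change; no file contents are read or written."""
    all_plan, all_skipped = {}, []
    for dirpath, _dirs, files in os.walk(root):
        plan, skipped = plan_restores(files)
        for old, new in plan.items():
            old_path, new_path = os.path.join(dirpath, old), os.path.join(dirpath, new)
            all_plan[old_path] = new_path
            if apply:
                os.rename(old_path, new_path)
        all_skipped.extend(os.path.join(dirpath, s) for s in skipped)
    return all_plan, all_skipped
```

Run `restore_directory(path)` first to review the plan; pass `apply=True` only after confirming the skipped list is empty or expected.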

The ExpBoot Ransomware generates a traditional 'screen-locker' pop-up: a borderless window that blocks the desktop and other windows. The threat actors use it to deliver a ransom demand (which they refer to as a 'battery'), and it provides a countdown, language selection, and a decryption button. Further details in the ransom instructions link to a Chinese website that processes the payment, although malware experts see no connection between that payment and any automatic decryption feature.

Being Thankful for Bad Programming in Worse Programs

Many of the ExpBoot Ransomware's characteristics suggest that the Trojan is not ready for live deployment. Although its presence in centralized threat databases is distinct from that of old versions of the T1Happy Ransomware, malware researchers haven't seen any infection scenarios against the public. Some versions of the ExpBoot Ransomware even include bugs severe enough that the program crashes after starting up because it throws a .NET Framework error.

However, users shouldn't count on a Trojan always malfunctioning to keep their digital media safe. Proper backup strategies, such as saving files to removable devices or remote servers, offer appropriate recovery options against nearly any file-locker Trojan. Restore Points may also be available in some cases, although most of the file-locker Trojan families that malware experts examine include functions for wiping them.

Windows-compatible anti-malware tools should experience no difficulties in uninstalling the ExpBoot Ransomware or stopping its installation; this threat has no significant protection against third-party security tools.

Although the ExpBoot Ransomware's ransom method suggests that China is most at risk from its campaign, anyone can become the incidental victim of a file-locking infection. If they're lucky, they may encounter a glitchy version of the ExpBoot Ransomware, but it's better not to leave the integrity of your work up to Lady Luck.
