EyLamo Ransomware

Posted: June 27, 2017

Threat Metric

The Threat Meter is a malware assessment that SpywareRemove.com's research team is able to give every identifiable malware threat. Our Threat Meter includes several criteria based off of specific malware threats to value their severity, reach and volume. The Threat Meter is able to give you a numerical breakdown of each threat's initial Threat Level, Detection Count, Volume Count, Trend Path and Percentage Impact. The overall ranking of each threat in the Threat Meter is a basic breakdown of how all threats are ranked within our own extensive malware database. The scoring for each specific malware threat can be easily compared to other emerging threats to draw a contrast in its particular severity. The Threat Meter is a useful tool in the endeavor of seeking a solution to remove a threat or pursue additional analytical research for all types of computer users.

The following fields listed on the Threat Meter containing a specific value, are explained in detail below:

Threat Level: The threat level scale goes from 1 to 10 where 10 is the highest level of severity and 1 is the lowest level of severity. Each specific level is relative to the threat's consistent assessed behaviors collected from SpyHunter's risk assessment model.

Detection Count: The collective number of confirmed and suspected cases of a particular malware threat. The detection count is calculated from infected PCs retrieved from diagnostic and scan log reports generated by SpyHunter.

Volume Count: Similar to the detection count, the Volume Count is specifically based on the number of confirmed and suspected threats infecting systems on a daily basis. High volume counts usually represent a popular threat but may or may not have infected a large number of systems. High detection count threats could lay dormant and have a low volume count. Criteria for Volume Count is relative to a daily detection count.

Trend Path: The Trend Path, utilizing an up arrow, down arrow or equal symbol, represents the level of recent movement of a particular threat. Up arrows represent an increase, down arrows represent a decline and the equal symbol represent no change to a threat's recent movement.

% Impact (Last 7 Days): This demonstrates a 7-day period change in the frequency of a malware threat infecting PCs. The percentage impact correlates directly to the current Trend Path to determine a rise or decline in the percentage.

Threat Level:	10/10
Infected PCs:	76

First Seen:	June 27, 2017
OS(es) Affected:	Windows

The EyLamo Ransomware is a modified version of Hidden Tear, which was meant to demonstrate how threatening, file-encrypting attacks can lock files for profit. It still can encode your media to stop you from opening them and uses multiple means of delivering its ransom notes to ask for money. One always should try free recovery options first, and malware experts suggest deleting the EyLamo Ransomware with anti-malware tools before recovering the encoded media from backups, when practical.

More Extortionists Coming out of Hiding

The arguably poorly-named Hidden Tear is fast becoming one of the most widely distributed of file-enciphering Trojans among threat actors with negligible programming experience. Although waiting for the symptoms of an attack to occur usually will provide results, the cost of the delay can place your files in a scenario where they're irretrievable. As one of many examples, our malware experts recommend looking at the newly made the EyLamo Ransomware.

The EyLamo Ransomware, named for its self-identified author, uses most of the code of Hidden Tear with few changes, besides providing new ransoming demands. Effects of an infection include the following symptoms and attacks:

The EyLamo Ransomware scans the PC without displaying a user interface, searching for files that it can determine by their formats, filename strings, sizes or locations. Content worth encrypting (such as documents, pictures, or audio) is encoded with an AES cipher to lock it from being readable.
The Trojan also swaps the victim's desktop wallpaper with a custom image that informs them about the attack and tells them to read the ransom note.
Lastly, the Notepad file serving as a ransoming message asks you to pay either Bitcoins or 'kebab' (the latter, most likely, sarcastically) to decrypt and unlock your files.

The Issues with Giving Con Artists the Benefit of the Doubt

While the EyLamo Ransomware does give a wallet address for paying, it eschews some of the most important (from the view of a victim) associated information. By not using an identification number or other means of correlating infections with Bitcoin payments, the EyLamo Ransomware leaves its victims extremely open to paying without anything back for the price. Furthermore, the EyLamo Ransomware's family of Hidden Tear is one that malware analysts are noting as being highly compatible with freeware decryptors that will not charge for the decoding process currently.

Although the EyLamo Ransomware's author's name contains some trace Spanish, all of the Trojan's components communicate in English and provide minimal hints of the campaign's geographical spread. The Trojan may be bundling with other downloads, circulating with the help of other threats, such as the RIG Exploit Kit or be attached to forged spam e-mail. Most anti-malware products are capable of covering these infection vectors, if allowed, and can remove the EyLamo Ransomware without its file-locking attack having a chance to trigger.

Hidden Tear has never been less 'hidden' than recently, but threat actors appear to be making enough profit off of exploiting it to continue the practice. Stopping to consider the dangers of ransoms or the virtues of backups is an act with a self-evident payoff for thwarting the EyLamo Ransomware and similar campaigns.

EyLamo Ransomware

Threat Metric

More Extortionists Coming out of Hiding

The Issues with Giving Con Artists the Benefit of the Doubt

Leave a Reply