
Korean Ransomware

Posted: August 17, 2016

Threat Metric

Threat Level: 10/10
Infected PCs: 65
First Seen: August 17, 2016
OS(es) Affected: Windows


The Korean Ransomware is a file-encrypting Trojan currently being deployed against victims in Korea, with the purpose of extracting ransoms in return for decrypting the content it encrypts during its initial execution. Standard anti-malware security should be able to remove the Korean Ransomware before it finishes encrypting your data, and keeping backups also makes your information less vulnerable to these attacks.

A New Hidden Tear Falls on Korea

Hidden Tear is a by-now-infamous source code project originally developed to educate security researchers on how malicious file encryptors function. As they often do, threat authors have since hijacked this code repository to create threatening software for deployment in the wild. August has delivered a new variant of this threat in the form of the Korean Ransomware, which, as its name suggests, uses components all localized to target victims in North or (more likely) South Korea.

Like its Hidden Tear predecessors, the Korean Ransomware uses AES-256 as its preferred standard for encrypting a victim's digital content. The Korean Ransomware scans for and attacks files of non-essential formats in typical user directories, such as work spreadsheets or saved downloads, while excluding the Windows OS. The Trojan also renames each file by appending a new extension (the Korean word for 'encrypted') to the original one.

After encrypting your data, the Korean Ransomware creates two ransom messages: one as a Notepad text file and one as an HTML pop-up. Malware experts noted the latter for being interactive and including detailed payment processing instructions, although its graphic design is more limited than usual. Victims are asked to navigate to a Tor address to buy back the decryption service for their information, a process that helps protect the anonymity of the Korean Ransomware's admins.
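The renaming behaviour described above is also the fastest way for a responder to scope an infection: every damaged file carries the original extension plus the appended marker. The following triage script is an added example, not code from the original write-up or from the Hidden Tear project. It walks a directory tree, flags names that match the "original extension + appended marker" pattern, and summarises hits by original file type and by folder so that restoration from backup can be prioritised. The marker string is an assumption: the write-up only says it is the Korean word for 'encrypted', so the script takes it as a parameter (defaulting to 암호화됨) that should be replaced with the exact string recovered from the incident. The sample directory it builds is constructed for the demonstration.

```python
import collections
import os
import tempfile
from pathlib import Path

# ASSUMPTION (not stated in the write-up): the marker the Trojan appends is the
# Korean word for "encrypted". It is a parameter so it can be swapped for the
# exact string recovered from an incident.
ENCRYPTED_SUFFIX = ".암호화됨"


def is_encrypted_name(name, suffix=ENCRYPTED_SUFFIX):
    """Return True if `name` looks like an original file with the marker appended.

    The marker is appended *after* the original extension, so a hit looks like
    'budget.xlsx' + suffix. A name that is only the marker, or one with no
    original extension, is rejected to limit false positives.
    """
    if not name.endswith(suffix):
        return False
    original = name[: -len(suffix)]
    return Path(original).suffix != ""


def triage_tree(root, suffix=ENCRYPTED_SUFFIX):
    """Walk `root` and summarise the files carrying the ransomware marker.

    Returns a dict with:
      'encrypted': sorted relative paths of hits,
      'by_ext':    Counter of original extensions hit (which data types were targeted),
      'by_dir':    Counter of directories with hits (which folders need restoring).
    """
    root = Path(root)
    hits, by_ext, by_dir = [], collections.Counter(), collections.Counter()
    for dirpath, _subdirs, files in os.walk(root):
        for name in files:
            if not is_encrypted_name(name, suffix):
                continue
            rel = Path(dirpath, name).relative_to(root)
            hits.append(str(rel))
            by_ext[Path(name[: -len(suffix)]).suffix.lower()] += 1
            by_dir[str(rel.parent)] += 1
    return {"encrypted": sorted(hits), "by_ext": by_ext, "by_dir": by_dir}


def build_sample_tree(base):
    """Create a CONSTRUCTED directory layout that mimics a post-infection disk."""
    sample = {
        "docs/budget.xlsx" + ENCRYPTED_SUFFIX: b"not really ciphertext",
        "docs/report.docx" + ENCRYPTED_SUFFIX: b"not really ciphertext",
        "downloads/photo.jpg" + ENCRYPTED_SUFFIX: b"not really ciphertext",
        "downloads/setup.exe": b"untouched",  # a format the Trojan skipped
        "notes" + ENCRYPTED_SUFFIX: b"no original extension, not counted",
        "Windows/System32/kernel32.dll": b"OS files are excluded by the Trojan",
    }
    for rel, content in sample.items():
        path = Path(base, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(content)


def run_demo():
    """Build the constructed tree in a temp dir and return the triage summary."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return triage_tree(tmp)


if __name__ == "__main__":
    result = run_demo()
    print(f"{len(result['encrypted'])} encrypted files")
    for ext, count in result["by_ext"].most_common():
        print(f"  {ext:8} {count}")
    for folder, count in result["by_dir"].most_common():
        print(f"  {folder}/ {count}")
```

Run it against a mounted image or a file share with `triage_tree("/mnt/evidence", suffix=".<recovered marker>")`; the per-extension counts tell you which data types the sample went after, and the per-folder counts tell you which locations to restore first. Because the match is purely on the file name, the script never opens file contents and is safe to run on a live suspect volume.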

Taking a Nation Back from Threats

The Korean Ransomware's greatest significance lies in the distinctive specialization of its geographical targeting, with its multiple ransom messages and custom extension all localized for Korea. While the majority of file-encrypting Trojans examined by malware researchers use English preferentially, the Korean Ransomware shows that PC users in other regions also are at risk of the same attempts at digital extortion. Keeping one or more backups on a non-local hard drive is the recommended way to protect critical files from being damaged, potentially permanently, by any threat of the Korean Ransomware's category.

Symptoms of a Korean Ransomware infection, such as its pop-up, are highly visible but appear only after the Korean Ransomware already has encrypted your files. Web-browsing security steps, such as disabling scripts, avoiding unsafe websites, and scanning e-mail attachments, all are advisable for blocking potential infection vectors. While you may remove the Korean Ransomware and other Hidden Tear-based Trojans with the anti-malware program of your choice, most victims will need separate solutions for restoring any damaged data.

Threatening software, much like the money it seeks to gather, is a global concern. Whether you live in North Korea, South Korea, or on an entirely different continent, stopping campaigns like the Korean Ransomware's is up to your personal security measures.
