Korean Ransomware
Posted: August 17, 2016
Threat Metric
The following fields listed on the Threat Meter containing a specific value, are explained in detail below:
Threat Level: The threat level scale goes from 1 to 10 where 10 is the highest level of severity and 1 is the lowest level of severity. Each specific level is relative to the threat's consistent assessed behaviors collected from SpyHunter's risk assessment model.
Detection Count: The collective number of confirmed and suspected cases of a particular malware threat. The detection count is calculated from infected PCs retrieved from diagnostic and scan log reports generated by SpyHunter.
Volume Count: Similar to the detection count, the Volume Count is specifically based on the number of confirmed and suspected threats infecting systems on a daily basis. High volume counts usually represent a popular threat but may or may not have infected a large number of systems. High detection count threats could lie dormant and have a low volume count. The criteria for the Volume Count are relative to a daily detection count.
Trend Path: The Trend Path, using an up arrow, down arrow or equal symbol, represents the level of recent movement of a particular threat. Up arrows represent an increase, down arrows represent a decline and the equal symbol represents no change in a threat's recent movement.
% Impact (Last 7 Days): This demonstrates a 7-day period change in the frequency of a malware threat infecting PCs. The percentage impact correlates directly to the current Trend Path to determine a rise or decline in the percentage.
| Threat Level: | 10/10 |
|---|---|
| Infected PCs: | 65 |
| First Seen: | August 17, 2016 |
| OS(es) Affected: | Windows |
The Korean Ransomware is a file-encrypting Trojan currently deployed against victims in Korea, with the purpose of extracting ransoms in return for decrypting the content it encrypts during its initial execution. Standard anti-malware security should be able to remove the Korean Ransomware before it finishes encrypting your data, and keeping backups also renders your information less vulnerable to these attacks.
A New Hidden Tear Falls on Korea
Hidden Tear is a by-now-infamous source code project originally developed to educate security researchers on how malicious file encryptors work. As they often do, threat authors have since hijacked this repository of code to create threatening software for deployment in the wild. August has delivered a new variant of this threat in the form of the Korean Ransomware, which, as its name suggests, uses components all localized for targeting victims in North or (more likely) South Korea.
The Korean Ransomware continues to use AES-256 as the preferred standard for encrypting a victim's digital content. The Korean Ransomware scans for and attacks files matching non-essential formats and directory locations, such as work spreadsheets or saved downloads, while excluding the Windows OS directory. The Trojan also renames each file by appending a new extension (the term 'encrypted' written in Korean characters) to the original one.
After using encryption to block your data, the Korean Ransomware creates two ransom messages, one in a Notepad text format and one as an HTML pop-up. Malware experts noted that the latter is interactive and includes detailed payment processing instructions, although its graphic design is more limited than usual. Victims are asked to navigate to a TOR address to buy back the decryption service for their information, a process that helps protect the anonymity of the Korean Ransomware's admins.
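As an added defender-side triage example (not code from the page, from SpyHunter or from the Hidden Tear project), the script below walks a directory tree and flags the two artifacts described above: files carrying an extra Hangul extension appended after their original extension, and folders holding both a .txt and an .html ransom note next to such files. The page does not give the exact Korean extension string, so the constructed sample uses a placeholder Hangul suffix and matches any all-Hangul trailing extension.

```python
"""Hidden-Tear-style outbreak triage: added example, not the page's own code."""
import os
import re
import tempfile

# Hangul syllables occupy U+AC00..U+D7A3. The real appended extension is the
# Korean word for "encrypted" (exact string not given on the page), so we
# match any all-Hangul suffix appended after a normal alphanumeric extension.
HANGUL_EXT = re.compile(r"^(?P<stem>.+\.[A-Za-z0-9]{1,5})\.(?P<ext>[\uac00-\ud7a3]+)$")


def is_hidden_tear_renamed(name):
    """True if the file name looks like <original>.<ext>.<hangul-suffix>."""
    return HANGUL_EXT.match(name) is not None


def original_name(name):
    """Recover the pre-rename file name (the part before the Hangul suffix)."""
    m = HANGUL_EXT.match(name)
    return m.group("stem") if m else name


def triage(root):
    """Return (renamed_files, note_dirs).

    renamed_files: paths whose names carry a Hangul-appended extension.
    note_dirs: directories containing renamed files plus both a .txt and an
    .html file, i.e. the paired ransom notes the Trojan drops.
    The Windows OS directory is skipped, mirroring the Trojan's own exclusion."""
    renamed, note_dirs = [], []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d.lower() != "windows"]
        hits = [f for f in filenames if is_hidden_tear_renamed(f)]
        lower = [f.lower() for f in filenames]
        has_notes = any(f.endswith(".txt") for f in lower) and \
            any(f.endswith(".html") for f in lower)
        if hits and has_notes:
            note_dirs.append(dirpath)
        renamed.extend(os.path.join(dirpath, f) for f in hits)
    return renamed, note_dirs


def build_sample_tree():
    """Constructed sample tree (no real infection); '예시' is a placeholder suffix."""
    root = tempfile.mkdtemp()
    docs = os.path.join(root, "Users", "victim", "Documents")
    win = os.path.join(root, "Windows", "System32")
    os.makedirs(docs)
    os.makedirs(win)
    for name in ("budget.xlsx.예시", "photo.jpg.예시", "notes.docx",
                 "README.txt", "README.html"):
        open(os.path.join(docs, name), "w").close()
    open(os.path.join(win, "kernel32.dll"), "w").close()
    return root
```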
Taking a Nation Back from Threats
The Korean Ransomware's greatest significance lies in the distinctive specialization of its geographical targeting, with its multiple ransom messages and custom extension all localized for Korea. While the majority of file-encryption Trojans examined by malware researchers use English by default, the Korean Ransomware shows that PC users in other regions are also at risk of the same attempts at digital extortion. Keeping one or more backups on a non-local hard drive is the recommended way of preserving critical files from being damaged, potentially permanently, by any threat of the Korean Ransomware's category.
Symptoms of a Korean Ransomware infection, such as its pop-up, are highly visible, but they appear only after the Korean Ransomware has already encrypted your files. Web-browsing security steps, such as disabling scripts, avoiding unsafe websites and scanning e-mail attachments, are all advisable for blocking potential infection vectors. While you may remove the Korean Ransomware and other Hidden Tear-based Trojans with the anti-malware program of your choice, most victims will need separate solutions for restoring any damaged data.
Threatening software, much like the money it seeks to gather, is a global concern. Whether you live in North Korea, South Korea or on an entirely different continent, stopping campaigns like the Korean Ransomware's is up to your personal security measures.