Rastakhiz Ransomware

The Rastakhiz Ransomware is a new version of Hidden Tear, a Trojan that demonstrates encryption features that can block the user's files until a threat actor provides the decryption key. These attacks are particularly likely of targeting media like movies, pictures, or text documents, and this specific family is compatible with most Windows machines. Always have your anti-malware products quarantine, block or uninstall the Rastakhiz Ransomware as soon as possible, and keep backups that can protect your files from any inadvertent damage during an infection.

Hidden Tear's Coming out of Hiding Again

This month's trend of a regular trickle of Hidden Tear-based development is holding constant, with new versions like the Rastakhiz Ransomware being notable, primarily, as introductions of threat actors. The Rastakhiz Ransomware version of the HT family has no extreme changes to its file-locking feature, which uses a simple encryption cipher to keep victims from opening different files types that might be valuable to them. On the other hand, this threat's attacks do include some odd choices in C&C communications and a new template of pop-up warning.

The Rastakhiz Ransomware searches for and encodes files on the infected machine with potential filtering for both the format of data (such as DOC or JPG), as well as the location (such as the Downloads folder or desktop). It also appends a '.RASTAKHIZ' extension to the name of each piece of data it locks this way although it doesn't remove the original extension necessarily. The Trojan also uploads the unique code for cracking the cipher to one of two Gmail accounts under the control of its threat actor.

After this, the Rastakhiz Ransomware loads an HTA-template pop-up that delivers a general warning of the attack and information related to paying its ransom. The Rastakhiz Ransomware offers conflicting information on whether or not it has a timing limit for paying, which is one of the several indications malware experts note as signs of the Trojan being half-made. It also includes links for a Bitcoin-based ransom, a related ID number, and the decryptor (which does require the threat actor's decryption key). The timer element in this window is non-working currently.

Stopping the Tears over Losing Your Files

Regarding its data-enciphering functions, Hidden Tear isn't a very secure Trojan, and some public decryption programs can break the file-locking encoding that different versions of the family employ. Malware experts recommend backing up any locked content before testing these solutions, which may cause additional data corruption. However, even more importantly, preventative backups can protect your media from the original encryption attack and help with restoring files without needing the decryption service.

The Rastakhiz Ransomware campaign has yet to be verifiable for attacking either recreational PC users or targets like the corporate sector. Most threat actors distribute file-locker Trojans by attaching them or their installers to e-mail spam, although a minority use alternatives, like exploit kits. Many anti-malware programs can block drive-by-download attacks and delete the Rastakhiz Ransomware or disguised threats that could install it.

Depending on your choice of backup service, backing your files up every time you update them can be an onerous chore or a triviality. Whether it's the former or the latter, Trojans like the Rastakhiz Ransomware are a constant prompt always to take the time or neglect it at a cost in Bitcoins.