Rastakhiz Ransomware
Posted: November 20, 2017
Threat Metric
The following fields listed on the Threat Meter containing a specific value, are explained in detail below:
Threat Level: The threat level scale goes from 1 to 10 where 10 is the highest level of severity and 1 is the lowest level of severity. Each specific level is relative to the threat's consistent assessed behaviors collected from SpyHunter's risk assessment model.
Detection Count: The collective number of confirmed and suspected cases of a particular malware threat. The detection count is calculated from infected PCs retrieved from diagnostic and scan log reports generated by SpyHunter.
Volume Count: Similar to the detection count, the Volume Count is specifically based on the number of confirmed and suspected threats infecting systems on a daily basis. High volume counts usually represent a popular threat but may or may not have infected a large number of systems. High detection count threats could lay dormant and have a low volume count. Criteria for Volume Count is relative to a daily detection count.
Trend Path: The Trend Path, utilizing an up arrow, down arrow or equal symbol, represents the level of recent movement of a particular threat. Up arrows represent an increase, down arrows represent a decline and the equal symbol represent no change to a threat's recent movement.
% Impact (Last 7 Days): This demonstrates a 7-day period change in the frequency of a malware threat infecting PCs. The percentage impact correlates directly to the current Trend Path to determine a rise or decline in the percentage.
| Threat Level: | 8/10 |
|---|---|
| Infected PCs: | 14 |
| First Seen: | September 8, 2021 |
|---|---|
| Last Seen: | April 19, 2023 |
| OS(es) Affected: | Windows |
The Rastakhiz Ransomware is a new version of Hidden Tear, a Trojan that demonstrates encryption features that can block the user's files until a threat actor provides the decryption key. These attacks are particularly likely of targeting media like movies, pictures, or text documents, and this specific family is compatible with most Windows machines. Always have your anti-malware products quarantine, block or uninstall the Rastakhiz Ransomware as soon as possible, and keep backups that can protect your files from any inadvertent damage during an infection.
Hidden Tear's Coming out of Hiding Again
This month's trend of a regular trickle of Hidden Tear-based development is holding constant, with new versions like the Rastakhiz Ransomware being notable, primarily, as introductions of threat actors. The Rastakhiz Ransomware version of the HT family has no extreme changes to its file-locking feature, which uses a simple encryption cipher to keep victims from opening different files types that might be valuable to them. On the other hand, this threat's attacks do include some odd choices in C&C communications and a new template of pop-up warning.
The Rastakhiz Ransomware searches for and encodes files on the infected machine with potential filtering for both the format of data (such as DOC or JPG), as well as the location (such as the Downloads folder or desktop). It also appends a '.RASTAKHIZ' extension to the name of each piece of data it locks this way although it doesn't remove the original extension necessarily. The Trojan also uploads the unique code for cracking the cipher to one of two Gmail accounts under the control of its threat actor.
After this, the Rastakhiz Ransomware loads an HTA-template pop-up that delivers a general warning of the attack and information related to paying its ransom. The Rastakhiz Ransomware offers conflicting information on whether or not it has a timing limit for paying, which is one of the several indications malware experts note as signs of the Trojan being half-made. It also includes links for a Bitcoin-based ransom, a related ID number, and the decryptor (which does require the threat actor's decryption key). The timer element in this window is non-working currently.
Stopping the Tears over Losing Your Files
Regarding its data-enciphering functions, Hidden Tear isn't a very secure Trojan, and some public decryption programs can break the file-locking encoding that different versions of the family employ. Malware experts recommend backing up any locked content before testing these solutions, which may cause additional data corruption. However, even more importantly, preventative backups can protect your media from the original encryption attack and help with restoring files without needing the decryption service.
The Rastakhiz Ransomware campaign has yet to be verifiable for attacking either recreational PC users or targets like the corporate sector. Most threat actors distribute file-locker Trojans by attaching them or their installers to e-mail spam, although a minority use alternatives, like exploit kits. Many anti-malware programs can block drive-by-download attacks and delete the Rastakhiz Ransomware or disguised threats that could install it.
Depending on your choice of backup service, backing your files up every time you update them can be an onerous chore or a triviality. Whether it's the former or the latter, Trojans like the Rastakhiz Ransomware are a constant prompt always to take the time or neglect it at a cost in Bitcoins.
Leave a Reply
Please note that we are not able to assist with billing and support issues regarding SpyHunter or other products. If you're having issues with SpyHunter, please get in touch with SpyHunter customer support through your SpyHunter . If you have SpyHunter billing questions, we recommend you check the Billing FAQ. For general suggestions or feedback, contact us.