Sekhmet Ransomware

The Sekhmet Ransomware is a file-locking Trojan that can keep documents and other media on your PC from opening. Other symptoms of infections include random extensions on your files' names and a text note recommending negotiating a ransom through a TOR website.

Egyptian Warfare on a Very Different Battlefield

Mythological themes aren't strange to file-locking Trojans, as readers might know from the old attacks of the Hermes837 Ransomware, the Minotaur Ransomware, the RagnarokCry Ransomware, or the Apophis Ransomware. However, a new arrival, the Sekhmet Ransomware, shows no tangible trail back to any of these potential ancestors. While it has the hallmarks of a Ransomware-as-a-Service, malware experts estimate the Sekhmet Ransomware's being unique currently, for now.

The Sekhmet Ransomware uses the Egyptian mythology's goddess of war for its namesake, although its payload is orienting itself towards English-speakers as the victims, conventionally. As a threatening Windows program, it resembles such families as the Globe Ransomware or Hidden Tear by leveraging a two-algorithm encryption routine for blocking files like documents or pictures. The encryption choice of RSA and ChaCha (a relative of the Salsa20 cipher family) is, however, notably untraditional.

Along with blocking these files, the Sekhmet Ransomware implements another, archetypal feature in a strange way: by adding pseudo-random extensions onto every captive file. The randomization is per file, rather than per PC, and malware experts are observing length variances from four to six characters. Such a choice is odd, considering that it counters the intention of helping victims survey the extent of the damage to their digital media quickly.

Soothing the Savage Beast that's in Your Computer

The lion-headed goddess from whence the Sekhmet Ransomware gets its theme informs its ransoming strategy to almost no extent. It uses the conventional setup of anonymous, TOR websites for taking payments, and offers a 'chat room' style interface for the negotiations with the victims. Although there's no information on current prices for the Sekhmet Ransomware decryptors, users should remain wary of paying in non-refundable methods, particularly, for a possibly buggy or fictitious service.

Users should save backups onto other devices at all times for recovery from file-locking Trojans. Less likely but possible recovery options also include advanced Shadow Volume Copies-based restoration tools and assistance from security researchers with cryptographic education. On average, unlocking files is possible in one out of every ten attacks, for 'professional' Trojans like the Sekhmet Ransomware, which are business enterprises effectively.

Anti-malware products also form an effective defensive option for nearly all PC owners, including Windows users who are at risk from this campaign.

Several versions of the Sekhmet Ransomware are pretending that they're DLL files. While these dynamic-link library files are crucial for many programs, the false extension doesn't guard the Trojan against deletion by any proper anti-malware service – just like the Trojan can't extend its reach across protected and detachable devices.