
Taka Ransomware

Posted: September 26, 2016

Threat Metric

Threat Level: 10/10
Infected PCs: 1
First Seen: September 26, 2016
OS(es) Affected: Windows


The Taka Ransomware is a Trojan that encrypts your files to solicit ransom payments in Bitcoins. Its installation vehicles distribute themselves through fake e-mail messages before downloading the Taka Ransomware from a Web domain that is active at the time of writing. You can protect your PC from the Taka Ransomware's attacks by keeping backups in locations that the Trojan can't access and by using anti-malware applications able to detect this threat and its installers.

The Worst Kind of Triple X Files to Have

While e-mail services make it possible to communicate with both friends and business partners at revolutionary speeds, threat authors and administrators of threatening software campaigns make just as much use of the technology as everyone else. The Taka Ransomware, a Trojan still in development with an emphasis on encrypting files without the owner's consent, is a look at how a threat actor can use an e-mail message to compromise a PC, damage its contents, and profit from the scenario. Comparable strategies also are in use by a range of other, unrelated Trojan campaigns.

The Taka Ransomware doesn't distribute itself, but, instead, leverages Trojan downloaders that its threat actors send through forged e-mail messages. PC owners tricked into launching the attachments subject themselves to the Trojan's automatic download of the Taka Ransomware from one of three websites. Most likely not coincidentally, all of these sites are Japan-based, even though the Taka Ransomware's ransom scheme targets English speakers.

The downloader Trojan installs the Taka Ransomware under a randomly generated name in the Program Files directory, and the Taka Ransomware proceeds with encrypting your files using AES, with RSA then used to encrypt the resulting AES key. The first visible symptoms of a Taka Ransomware infection only occur after these attacks: malware experts noted the Taka Ransomware appending '.xxx' extensions to the encrypted content, as well as generating text notes and interactive pop-up windows. The latter two are means of conveying the Taka Ransomware's ransom demand, which its threat actor insists on being paid in Bitcoin currency within a three-day time limit.

Cleaning Up a Trojan's 'XXX' Act

The Taka Ransomware disguises its installation method as safe content, conducts attacks without symptoms until the victim incurs file damage, takes steps to protect its encryption method from any decryption efforts, and adds a time limit to its extortion instructions. The result is a traditional infection scenario where a victim may compromise his PC and then be tempted to pay to 'make it right.' However, the Taka Ransomware has no built-in decryption service linked to its ransom strategy, making it easy for a threat actor to renege on their word after taking the money.

Another mildly unusual feature of the Taka Ransomware's campaign is unrelated to this Trojan's code. Instead of using the victim's personal e-mail address for any communications, the threat actor uses the Taka Ransomware's built-in pop-up for receiving confirmations of transactions and claims that he'll provide a public e-mail account for the victim containing the necessary decryption solutions (both the key and the decryption app).

In contrast to the recommendations of the Taka Ransomware's notes, malware experts recommend keeping your anti-malware tools enabled and deleting the Taka Ransomware (or quarantining it, if PC security researchers request samples). Victims should avoid restarting their PCs, which can re-launch the Taka Ransomware through its Task Scheduler entry and, potentially, encrypt more content.

Except for the oddity of its decryption conveyance, the Taka Ransomware is a classical example of how Trojans focusing on file encryption operate in 2016. And, like almost all similar threats, malware experts keep recommending backups, anti-malware security, and safe e-mail behavior as the keys to keeping this Trojan campaign from doing permanent damage.

Technical Details

File System Modifications

Tutorials: If you wish to learn how to remove malware components manually, you can read the tutorials on how to find malware, kill unwanted processes, remove malicious DLLs and delete other harmful files. Always be sure to back up your PC before making any changes.

The following files were created in the system:

file.exe
  File name: file.exe
  Size: 434.17 KB (434176 bytes)
  MD5: f33f662d124288da3d4bee72b81695f9
  Detection count: 58
  File type: Executable File
  Mime Type: unknown/exe
  Group: Malware file
  Last Updated: September 26, 2016
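The file record above and the '.xxx' symptom described earlier are the only host-level indicators this page gives, so a responder's first pass is a file-system sweep for exactly those. The script below is an added example written for this article, not a tool from the page or from any vendor: it hashes candidate files against the published MD5, uses the published size as a cheap pre-filter before hashing (identical content must have an identical size, so a size mismatch rules a file out without reading it), and lists documents that carry an appended '.xxx' extension. The directory it scans is a constructed sample tree; the dropper name 'qz8k3v.exe' is made up to stand in for the randomly generated name the page mentions.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Indicators taken from this page's file record and symptom description.
KNOWN_MD5 = "f33f662d124288da3d4bee72b81695f9"
KNOWN_SIZE = 434176          # bytes, as published above
ENCRYPTED_EXT = ".xxx"       # extension appended to encrypted files


def md5_of_file(path, chunk_size=1 << 16):
    """Hash a file in chunks so large files never have to fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_tree(root):
    """Walk 'root' and return (hash_matches, size_only_hints, encrypted_files).

    hash_matches    - files whose MD5 equals the published sample hash
    size_only_hints - files of the published size whose hash differs; a weak
                      hint worth a manual look, since a rebuilt sample keeps
                      its size more often than its hash
    encrypted_files - files named like '<original name>.xxx'
    """
    hash_matches, size_only_hints, encrypted_files = [], [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            try:
                size = p.stat().st_size
            except OSError:
                continue  # unreadable or vanished while scanning; skip it
            # 'budget.xlsx.xxx' has suffix '.xxx' and a non-empty stem;
            # a bare dotfile named '.xxx' has no suffix and is ignored.
            if p.suffix.lower() == ENCRYPTED_EXT and p.stem:
                encrypted_files.append(str(p))
            # Size pre-filter: only files of the published size are hashed.
            if size == KNOWN_SIZE:
                if md5_of_file(p) == KNOWN_MD5:
                    hash_matches.append(str(p))
                else:
                    size_only_hints.append(str(p))
    return hash_matches, size_only_hints, encrypted_files


def build_demo_tree():
    """Constructed sample directory (not real infection data)."""
    root = Path(tempfile.mkdtemp(prefix="taka_demo_"))
    (root / "Program Files").mkdir()
    (root / "Documents").mkdir()
    # Hypothetical dropper name; exact published size, arbitrary content,
    # so it surfaces as a size-only hint rather than a hash match.
    (root / "Program Files" / "qz8k3v.exe").write_bytes(b"\x00" * KNOWN_SIZE)
    (root / "Documents" / "budget.xlsx.xxx").write_bytes(b"constructed ciphertext")
    (root / "Documents" / "photo.jpg.xxx").write_bytes(b"constructed ciphertext")
    (root / "Documents" / "notes.txt").write_bytes(b"untouched plaintext")
    (root / "Documents" / "empty.bin").write_bytes(b"")  # known MD5 test vector
    return root


if __name__ == "__main__":
    root = build_demo_tree()
    hashes, sizes, encrypted = scan_tree(root)
    print("hash matches:   ", hashes)
    print("size-only hints:", sizes)
    print("encrypted files:", encrypted)
```

A hash match is strong evidence of this exact sample; a size-only hint or a cluster of '.xxx' files is a reason to isolate the machine and pull the sample for analysis rather than a verdict on its own. The Task Scheduler entry the page mentions would be the next thing to check, but the page gives no task name, so it is not part of this sweep.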
