
UpdateHost Ransomware

Posted: February 9, 2017

Threat Metric

Threat Level: 10/10
Infected PCs: 461
First Seen: February 9, 2017
Last Seen: May 3, 2023
OS(es) Affected: Windows

The UpdateHost Ransomware is a new version of Hidden Tear, a formerly open-source Trojan that locks your files with encryption, which con artists exploit to ransom money from victims. Because they may or may not provide any decryption assistance, paying the fees they demand is a poor response; responsible backup strategies are the better course. Because this threat is built on thoroughly analyzed code, most anti-malware products can identify and remove the UpdateHost Ransomware on sight.

New Reasons for Tears Coming out of Hiding

Two months into the new year, Hidden Tear already is proving its worth to less talented threat actors by serving as the foundation for the attack campaigns of threats like the SkyName Ransomware, the MafiaWare Ransomware, the Hidden-Peach Ransomware, and the newest of its relatives, the UpdateHost Ransomware. Based on its file data, the Trojan seems to be distributed while disguised as a component of Windows, possibly as an update or patch. Information about its intended targets is limited, although malware experts find that the UpdateHost Ransomware doesn't conform to the standards of file-encrypting Trojans meant for sabotaging commercial or industrial targets.

The UpdateHost Ransomware modifies some essential Windows files, including the Kernel Security Driver, to assist its installation and long-term persistence on the PC. When done, it scans your drives for files matching the list of formats its threat actors consider worth encrypting (and so locking from being opened): compressed archives, pictures, documents, and a handful of other, equally common data types. Each locked file is identifiable by the '.locked' extension that the UpdateHost Ransomware appends to its name.

One of the UpdateHost Ransomware's last actions creates a Notepad message for the victim to read, containing English text that malware experts have yet to link to other Trojan campaigns. The instructions ask for payment in Bitcoin to restore your files but leave the exact ransom amount unspecified, possibly so the threat actor can negotiate an optimal price. The presence of some Cyrillic characters also may be evidence of a link between this Trojan or its author and Russia or nearby nations.
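As an added, defender-side example that is not part of the original analysis, the following Python script triages a directory tree for the indicators described in the two paragraphs above: files renamed with the '.locked' extension, grouped by their original type, with a byte-entropy check to tell genuinely encrypted files from merely renamed ones, plus small text files mentioning Bitcoin as candidate ransom notes. The 7.0-bit entropy threshold, the file names and the contents of the sample tree are assumptions constructed for the demo.

```python
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

LOCKED_EXT = ".locked"  # extension the page reports UpdateHost appends to each encrypted file

def shannon_entropy(data: bytes) -> float:
    """Bits per byte of `data`: ciphertext approaches 8.0, plain text sits well below."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def is_candidate_note(path: Path, max_size: int = 8192) -> bool:
    """Small text file mentioning Bitcoin, matching the Notepad message the page describes."""
    if path.suffix.lower() != ".txt" or path.stat().st_size > max_size:
        return False
    return "bitcoin" in path.read_text(errors="ignore").lower()

def triage(root: str, sample_bytes: int = 4096, entropy_floor: float = 7.0) -> dict:
    """Bucket '.locked' files under `root` as encrypted or merely renamed; collect candidate notes."""
    report = {"encrypted": [], "renamed_only": [], "by_original_ext": Counter(), "notes": []}
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        if path.suffix.lower() == LOCKED_EXT:
            original_ext = Path(path.stem).suffix.lower()  # 'photo.jpg.locked' -> '.jpg'
            with open(path, "rb") as f:
                ent = shannon_entropy(f.read(sample_bytes))  # sample the head only; large trees stay fast
            bucket = "encrypted" if ent >= entropy_floor else "renamed_only"
            report[bucket].append((str(path), original_ext, round(ent, 2)))
            if bucket == "encrypted":
                report["by_original_ext"][original_ext] += 1
        elif is_candidate_note(path):
            report["notes"].append(str(path))
    return report

def build_sample_tree() -> str:
    """Constructed fixture (not real UpdateHost output): one encrypted-looking file, one merely
    renamed file, one untouched file, and a small note mentioning Bitcoin."""
    root = tempfile.mkdtemp()
    (Path(root) / "photo.jpg.locked").write_bytes(os.urandom(4096))
    (Path(root) / "memo.docx.locked").write_bytes(b"plain text that was only renamed\n" * 50)
    (Path(root) / "untouched.pdf").write_bytes(b"%PDF-1.4 constructed stub\n")
    (Path(root) / "READ_ME.txt").write_text("Send Bitcoin to restore your files (constructed note)\n")
    return root
```

Running `triage(build_sample_tree())` reports the random-byte file as encrypted, the ASCII one as renamed only, and the note as a candidate; on a real machine point `triage` at the affected volume.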

Making Sure a Trojan's Update is an Outdated Problem

Decryption solutions for Hidden Tear-based threats do exist that don't require transferring money to con artists, which is an inherently high-risk option. However, the UpdateHost Ransomware's threat actors may change the encryption method in ways that hinder any data recovery efforts. Anyone needing to keep their files safe should back them up to a low-risk location, such as a detached device or a protected Web server.

Prior attacks by Trojans using fake Windows updates to hide their installations may correlate with exposure to threatening websites and drive-by-download kits, which malware experts recommend curtailing via appropriate browser settings. Many anti-malware utilities also have good detection rates for Hidden Tear-based threats, and keeping them active can allow you to remove the UpdateHost Ransomware before its file-enciphering attack ever occurs.

While the UpdateHost Ransomware is a small executable with a limited payload, its authors carefully select encryption targets that are most likely to be in wide use. A Trojan's humble origins and payload do not necessarily mean minimal damage, either to your saved data or to your finances.
