WinRarer Ransomware

Posted: November 4, 2016

Threat Metric

The Threat Meter is a malware assessment that SpywareRemove.com's research team is able to give every identifiable malware threat. Our Threat Meter includes several criteria based off of specific malware threats to value their severity, reach and volume. The Threat Meter is able to give you a numerical breakdown of each threat's initial Threat Level, Detection Count, Volume Count, Trend Path and Percentage Impact. The overall ranking of each threat in the Threat Meter is a basic breakdown of how all threats are ranked within our own extensive malware database. The scoring for each specific malware threat can be easily compared to other emerging threats to draw a contrast in its particular severity. The Threat Meter is a useful tool in the endeavor of seeking a solution to remove a threat or pursue additional analytical research for all types of computer users.

The following fields listed on the Threat Meter containing a specific value, are explained in detail below:

Threat Level: The threat level scale goes from 1 to 10 where 10 is the highest level of severity and 1 is the lowest level of severity. Each specific level is relative to the threat's consistent assessed behaviors collected from SpyHunter's risk assessment model.

Detection Count: The collective number of confirmed and suspected cases of a particular malware threat. The detection count is calculated from infected PCs retrieved from diagnostic and scan log reports generated by SpyHunter.

Volume Count: Similar to the detection count, the Volume Count is specifically based on the number of confirmed and suspected threats infecting systems on a daily basis. High volume counts usually represent a popular threat but may or may not have infected a large number of systems. High detection count threats could lay dormant and have a low volume count. Criteria for Volume Count is relative to a daily detection count.

Trend Path: The Trend Path, utilizing an up arrow, down arrow or equal symbol, represents the level of recent movement of a particular threat. Up arrows represent an increase, down arrows represent a decline and the equal symbol represent no change to a threat's recent movement.

% Impact (Last 7 Days): This demonstrates a 7-day period change in the frequency of a malware threat infecting PCs. The percentage impact correlates directly to the current Trend Path to determine a rise or decline in the percentage.

Threat Level:	8/10
Infected PCs:	54

First Seen:	November 4, 2016
Last Seen:	October 31, 2021
OS(es) Affected:	Windows

The WinRarer Ransomware is a Trojan that moves your files into a password-protected archive and asks for ransom money for the password. Although this payload is less technically sophisticated than those of most file-encrypting threats, the WinRarer Ransomware does block the affected files efficiently and, for users without backups, may be able to prevent a complete recovery from the loss of data. Along with using the backup strategies malware experts always recommend, you also can protect your PC by blocking the WinRarer Ransomware through an anti-malware utility.

Compressing Your Files into Someone's Bottom Line

The past few years have provided testing grounds for a variety of different, often creative methods of holding strangers up for ransom via their computers. Current trends in threat focus on exploiting asymmetric, file-encrypting algorithms that modify the contents of the victim's saved data directly. However, a minority of con artists, like those manning the WinRarer Ransomware campaign, prefer exploiting standard data-compression services. The result is equally effective at blocking content and, therefore, enabling PC hostage scenarios.

Initially, the WinRarer Ransomware scans for files in the root directories of all drives, excluding content flagged as part of the operating system. Similarly to the CryptoHost Ransomware, it also creates an archive (in the case of the WinRarer Ransomware, 'YourFilesHere-0penWithWinrar.ace') to store your files. You can find the folder within the new 'YOUR-locked-FILES' folder. Although the process doesn't damage your content, the Trojan protects its archive with a password known only to its threat actor.

Malware experts' further analysis of the Trojan also confirmed the presence of extortion messages asking for payment in exchange for the above password. The WinRarer Ransomware delivers these messages by hijacking your desktop's wallpaper as well as by dropping an HTML file on the desktop.

Acing a Trojan's ACE Compression Attack

The WinRarer Ransomware may not use the most sophisticated means of blocking your files, but PC owners without available backups may be just as incapable of recovering the content as if the Trojan had encrypted it. While malware experts still advise using redundant storage as the easiest means of keeping any valuable data safe, the WinRarer Ransomware does target some kinds of backup information to block default recovery options. Assuming no glitches with the Trojan's payload, the System Restore feature and the contents of the Windows Shadow Volume Copy are unavailable to its victims.

Recovery options not assailable by the WinRarer Ransomware include backups kept in a password-protected cloud service or a detachable storage device out of contact with the infected PC. Removing the WinRarer Ransomware through standard anti-malware tools and then recovering from one of those two options offers the most efficient way of getting all information back without paying the ransom the WinRarer Ransomware demands.

Other than targeting English-speaking PC owners, the WinRarer Ransomware's campaign provides limited clues into its distribution patterns. Any PC user who doesn't wish to play guessing games with a mystery password locking their files should stay mindful of the infection strategies in recurring use, ranging from e-mail links to brute-forcing RDP systems.

WinRarer Ransomware

Threat Metric

Compressing Your Files into Someone's Bottom Line

Acing a Trojan's ACE Compression Attack

Leave a Reply