
Has Maktub Ransomware Really Made a Comeback?

April 16, 2018, by Simeon Georgiev

Several ransomware researchers have detected a ransomware strain that bears an uncanny resemblance to Maktub. To begin with, its ransom window uses the same design and style as Maktub's. Furthermore, it encrypts the same set of file extensions that Maktub targets.

Experts have described it as an extension of Maktub with additional, more damaging features. They call it Iron Ransomware, naming it after the decryption tool used to remove Maktub ransomware.

Maktub's operators would provide a free key to decrypt one infected file, but that is not the case with this latest variant. As for its encryption module, Iron can lock down files with 374 different extensions, including stream files of various gaming applications. Like many other ransomware families, Iron exempts from encryption any folder whose name contains particular words such as Windows, Microsoft or Internet Explorer.

Developers Might be of Chinese Origin

The ransomware also exempts folders whose names contain 360rad, 360sand or 360sec. These are folder names used by the internet security software of the Chinese company Qihoo 360. Aside from that, the resources added by the operators are also in Chinese. Both features suggest that the attackers might be of Chinese origin.

This new strain also deletes the original files once encryption is complete, and files in the Recycle Bin are deleted during the infection as well. However, restore points and shadow volume copies are left untouched by this ransomware.

Like any sophisticated ransomware, Iron uses the Advanced Encryption Standard (AES) to lock down files on the affected device. It is important to note that the ordinary recovery tools used to restore files after a ransomware attack cannot help once the attackers have employed AES.
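The folder exclusions described above and the AES point in this paragraph translate directly into an incident-response triage check. The following Python script is an added example, not code from the article or from MonsterCloud: it walks a directory tree, flags files whose byte entropy is close to that of random data (AES ciphertext is statistically indistinguishable from random bytes, which is also why carving and undelete tools cannot rebuild the encrypted content), and reports separately any such files found under folders matching the exclusion words the article lists, since an Iron-style infection is expected to leave those untouched. The sample tree, the `.locked` suffix and the 7.5 bits-per-byte threshold are constructed assumptions; the article does not give Iron's real file extension.

```python
"""Added incident-response triage example (not the article's or MonsterCloud's code).

Flags probable ransomware output by byte entropy and separates hits found in
folders the article says Iron skips. Standard library only.
"""
import math
import os
import shutil
import tempfile
from collections import Counter

# Folder-name fragments the article reports Iron leaves unencrypted.
EXCLUDED_WORDS = ("windows", "microsoft", "internet explorer",
                  "360rad", "360sand", "360sec")

# Bits of entropy per byte above which content is treated as encrypted
# (or compressed). 7.5 is a common heuristic; the exact value is an assumption.
ENTROPY_THRESHOLD = 7.5

# How much of each file to sample; a 64 KiB prefix is enough for the heuristic.
SAMPLE_BYTES = 64 * 1024


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    total = len(data)
    return -sum((n / total) * math.log2(n / total) for n in Counter(data).values())


def is_excluded_path(relative_dir: str) -> bool:
    """True if the directory path contains one of the article's exclusion words."""
    lowered = relative_dir.lower()
    return any(word in lowered for word in EXCLUDED_WORDS)


def triage(root: str, threshold: float = ENTROPY_THRESHOLD) -> dict:
    """Classify every file under root into suspect / excluded_suspect / clean.

    suspect          : high entropy in a folder the ransomware would encrypt
    excluded_suspect : high entropy in a folder the ransomware should have skipped
                       (worth a second look: it argues against an Iron-style infection)
    clean            : low entropy, i.e. still readable plaintext/structured data
    """
    buckets = {"suspect": [], "excluded_suspect": [], "clean": []}
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                sample = fh.read(SAMPLE_BYTES)
            # Normalise to forward slashes so results are stable across platforms.
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if shannon_entropy(sample) < threshold:
                buckets["clean"].append(rel)
            elif is_excluded_path(os.path.dirname(rel)):
                buckets["excluded_suspect"].append(rel)
            else:
                buckets["suspect"].append(rel)
    for bucket in buckets.values():
        bucket.sort()
    return buckets


def build_sample_tree() -> str:
    """Create a constructed directory tree in a temp dir and return its root.

    Plaintext files stand in for untouched documents; os.urandom output stands
    in for AES ciphertext (indistinguishable from it for this heuristic).
    The ".locked" suffix is a placeholder, not Iron's real extension.
    """
    root = tempfile.mkdtemp(prefix="iron_triage_")
    layout = {
        "Users/alice/Documents/report.docx": b"Quarterly report, draft 3.\n" * 300,
        "Users/alice/Documents/report.docx.locked": os.urandom(4096),
        "Users/alice/Pictures/holiday.jpg.locked": os.urandom(4096),
        "Windows/System32/drivers/etc/hosts": b"127.0.0.1 localhost\n" * 200,
        "Windows/Temp/cache.bin": os.urandom(4096),
        "Program Files/360sand/config.ini": b"[sandbox]\nenabled=1\n" * 100,
    }
    for rel, content in layout.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    try:
        for bucket, files in triage(sample_root).items():
            print(f"{bucket}: {files}")
    finally:
        shutil.rmtree(sample_root)
```

Point `triage()` at a mounted image of an affected volume rather than the sample tree to get a first estimate of how much was encrypted and where. The entropy heuristic also fires on legitimately compressed or encrypted files (archives, JPEGs, password-protected documents), so treat the output as a worklist for a responder, not as a verdict.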

For now, it is impossible to undo this ransomware's encryption without the developer's private decryption key, although some encryption experts think that some of the encrypted files can be recovered from shadow volume copies. It is still unclear whether Iron is an extension developed by Maktub's own operators or whether another developer has drawn inspiration from their work.

For assistance with file recovery and ransomware removal, please contact MonsterCloud, cyber security experts in professional ransomware removal.

Simeon Georgiev
https://www.linkedin.com/in/simeon--georgiev/
I am a Cyber Security Enthusiast from Bulgaria. I like to write about malware and ransomware and global cyber attacks. You can reach me on Twitter @sgeorgiev1995 or Email: [email protected]
© 2020 MonsterCloud.com. All Rights Reserved.