It’s now commonplace for cryptovirological operators to write more lethal and persistent variants of existing ransomware strains. Ransomware removal experts have recently identified a new variant of Shade or Rapid ransomware lingering in cyberspace.
Perpetrators Name it After a Previous Extension
The developers of this new variant of Shade/Rapid have named it ‘no_more_ransom’, an extension used in previous exploits. Researchers are calling it an improved version of Shade ransomware that unpacks more quickly. Moreover, the new variant is using two different encryption modules to lock down files on the targeted device.
The developers of no_more_ransom are using both RSA-2048 and AES-256-CBC to encrypt the files. The purpose of using two encryption schemes is to make it harder for cybersecurity researchers to devise a decrypter. The decryption keys are stored on remote servers that only the perpetrators can access.
Mocking an Anti-Ransomware Project
A couple of months ago, a group of independent ransomware removal experts initiated a project named ‘No More Ransom’ to help cryptovirology victims around the world. The project's main goal is to keep users from being exploited by ransomware operators. The group provides its free decryption services in more than two dozen languages to cater to affected users from different regions.
As of now, the group has come up with decryption solutions for 10 different ransomware strains, including four GandCrab variants. Shade operators have taken a dig at the No More Ransom project by naming their new variant after it. The project's experts haven't developed decryption keys for Shade or Rapid ransomware so far, so it will be interesting to see how they respond to the insult thrown by these cryptovirological operators.
Use of RAT Tool
To make their attacks more profitable, Shade operators have incorporated a RAT into no_more_ransom infections. Before deploying the cryptovirological payload, the operators spy on the targeted user through a Remote Administration Tool (RAT). The RAT activity is used to monitor targeted people in order to come up with customized ransom demands.
In each ransom note, the attackers give an email address and a link on the Tor network to follow if they are unable to reply from the email within two days. Cybersecurity experts fear that this new variant will be used to target organizations operating in the public domain. They have come to this conclusion based on the past behaviour of Shade ransomware.
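The two observable traces the article describes, files renamed with the ‘no_more_ransom’ extension and ransom notes carrying an email address plus a Tor link, can be checked for with a short triage script. The following is an added example, not code from the article or from any vendor it mentions: it walks a directory tree, counts renamed files per folder, and flags small text files that contain both an email address and a .onion address. The sample tree is constructed for the demo, and the note filename `README_RESTORE.txt` and its text are assumptions, not indicators taken from the article.

```python
"""
Added example (not from the article): a small triage script that reports
two indicators described for the 'no_more_ransom' Shade/Rapid variant:
files renamed with the '.no_more_ransom' extension, and ransom-note-like
text files containing both an e-mail address and a Tor (.onion) address.
The sample tree is constructed here; the note filename and wording are
assumptions, not indicators taken from the article.
"""
import os
import re
import tempfile
from collections import Counter

RANSOM_EXT = ".no_more_ransom"  # extension named in the article
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
ONION_RE = re.compile(r"\b[a-z2-7]{16,56}\.onion\b", re.IGNORECASE)
MAX_NOTE_SIZE = 64 * 1024  # ransom notes are small text files


def looks_like_ransom_note(path):
    """True if a small text file contains both an e-mail and a .onion link."""
    try:
        if os.path.getsize(path) > MAX_NOTE_SIZE:
            return False
        with open(path, "r", encoding="utf-8", errors="ignore") as fh:
            text = fh.read()
    except OSError:
        return False
    return bool(EMAIL_RE.search(text)) and bool(ONION_RE.search(text))


def scan_tree(root):
    """Return renamed-file paths, per-directory counts, and note paths."""
    encrypted, notes = [], []
    per_dir = Counter()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if name.lower().endswith(RANSOM_EXT):
                encrypted.append(full)
                per_dir[dirpath] += 1
            elif name.lower().endswith(".txt") and looks_like_ransom_note(full):
                notes.append(full)
    return {"encrypted": sorted(encrypted),
            "per_dir": dict(per_dir),
            "notes": sorted(notes)}


def build_sample_tree():
    """Constructed sample data: two renamed files, one clean file, one hypothetical note."""
    root = tempfile.mkdtemp(prefix="nmr_demo_")
    docs = os.path.join(root, "docs")
    os.makedirs(docs)
    for name in ("budget.xlsx.no_more_ransom", "report.docx.no_more_ransom"):
        with open(os.path.join(docs, name), "wb") as fh:
            fh.write(os.urandom(64))  # stand-in for ciphertext
    with open(os.path.join(docs, "untouched.txt"), "w") as fh:
        fh.write("plain file, no indicators here\n")
    # Hypothetical note: an e-mail contact plus a fallback Tor link, the two
    # elements the article says every note carries. Filename is assumed.
    with open(os.path.join(root, "README_RESTORE.txt"), "w") as fh:
        fh.write("Contact: decrypt@example.invalid\n"
                 "If no reply in 2 days: http://exampleonionaddress2345.onion/\n")
    return root


if __name__ == "__main__":
    result = scan_tree(build_sample_tree())
    print(f"{len(result['encrypted'])} renamed file(s), {len(result['notes'])} note(s)")
    for folder, count in sorted(result["per_dir"].items()):
        print(f"  {count:3d}  {folder}")
```

Run it against a suspect share root instead of the sample tree; a sudden cluster of renamed files in one folder alongside a matching note is the pattern worth escalating, and the per-directory counts help show how far an infection has spread before backups are restored.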
The best strategy against any cryptovirological activity is to keep your critical data backed up in more than one secure place. Prompt ransomware removal services also play an important role in limiting the damage of a cryptovirological attack.