The Iran Computer Emergency Response Team Coordination Center (Iran CERTCC) has warned users of an ongoing distribution campaign for Tyrant ransomware.
First spotted by G Data security researcher Karsten Hahn, the strain is currently making its way to unsuspecting users via modified versions of the Psiphon VPN app.
Upon successful infection, Tyrant demands victims pay the equivalent of $15 within 24 hours. Its Farsi-written ransom note directs affected users to complete payment via one of two local payment processors, exchanging.ir and webmoney724.ir. The threat also provides them with email@example.com and the Telegram username @Ttyperns as means of contacting the attackers.
— Karsten Hahn (@struppigel) October 16, 2017
Tyrant doesn’t always succeed in encrypting a victim’s files, however. Iran CERTCC elaborates on this observation in an alert:
“Initial analysis suggests that this is the first version, or trial, of a larger attack because despite the encryption operation, sometimes the [ransomware] does not succeed in encrypting victim files, and moreover, despite the fact that there are many changes in the victim’s system registry, it is not able to maintain its functionality after rebooting the system.”
It therefore comes as no surprise that Tyrant is actually a member of DUMB, a family of ransomware based on proof-of-concept code published on GitHub and later forked by others. First spotted by Bleeping Computer founder Lawrence Abrams in January 2017, DUMB’s early variants used simplistic XOR encryption and saved the encryption key in their encrypted file. This made decryption easy, reports Bleeping Computer’s Catalin Cimpanu. So easy, in fact, that one variant self-decrypted as soon as a victim closed out the ransom note.
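To show why the key-in-file design described above leaves recovery trivial, here is an added example written for this post (not the ransomware's own code, and not a tool from Bleeping Computer or MalwareHunterTeam). The file layout it assumes, a two-byte key length followed by the key and then the XOR-ed payload, is a constructed illustration; the article does not document the exact format the DUMB variants used.

```python
import struct
from typing import Optional, Tuple

# Known file headers used to sanity-check a recovered file (constructed list).
FILE_MAGIC = {b"\x89PNG": "png", b"%PDF": "pdf", b"PK\x03\x04": "zip"}


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same call both encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def dumb_style_encrypt(plaintext: bytes, key: bytes) -> bytes:
    """Reproduces the design flaw: the key length and the key itself are
    written into the output ahead of the XOR-ed payload (assumed layout)."""
    return struct.pack(">H", len(key)) + key + xor_bytes(plaintext, key)


def split_embedded_key(blob: bytes) -> Tuple[bytes, bytes]:
    """Read the key back out of the encrypted file and return (key, body)."""
    if len(blob) < 2:
        raise ValueError("file too short to hold a key length field")
    (key_len,) = struct.unpack(">H", blob[:2])
    if key_len == 0 or len(blob) < 2 + key_len:
        raise ValueError("key length field does not match file size")
    return blob[2:2 + key_len], blob[2 + key_len:]


def decrypt_with_embedded_key(blob: bytes) -> bytes:
    """Recover the plaintext using nothing but the encrypted file itself."""
    key, body = split_embedded_key(blob)
    return xor_bytes(body, key)


def identify_magic(data: bytes) -> Optional[str]:
    """Return the file type if the bytes start with a known header; this is
    how a responder confirms that the recovery actually produced a file."""
    for magic, name in FILE_MAGIC.items():
        if data.startswith(magic):
            return name
    return None


if __name__ == "__main__":
    # Constructed sample: a fake PNG header plus padding, short 4-byte key.
    sample = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
    encrypted = dumb_style_encrypt(sample, b"k3y!")
    recovered = decrypt_with_embedded_key(encrypted)
    print(identify_magic(recovered), recovered == sample)
```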
Security researcher MalwareHunterTeam is investigating whether users can decrypt the ransomware the same way as (Read more...)
This is a Security Bloggers Network syndicated blog post authored by David Bisson. Read the original post at: The State of Security