7ev3n ransomware alters name, asks for much lower ransom

David bisson
David Bisson


A variant of 7ev3n ransomware has modified its name and begun asking victims for a considerably lower ransom fee than it was seeking just a few months ago.

Security researchers originally detected the 7ev3n ransomware back in January of this year.

Though it hasn’t been around for long, this crypto-malware sample has already made waves for several distinguishing features, such as a ransom fee of 13 Bitcoins (more than US $5,000), an encryption process by which all encrypted files are renamed according to a numbered sequence with the .R5A extension, and a file named “%LocalAppData%bcd.bat” which disables several critical Windows recovery options.

Sign up to our free newsletter.
Security news, advice, and tips.

Together, these functions ensure each victim of 7ev3n doesn’t just get hit in their wallet. They also require an affected user to invest considerable time in resetting the damage inflicted by the ransomware. That includes using a Windows reinstallation disc to reactivate the deleted recovery options, removing all the files installed by the ransomware, and scanning an infected machine with an anti-virus solution.


That phase of 7ev3n might be over, however.

In a recent post, Lawrence Abrams of Bleeping Computer explains that a new variant of 7ev3n has implemented a few changes.

“A security researcher named Mosh has discovered  a new variant of the 7ev3n Ransomware, which has rebranded itself as 7ev3n-HONE$T. This ransomware will encrypt your data and then ransom your files for approximately $400 USD in bitcoins.”


There is still very little known about the new variant. For instance, while Mosh has confirmed 7ev3n-HONE$T relies on the same encryption process as that of its predecessor, it is unclear how the ransomware is distributed and whether it still installs several damaging files onto a victim’s computer.

Neither is there mention made of why the new variant asks for a ransom fee of only one Bitcoin (approximately US $400).

Perhaps the original ransom fee of 13 Bitcoins was simply too high and did not net the malware authors as much money as they were expecting. Alternatively, perhaps the ransomware’s source code was leaked online, which prompted a less ambitious computer criminal to seize upon it and use it for their own gain.

At any event, the ransomware still poses a danger to victims, for there is no way to decrypt 7ev3n-HONE$T without paying the ransom.

Until more is known about this new variant, users are urged to follow the usual ransomware prevention tips: do not click on suspicious links or email attachments, keep an updated anti-virus solution installed on their computer at all times, and implement software patches as soon as possible.

David Bisson is an infosec news junkie and security journalist. He works as Contributing Editor for Graham Cluley Security News and Associate Editor for Tripwire's "The State of Security" blog.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.