Researchers have uncovered a new strain of ransomware that trashes victims' Windows systems and demands 13 Bitcoins in payment, one of the largest malware-based ransoms seen to date.
Lawrence Abrams of Bleeping Computer explains how the ransomware, dubbed "7ev3n", encrypts .DOC, .JPG, .PDF and other common file types, and renames them in an unusual way:
“When a computer is infected, the ransomware will scan all of the drive letters that match certain file extensions and when it finds a match rename them into numbered sequences of files with the .R5A extension. For example, if a folder contains 25 data files, the ransomware will encrypt and rename all the files to 1.R5A, 2.R5A, 3.R5A … 25.R5A.”
Once the ransomware has encrypted a victim's files, it displays a ransom message demanding 13 Bitcoins (approximately $5,100 USD at the time). The note includes the Bitcoin address to which payment is to be sent.
As if paying thousands of dollars in ransom weren't bad enough, 7ev3n also drops a number of files into the %LocalAppData% folder. These include %LocalAppData%\system.exe, the main executable of the ransomware; %LocalAppData%\del.bat, which deletes the original installer; and %LocalAppData%\time.e, which stores a timestamp of when the infection began.
Far more destructive than any of those, however, is %LocalAppData%\bcd.bat. That batch file runs several BCDEDIT commands that disable critical Windows boot and recovery options, including the Windows Emergency Management System, the boot options editor and Startup Repair.
“Now that 7ev3n has effectively locked you out of any recovery options, it will also add a registry entry that disables keys commonly used to troubleshoot Windows such as Alt+Tab, Task Manager and the Run dialog. It does this by adding a special registry value that disables the F1, F10, F3, F4, Enter, Escape, Left Alt, Left Ctrl, Left Windows, Num Lock, Right Alt, Right Ctrl, Right Shift, Right Windows, and Tab keys.”
Clearly, this particular ransomware is not to be trifled with.
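The two persistence tricks just described, the BCD tampering and the key-disabling registry value, are things a responder can check for and undo. The following PowerShell audit script is an added example written for this page; it is not from the article and not part of 7ev3n itself. It makes a few assumptions the article does not spell out: the BCD elements it inspects are recoveryenabled and bootstatuspolicy, the documented settings that gate Startup Repair and the automatic-recovery prompt (the article does not list bcd.bat's exact commands); the keyboard mechanism it inspects is the standard "Scancode Map" value under HKLM\SYSTEM\CurrentControlSet\Control\Keyboard Layout, which the article does not name; and the Yes/No strings it matches are those of an English Windows, since bcdedit localizes its values. The optional -ScanPath switch also looks for the numbered .R5A rename pattern quoted above.

```powershell
# Added example (not from the article and not 7ev3n's own code): audit a Windows
# host for the boot-recovery and keyboard tampering described above, optionally
# undo it, and optionally scan a folder tree for the numbered .R5A rename pattern.
# Assumptions: the BCD elements checked are recoveryenabled and bootstatuspolicy,
# the documented settings that gate Startup Repair and the automatic-recovery
# prompt (the article does not list bcd.bat's exact commands); the key-disabling
# mechanism is the standard "Scancode Map" value, which the article does not name.
# Run from an elevated PowerShell prompt. bcdedit's value strings are localized,
# so the Yes/No matching below assumes an English Windows.

[CmdletBinding()]
param(
    [switch]$Restore,      # re-enable BCD recovery settings and remove the Scancode Map
    [string]$ScanPath      # optional root folder to search for N.R5A file sequences
)

# Set 1 scancodes for the keys listed in the article; the E0 prefix marks extended keys.
$ScancodeNames = @{
    0x0001 = 'Escape';      0x000F = 'Tab';        0x001C = 'Enter';        0x001D = 'Left Ctrl'
    0x0036 = 'Right Shift'; 0x0038 = 'Left Alt';   0x003B = 'F1';           0x003D = 'F3'
    0x003E = 'F4';          0x0044 = 'F10';        0x0045 = 'Num Lock'
    0xE01D = 'Right Ctrl';  0xE038 = 'Right Alt';  0xE05B = 'Left Windows'; 0xE05C = 'Right Windows'
}

function Get-BcdDefaultSettings {
    # Parse "bcdedit /enum {default}" into element-name -> value. Element names
    # are not localized, so keys such as recoveryenabled are stable.
    $settings = @{}
    foreach ($line in (& bcdedit.exe /enum '{default}' 2>&1)) {
        if ("$line" -match '^(\S+)\s+(.+)$') {
            $settings[$Matches[1].ToLower()] = $Matches[2].Trim()
        }
    }
    return $settings
}

function Get-DisabledKeysFromScancodeMap {
    param([byte[]]$Map)
    # Scancode Map layout: 8-byte header (version, flags), a DWORD entry count that
    # includes the terminating null entry, then 4-byte entries whose low WORD is
    # the scancode mapped *to* (0 = key disabled) and whose high WORD is the original key.
    $disabled = @()
    if ($null -eq $Map -or $Map.Length -lt 16) { return $disabled }
    $count = [BitConverter]::ToUInt32($Map, 8)
    for ($i = 0; $i -lt ($count - 1); $i++) {
        $off = 12 + 4 * $i
        if ($off + 4 -gt $Map.Length) { break }
        $to   = [BitConverter]::ToUInt16($Map, $off)
        $from = [BitConverter]::ToUInt16($Map, $off + 2)
        if ($to -eq 0) {
            $name = $ScancodeNames[[int]$from]
            if (-not $name) { $name = 'scancode 0x{0:X4}' -f $from }
            $disabled += $name
        }
    }
    return $disabled
}

function Find-R5ASequences {
    param([string]$Root)
    # Folders in which every file is named N.R5A, i.e. the rename pattern quoted above.
    Get-ChildItem -Path $Root -Recurse -Directory -ErrorAction SilentlyContinue |
        Where-Object {
            $files = @(Get-ChildItem -Path $_.FullName -File -ErrorAction SilentlyContinue)
            $files.Count -gt 0 -and
            @($files | Where-Object { $_.Name -notmatch '^\d+\.R5A$' }).Count -eq 0
        } | Select-Object -ExpandProperty FullName
}

$findings = @()

$bcd = Get-BcdDefaultSettings
if ($bcd['recoveryenabled'] -eq 'No') {
    $findings += 'BCD: recoveryenabled is No (Startup Repair / automatic recovery disabled)'
}
if ($bcd['bootstatuspolicy'] -like 'Ignore*') {
    $findings += "BCD: bootstatuspolicy is $($bcd['bootstatuspolicy']) (boot failures are hidden)"
}

$kbPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Keyboard Layout'
$map = (Get-ItemProperty -Path $kbPath -Name 'Scancode Map' -ErrorAction SilentlyContinue).'Scancode Map'
$disabled = @(Get-DisabledKeysFromScancodeMap -Map $map)
if ($disabled.Count -gt 0) {
    $findings += "Registry: Scancode Map disables $($disabled -join ', ')"
}

if ($ScanPath) {
    foreach ($dir in Find-R5ASequences -Root $ScanPath) {
        $findings += "Files: numbered .R5A sequence in $dir"
    }
}

if ($findings.Count -eq 0) { 'No 7ev3n-style tampering found.' }
else { $findings | ForEach-Object { "FOUND: $_" } }

if ($Restore) {
    & bcdedit.exe /set '{default}' recoveryenabled Yes | Out-Null
    & bcdedit.exe /set '{default}' bootstatuspolicy DisplayAllFailures | Out-Null
    Remove-ItemProperty -Path $kbPath -Name 'Scancode Map' -ErrorAction SilentlyContinue
    'Recovery settings restored and Scancode Map removed; reboot for the keyboard change to apply.'
}
```

Saved as, say, audit.ps1 (a name chosen here, not from the article), `.\audit.ps1 -ScanPath C:\Users` reports what it finds, and adding `-Restore` puts the BCD elements back to their defaults and deletes the map. Because a Scancode Map applies in Safe Mode too, a machine whose Enter and Ctrl keys have been disabled may need the script launched by mouse (right-click, Run with PowerShell) or from a remote PowerShell session rather than typed at a prompt; the parsing functions can also be pointed at an offline SYSTEM hive or a saved bcdedit dump when examining a disk image.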
At the time of writing, there is no way for a victim to recover their files without paying the ransom unless they have a backup.
Even after victims regain control of their computers, they must spend time repairing the damage caused by the ransomware. This means booting from a Windows installation disc to re-enable the recovery options 7ev3n disabled, then booting into Safe Mode and removing the files the ransomware installed. Installing a reputable anti-virus program and running a full scan should clean up the rest.
Clearly, ransomware authors are not only upping the ante on their ransom demands; they are also designing their malware to leave a lasting impact on their victims' machines.
With this in mind, users should protect themselves by applying software updates regularly, keeping an up-to-date antivirus solution on their computers and backing up their data often, keeping those backups somewhere the ransomware cannot reach. These small steps could save you thousands of dollars and a lot of time spent restoring your PC to a workable state.
Found this article interesting? Follow Graham Cluley on Twitter to read more of the exclusive content we post.