Friday, 12 December 2014

OphionLocker Ransomware Forget To Remove Files Thoroughly

Researchers have discovered a new ransomware variant that uses strong encryption to encrypt files, but because the original file could not be thoroughly erased victims recover their data without having to pay the ransom.

OphionLocker Message

OphionLocker, such as the ransomware by Trojan7Malware is called, spreads via hacked websites and makes use of known vulnerabilities that are not by Internet users are patched to infect their computer. Once active makes ransomware a unique hardware identifier to, based on the serial number of the first hard disk, the serial number of the motherboard and other information.

Asking For Hardware ID - Tor Link

Then it will create a Tor website link to check the specific hardware ID is already encrypted. Hereafter OphionLocker looking for all kinds of files. However it is only for files with file extensions sought in lowercase. A file as photo.jpg will encrypt the ransomware while foto.jpg is about beaten.


To encrypt used OphionLocker elliptic-curve encryption (ECC). As far as known, it is only the second ransomware that uses this encryption method. Most ransomware uses a combination of AES and RSA encryption to encrypt the files of victims. Here, the server generates a key pair, RSA public and private, for RSA. The private key remains on the server, while the public key is sent to the ransomware. In OphionLocker is the public key already in the malware. As a result, can also on computers which are not encrypted are files connected to the Internet.

The malware after encryption displays a message indicating the amount of 1 bitcoin is asked, what with the current exchange rate is 290 euros. Victims, however, do not have to pay to get their files, reports the forum Bleeping Computer . The ransomware shows the original of the files not erase the encrypted safe and also allows the volume shadow copies alone. As a result, it is possible to access the files through a program as ShadowExplorer to recover.

No comments:

Post a Comment