RansomWarrior

RansomWarrior is an India-based ransomware that was discovered in early August and targets Windows users. It is delivered via an executable called “A Big Present.exe” and, if run, encrypts files, giving them a “.THBEC” extension. Once a system is infected, a popup is displayed informing the victim that they have been infected. The ransom note includes a set of instructions to visit a darknet site to pay the ransom, along with the statement, “Have a good day with the love from India.” The attackers claim that they will decrypt two files for free, but also inform the victim that if they don’t pay, they will not get their files back.

RansomWarrior is not a sophisticated ransomware. In fact, researchers were able to successfully retrieve decryption keys due to the weak encryption. According to researchers, “The encryption used by the Ransomware is a stream cipher using a key randomly chosen from a list of 1000 hard-coded keys in RansomWarrior’s binary code.” The key’s index is also saved locally on the victim’s computer, giving researchers all the information they need to decrypt the files.
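The recovery weakness described above, sketched as an added example that is not from the original article or the researchers' tooling: with only 1000 candidate keys, a file can be recovered either by direct lookup with the saved index or by trying every key and checking for a known file header. The key values, the SHA-256 counter-mode keystream and the sample file are constructed stand-ins, since the page does not give the actual cipher or keys.

```python
import hashlib

# Constructed stand-in for the 1000 hard-coded keys; the real values are not on the page.
KEYS = [hashlib.sha256(b"constructed-key-%d" % i).digest() for i in range(1000)]

# Leading bytes of common file types, used to recognise a correct decryption.
MAGIC = {"pdf": b"%PDF-", "png": b"\x89PNG\r\n\x1a\n", "zip/docx": b"PK\x03\x04"}


def keystream(key, n):
    """Stand-in stream cipher: SHA-256 in counter mode (assumption, not the malware's cipher)."""
    out = bytearray()
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:n])


def xor_stream(key, data):
    """Encrypt or decrypt: XOR with the keystream is its own inverse."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


def recover(ciphertext, index=None):
    """Return (key_index, file_type, plaintext), or None if no candidate key fits.

    With the locally stored index a single lookup is enough. Without it, every
    key in the list is tried and accepted when the output starts with known magic.
    """
    candidates = [index] if index is not None else range(len(KEYS))
    head = ciphertext[:16]  # only the header is needed to test a candidate key
    for i in candidates:
        prefix = xor_stream(KEYS[i], head)
        for kind, magic in MAGIC.items():
            if prefix.startswith(magic):
                return i, kind, xor_stream(KEYS[i], ciphertext)
    return None


# Constructed sample: a fake PDF "encrypted" with key number 613.
SAMPLE_PLAIN = b"%PDF-1.7\nconstructed sample document\n"
SAMPLE_CIPHER = xor_stream(KEYS[613], SAMPLE_PLAIN)

if __name__ == "__main__":
    print(recover(SAMPLE_CIPHER))             # exhaustive search over the key list
    print(recover(SAMPLE_CIPHER, index=613))  # direct lookup using the saved index
```

The exhaustive path shows that the saved index is a convenience rather than the root flaw: a key space of 1000 entries embedded in the binary is small enough to search in full for every file.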