- The ransomware appears to have been developed by India-linked cybercriminals.
- RansomWarrior is written in .NET and is not obfuscated packed or protected in any way, suggesting that its creators may be novice malware developers.
A new strain of ransomware called the RansomWarrior was recently discovered by security researchers. Although it has been just weeks since the ransomware first appeared, security experts have already figured out how to decrypt and retrieve the files encrypted by Ransom Warrior.
The ransomware was first spotted by security researchers at Malwarebytes in early August. The ransomware has been targeting Windows users and is being delivered via an executable named “A Big Present.exe”.
According to security researchers at Check Point, who analyzed the ransomware, it appears to have been developed by India-liked cybercriminals. RansomWarrior is written in .NET and is not obfuscated packed or protected in any way, suggesting that its creators may be novice malware developers.
“In fact, the “encryption” used by the Ransomware is a stream cipher using a key randomly chosen from a list of 1000 hard-coded keys in RansomWarrior’s binary code,” Check Point researchers wrote in a blog. “As a result, the Check Point Research team has been able to extract those keys, and, as the key’s index is saved locally on the victim’s computer, provide the correct keys to the Ransomware itself in order to unlock the files.”
Although cybercriminals are now increasingly switching to delivering cryptocurrency miners, given their stealth and the ability to rake in profits, however, ransomware remains a persistent threat. Cybercriminals continue to develop new variants of ransomware, launching them in attacks or selling and/or renting them out in dark web forums.
The fact that ransomware has remained a prominent threat in the face of newly emerging trends indicates that it is here to stay and won’t likely fade away with time.
You can download the RansomWarrior decryption tool by clicking here.