Ransom message is similar to police scareware

A patching utility against crypto-malware Operation Global III (OG3) has been created, to prevent users from paying the ransom and free their files in a simple and efficient manner.

The tool, developed by malware researcher Nathan Scott, takes advantage of the fact that the authors of the threat did not do too good of a job and actually left the decryption keys within easy reach.

In a video published on YouTube (available below), Scott says that after the file encryption finishes, a lock screen showing the ransomware message is enabled.

OG3 is not the work of professionals

The text is a combination of police scareware and crypto-malware because the communication claims to be from law enforcement as a result of copyright infringement. The victim is informed that the penalties for the alleged offense are five years in a federal prison and a $250,000 / €202,000 fine.

However, since no previous misconduct has been recorded, a $250 / €202 fine, payable in bitcoin digital currency, would settle the matter. The victim is also informed that all the files available on the storage unit have been encrypted.

An analysis of the affected data showed the researcher that the decryption keys were present inside each encrypted file. From this to creating an automated tool that reversed the process was just a step.

The cybercriminals did their best to make sure that the affected user had no other choice but to pay the “fine” and locked the display to the ransom message; but they failed to do a proper job as the simple use of the Alt+Tab key combination allows switching to opened apps, giving the opportunity to download the patch and launch it.

Glitches may occur during the decryption process

Items encrypted with OG3 are appended the EXE extension and trying to run them actually starts the malware. This way it can spread to other systems, especially since it also targets network shares.

The path tool requires only one click, and when the ransomware screen disappears, it means that the action of the malware has been reversed and clicking on any infected file automatically decrypts it.

All the flaws in OG3 indicate that inexperienced cybercriminals are behind the operation, even if the ransom payment is demanded in bitcoins.

Despite the existence of an antidote for the malware, there may be instances where the decryption process may not work as expected.

Scott drew attention to the fact that ZIP archives are not restored in their original location, but in the temporary folder, but other issues may also arise from cybercriminal’s faulty implementation of the decryption process.

Even if OG3 is a simple ransomware whose effects can be reversed, plenty of users can easily fall for the trap. The best protection against ransomware that can encrypt data is to maintain an updated backup file with all the important data in an area unconnected to the computer. If disaster strikes, the computer can be wiped and the information restored from the backup.

About The Author

Shopping Cart