Boris HT Ransomware

Ransomware removal analysts have discovered a variant of the HiddenTear Ransomware, named Boris HT. HiddenTear was ransomware built on the code of an open-source project released as a cybersecurity educational tool. Ransomware removal analysts have also noted similarities between Boris HT and other ransomware such as Donut and Magician Ransomware. There is, however, no consensus that these ransomware families are operated by a single cybercriminal group.

Interestingly, it has been found that the source code of HiddenTear is continuously modified on the Deep Web. Unfortunately, because of the privacy and anonymity the Deep Web provides, it is difficult to monitor and track the actual perpetrators.

The cybercriminals behind the Boris HT Ransomware attempt to disguise the malware as a legitimate Microsoft process file named ‘svhost.exe’, passing it off as the system file used to host DLL services.

Distribution Tactics

Ransomware removal professionals who have analyzed its proliferation and distribution strategies conclude that one of its primary tactics is to spread via fake software updates, and that it also infects Microsoft Office documents and files. Other delivery vehicles for this ransomware include free game cracks, which are available on a wide range of websites and are often downloaded by gamers to save money. It has also been observed that the ransomware tampers with the AppData folder, where it can compromise database files.

The files and documents are encrypted with the Advanced Encryption Standard (AES) cryptographic algorithm. The affected files receive the extension ‘[email protected]].boris’. If users find any of their files showing blank icons, it is a sign that the files have been encrypted by Boris HT Ransomware. A ransom note file is placed on the desktop; it gives the email address [email protected] for further communication.
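The two observable indicators the article gives, the ‘…].boris’ file suffix and the ‘svhost.exe’ process name, are the kind of thing an incident responder turns into a quick triage script. The following is an added example, not code from the article or from any vendor: it walks a directory tree for files carrying the Boris HT suffix, recovers the original file name and the bracketed contact address from each, and flags process names that sit one edit away from the genuine Windows service host name. Assumptions, since the article obscures the address: the suffix is taken to be a bracketed e-mail address followed by `.boris`, and the sample files in `demo()` are constructed.

```python
"""Triage helper for Boris HT (HiddenTear variant) indicators: added example, not from the article."""
import os
import re
import tempfile
from pathlib import Path

# Boris HT renames encrypted files with a suffix of the form '[<contact e-mail>].boris'.
# The address is obscured in the article, so the pattern accepts any bracketed address
# and tolerates the doubled ']' seen in the published extension (assumption).
BORIS_SUFFIX = re.compile(
    r"\[(?P<contact>[^\[\]\s]+@[^\[\]\s]+)\]+\.boris$", re.IGNORECASE
)

# Genuine Windows process that hosts DLL-based services; 'svhost.exe' imitates it.
LEGIT_SERVICE_HOST = "svchost.exe"


def parse_boris_name(filename: str):
    """Return (original_name, contact) if filename carries the Boris HT suffix, else None."""
    m = BORIS_SUFFIX.search(filename)
    if m is None:
        return None
    return filename[: m.start()], m.group("contact")


def find_encrypted_files(root):
    """Walk `root` and return sorted relative paths of files carrying the Boris HT suffix."""
    root = Path(root)
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if parse_boris_name(name) is not None:
                hits.append(str(Path(dirpath, name).relative_to(root)))
    return sorted(hits)


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance (insert/delete/substitute), used for look-alike detection."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def looks_like_service_host(process_name: str) -> bool:
    """True for names one edit away from svchost.exe (e.g. 'svhost.exe'); False for the real name."""
    name = process_name.lower()
    if name == LEGIT_SERVICE_HOST:
        return False
    return levenshtein(name, LEGIT_SERVICE_HOST) <= 1


def demo():
    """Build a constructed sample tree in a temp directory and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "Documents").mkdir()
        # Constructed sample files; the contact address is a placeholder.
        (root / "Documents" / "report.docx[victim@example.com]].boris").write_bytes(b"\x00" * 16)
        (root / "Documents" / "budget.xlsx").write_bytes(b"untouched")
        (root / "photo.jpg[victim@example.com]].boris").write_bytes(b"\x00" * 16)
        hits = find_encrypted_files(root)
        contacts = sorted({parse_boris_name(Path(h).name)[1] for h in hits})
        return {"encrypted": hits, "contacts": contacts}


if __name__ == "__main__":
    print(demo())
    for proc in ("svchost.exe", "svhost.exe", "explorer.exe"):
        print(proc, "->", "suspicious" if looks_like_service_host(proc) else "ok")
```

The contact address recovered from the suffix is worth recording in the incident timeline: a change of address across samples is one of the few signals that distinguishes one HiddenTear operator from another, given that the shared source code makes the encryption routine itself uninformative.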