Yet another Dharma ransomware variant has been detected in the wild. A new ransomware threat, dubbed Eur, was found to encrypt files and extort cryptocurrency from victims.
What is Eur Ransomware?
Eur is a standard ransomware threat that follows a classic pattern. It infects its host and scans it for files that could be valuable to the users. It looks for pictures, databases, spreadsheets, text documents, archives, and more.
Once the target data is detected, Eur will use AES encryption to lock these files and prevent the user from accessing them.
Eur marks the encrypted files by adding the ".eur" extension to their names. It also appends a unique ID and the criminals' email addresses. For example, a file named "pictures.zip" will be renamed to "pictures.zip.id-tyu673123.eur".
Files that have the .eur extension have icons that are visible to the user. However, these files cannot be viewed, opened, or edited.
Once the encryption process is completed, Eur creates a text file named "FILES ENCRYPTED.txt" and opens a pop-up window. Both display a simple message to the victim.
Eur's ransom note is very straightforward and to the point. It informs the victim that their files are locked and offers them decryption services for a fee. The message doesn't mention a specific ransom but instructs the victim to contact the criminals via email.
Ransom note text:
YOUR FILES ARE ENCRYPTED
Don't worry,you can return all your files!
If you want to restore them, follow this link:email email@example.com YOUR ID -
If you have not been answered via the link within 12 hours, write to us by e-mail:firstname.lastname@example.org
Do not rename encrypted files.
Do not try to decrypt your data using third party software, it may cause permanent data loss.
Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.
Victims are given only 12 hours to contact the ransomware operators via either of the email@example.com or firstname.lastname@example.org email addresses.
The message doesn't specify what will happen if the victim fails to meet the tight deadline, however. It does list several warnings, but nothing specific.
Victims are advised not to rename their files and to refrain from using third-party decryption tools as these actions could lead to permanent data loss.
As Eur is a newly found threat, there is no third-party decryption tool available for it yet. However, victims are advised not to pay the ransom, as payment does not guarantee results. Hackers are known to double-cross their victims.
Furthermore, ransomware victims should bear in mind that by paying the ransom, they encourage the criminals to continue their malicious business.
Victims can use file backups stored on cloud or external devices to recover their data. However, the ransomware must be completely removed before any such operation is attempted. Otherwise, Eur will corrupt the newly restored files.
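Before restoring from backup, it helps to know exactly which files were renamed. The following is an added example, not code from the original article: a read-only triage script that uses the naming pattern and ransom note name described above to list affected files, recover their original names, and group them by victim ID. The function names are hypothetical, and the optional segment between the ID and ".eur" (where the email address would sit) is an assumption.

```python
import os
import re
import tempfile
from collections import defaultdict

# Naming pattern from the article: <original name>.id-<victim ID>.eur
# Assumption: the e-mail address the article mentions, when present, sits as
# one extra segment between the ID and ".eur"; the regex tolerates it.
ENCRYPTED_RE = re.compile(
    r"^(?P<original>.+)\.id-(?P<victim_id>[^.]+)(?:\.(?P<extra>.+))?\.eur$",
    re.IGNORECASE,
)
RANSOM_NOTE = "files encrypted.txt"  # note name given in the article


def parse_encrypted_name(filename):
    """Return (original_name, victim_id) for an Eur-renamed file, else None."""
    m = ENCRYPTED_RE.match(filename)
    return (m.group("original"), m.group("victim_id")) if m else None


def scan_tree(root):
    """Walk root; return encrypted files per victim ID, notes, untouched files."""
    report = {"encrypted": defaultdict(list), "notes": [], "clean": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            parsed = parse_encrypted_name(name)
            if parsed:
                original, victim_id = parsed
                report["encrypted"][victim_id].append((path, original))
            elif name.lower() == RANSOM_NOTE:
                report["notes"].append(path)
            else:
                report["clean"].append(path)
    return report


if __name__ == "__main__":
    # Constructed sample tree, so the example runs offline.
    with tempfile.TemporaryDirectory() as root:
        for name in ("pictures.zip.id-tyu673123.eur", "FILES ENCRYPTED.txt",
                     "notes.txt", "tour.eur"):
            open(os.path.join(root, name), "w").close()
        result = scan_tree(root)
        for vid, items in result["encrypted"].items():
            print(vid, [orig for _p, orig in items])
        print("ransom notes:", result["notes"])
        print("untouched:", sorted(result["clean"]))
```

The script only reads directory listings and never renames or opens the files, which is consistent with the note's warning that renaming encrypted files may interfere with later decryption.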
How Does Eur Reach Its Victims?
Ransomware threats are usually spread via mass-distribution tricks that expose various potential victims to the infection. Malspam campaigns, corrupted links and ads, and fake software updates are the most common causes of ransomware infections.
Trojans could also deliver ransomware as second-stage malware in a cyber attack. Whether it is a threat developed to download and install malware or a remote access trojan that allows its operators to run commands on the infected device, trojans are highly dangerous. Therefore, all trojan infections must be taken seriously and dealt with promptly.