Homer Ransomware: A Dharma Variant Created for Easy Profit

A “new” piece of ransomware that encrypts the personal data on its victims’ computers in an effort to turn an easy profit has been spotted in the wild. The malicious file-locker is called Homer and it is a pure copy of the well-known Dharma ransomware. 

Just like most Dharma family members, Homer ransomware demands a ransom in Bitcoin after restricting users’ access to their files. Victims may lose their data for good if the payment is not made in a timely manner. 

How is Homer Ransomware Distributed

Phishing campaigns are the most common distribution method for Homer ransomware. These campaigns include spam emails that contain either a malicious link or a bogus attached file. Users should be very careful when opening such emails as many hackers use them as an infection method for spreading ransomware. 

Other methods of distributing malware involve untrustworthy download sources, fake software updates, unofficial software activation tools, and Trojans. 

• Untrustworthy download sources - hackers distribute ransomware by hosting malicious files in various questionable sources for download such as Peer-to-Peer networks, unofficial websites, free file hosting,  freeware websites, third party downloaders, etc.). The malicious files are disguised as legitimate and when executed, they infect systems with malware. 
• Fake software updates – they infect systems either by exploiting flaws of outdated programs installed on a targeted machine or by installing malicious software instead of legitimate updates. Untrustworthy sources for software download could be Peer-to-peer networks, freeware download, third party downloaders, free file hosting web pages, etc. Hackers use them as tools to host malicious files and disguise these files as legitimate. When downloaded and opened, they infect victims' computers with malicious software. 
• Unofficial software activation tools - some people use unofficial programs to bypass paid activation of licensed software. Unfortunately, these tools are dangerous as hackers often use them for distributing malware. 
• Trojans - cyber-criminals are well aware that if installed onto a system, Trojans can cause severe chain infections. For that reason, hackers often use programs of this type for installing malware.

How Does Homer Ransomware Operate

When installed on the targeted machine, Homer ransomware will scan it for photos, videos, and important documents in .doc, .docx, .xls, and .pdf format. Once detected, the ransomware will encrypt these files and change their extensions to “.[homersimpson777@mail.fr].homer" so that users are no longer able to access them. For instance, a file named "1.jpg" would appear as "1.jpg.id-1E857D00.[homersimpson777@mail.fr].homer" following the encryption. 

A ransom-demanding message appears in a pop-up window when the encryption process is complete. The note is also found in a file called "FILES ENCRYPTED.txt" that is created on the desktop.  

The 'FILES ENCRYPTED.txt' file contains a ransom message by the creators of Homer ransomware. The attackers do not specify a ransom fee amount, so it will only be disclosed when the victim contacts the malware authors. They can be contacted via the email addresses included in the ransom note:  ‘homersimpson777@mail.fr' and ‘jack-green13@protnmail.com.' 

At this point, there are no tools to restore the encrypted data by Homer ransomware because the decryption key is only available from the malware authors. Nevertheless, security researchers DO NOT recommend paying the ransom as in many cases, cyber-criminals do not send any decryption key to victims even if the payment is successful. 

How to Remove Homer Ransomware

Unfortunately, in most cases of ransomware attacks, decryption is impossible without the search for expert advice or installing a legitimate anti-malware software. 

If you find out that your computer is infected with Homer ransomware, you should  contact the following government fraud and scam sites to report the attack:

• In the United States, go to the On Guard Online website.
• In Australia, go to the SCAMwatch website.
• In Canada, go to the Canadian Anti-Fraud Centre.
• In France, go to the Agence nationale de la sécurité des systèmes d’information
• In Germany, go to the Bundesamt für Sicherheit in der Informationstechnik website.
• In the United Kingdom, go to the Action Fraud website.
• In Ireland, go to the An Garda Síochána website.
• In New Zealand, go to the Consumer Affairs Scams website. 

To avoid critical data loss, security researchers recommend users always keep backups in remote servers and/or unplugged storage devices. Otherwise, your personal data might be lost for good.