Lina Ransomware Encrypts and Ransoms User Files

The ever-growing Dharma ransomware family has expanded with a new member. Lina ransomware is a new file-encryption program that locks data and coerces its victims into paying to retrieve their files.

Upon infiltration, Lina scans the device for files that could contain important information, such as spreadsheets, databases, documents, pictures, and archives. The threat also executes several commands that establish persistence on the device and delete the Volume Shadow Copies.

The core of Lina’s functions is its file-encryption capabilities. This ransomware is developed to use advanced cryptographic algorithms to lock the target files and prevent the user from accessing their content.

Ransom Demands

Victims can quickly notice that their data is encrypted because Lina renames the locked files by adding the “.lina” extension to them. Additionally, the ransomware adds the victim’s ID and the threat operator’s email address to the new file names. For example, a file named “user-manual.pdf” will be renamed to “user-manual.pdf.id-GHjyu823.[linajamser@aol.com].lina”.

Lina will create a text file called “FILES ENCRYPTED.txt” that informs the victim that their data is encrypted. Additionally, the ransomware will open a pop-up window that displays more information.

Ransom Note Text: 

“YOUR FILES ARE ENCRYPTED

Don't worry,you can return all your files!

If you want to restore them, follow this link:email linajamser@aol.com YOUR ID -

If you have not been answered via the link within 12 hours, write to us by e-mail:spare322@protonmail.ch

Attention!

Do not rename encrypted files.

Do not try to decrypt your data using third party software, it may cause permanent data loss.

Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.”

Lina’s ransom note is quite standard for a threat of this class. The ransom-demanding message informs victims that their data can be restored for a price. However, no specific ransom amount is mentioned because the victims can negotiate the price.

Victims are instructed to contact the criminals via either the linajamser@aol.com or spare322@protonmail.ch email addresses.

Victims are warned not to rename the encrypted files and to refrain from using third-party decryption tools because these actions could lead to data loss.
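
The renaming scheme and the ransom note file name described above are enough to scope an infection from a plain file listing. The following is an added example, not part of the original article: it parses the “.lina” naming pattern to recover each file’s original name, the victim ID and the contact address, and counts affected files per directory. The ID character set is an assumption generalised from the article’s single sample, and the file paths are constructed.

```python
import re
from collections import Counter
from pathlib import PureWindowsPath

# Pattern from the article's example:
#   user-manual.pdf.id-GHjyu823.[linajamser@aol.com].lina
# Assumption: the ID is alphanumeric, as in that one sample.
LINA_NAME = re.compile(
    r"^(?P<original>.+)\.id-(?P<victim_id>[A-Za-z0-9]+)"
    r"\.\[(?P<contact>[^\[\]\s]+@[^\[\]\s]+)\]\.lina$",
    re.IGNORECASE,
)
NOTE_NAME = "files encrypted.txt"  # ransom note name given in the article


def parse_lina_name(path):
    """Return original name, victim ID and contact for a renamed file, else None."""
    m = LINA_NAME.match(PureWindowsPath(path).name)
    return m.groupdict() if m else None


def triage(paths):
    """Summarise a listing: encrypted files, ransom notes, IDs, contacts, directories."""
    report = {"encrypted": [], "notes": [], "ids": Counter(),
              "contacts": Counter(), "dirs": Counter()}
    for p in paths:
        wp = PureWindowsPath(p)
        if wp.name.lower() == NOTE_NAME:
            report["notes"].append(p)
            continue
        hit = parse_lina_name(p)
        if hit:
            report["encrypted"].append((p, hit["original"]))
            report["ids"][hit["victim_id"]] += 1
            report["contacts"][hit["contact"].lower()] += 1
            report["dirs"][str(wp.parent)] += 1
    return report


# Constructed sample listing (not from a real incident).
SAMPLE = [
    r"C:\Users\amy\Documents\user-manual.pdf.id-GHjyu823.[linajamser@aol.com].lina",
    r"C:\Users\amy\Documents\budget.xlsx.id-GHjyu823.[linajamser@aol.com].lina",
    r"C:\Users\amy\Desktop\FILES ENCRYPTED.txt",
    r"C:\Users\amy\Pictures\lina.jpg",         # benign: name merely contains "lina"
    r"C:\Users\amy\Documents\notes.lina.txt",  # benign: ".lina" is not the final suffix
]

if __name__ == "__main__":
    r = triage(SAMPLE)
    print(len(r["encrypted"]), "encrypted;", dict(r["ids"]), dict(r["dirs"]))
```

More than one victim ID or contact address in the same listing suggests separate infections and is worth recording before any cleanup.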

Decryption

Unfortunately, there is no official third-party decryption tool for Lina ransomware. However, victims should not pay the ransom as they are dealing with criminals who are likely to double-cross them.

Victims can use backups stored on external or cloud storage to recover their data. Of course, Lina must be removed before any file-recovery operation is attempted. Otherwise, the ransomware will not only re-encrypt the restored data, but could also infect the backup device and corrupt the data stored on it.

How Lina Ransomware Infects Its Victims

There is no evidence showing that Lina brute-forces its way into a system. This ransomware reaches its victims via more mundane distribution channels. Such ransomware threats usually spread across the web hidden in malicious messages, corrupted links, pirated software and fake updates. Trojans could also deliver Lina ransomware.

Malspam – The most common malware distribution channel is still the malicious message. Whether it’s an email or an instant message, any messaging platform can be exploited for malicious purposes. Criminals usually impersonate well-known and trusted companies and organizations to lure their victims into traps. Therefore, experts recommend treating all unexpected messages as potentially dangerous.

Pirated software – Hackers are aware that many people are looking for a way to bypass paid software activation. The criminals upload “cracked” app installers that infect the device with various malware threats.

Trojans – Trojans are programmed to download and install malware. They are also capable of remotely accessing a system and providing their operators with full control of the host device.

Reactionary Times News Desk
