New TEREN Ransomware Corrupts Data to Extort BitCoin

A new member of the infamous Dharma ransomware family has been observed in the wild. Dubbed TEREN, the new ransomware is named after the extension it appends to every file it encrypts.

TEREN is a typical representative of the Dharma ransomware family. It uses an advanced cipher to lock user-generated files and prevent the owner from accessing their information. 

TEREN Ransomware: How it Works

Upon successful infiltration, TEREN scans the system for user data such as databases, pictures, music, archives, and spreadsheets. It then encrypts those files so that the user can no longer open them.

Files encrypted by the ransomware are easy to recognize because the threat renames them following a simple scheme. It keeps the original filename and extension, then appends a unique alphanumeric string representing the victim's ID, followed by the criminals' email address in square brackets and the ".TEREN" extension at the end of every encrypted file.

For example, a file named "pictures.rar" is renamed to "pictures.rar.C342DF324.[databack44@tuta.io].TEREN".
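As an added illustration (not code from the article or from any vendor tool), the following Python script recognizes the renaming scheme and ransom-note file name described above when run over a directory listing; the sample paths are constructed, while the victim ID and email address are the ones quoted in the article.

```python
import re
from typing import NamedTuple, Optional

# Renaming scheme described in the article:
#   <original name>.<victim ID>.[<attacker email>].TEREN
# The victim ID is alphanumeric; the email address sits in square brackets.
TEREN_RE = re.compile(
    r"^(?P<original>.+?)\.(?P<victim_id>[0-9A-Za-z]+)\."
    r"\[(?P<email>[^\]\s]+@[^\]\s]+)\]\.TEREN$"
)
RANSOM_NOTE = "FILES ENCRYPTED.txt"  # dropped in every folder with encrypted files


class TerenHit(NamedTuple):
    path: str
    original: str
    victim_id: str
    email: str


def parse_teren_name(path: str) -> Optional[TerenHit]:
    """Return the parsed parts if the file name follows the TEREN scheme, else None."""
    name = path.rsplit("/", 1)[-1]
    m = TEREN_RE.match(name)
    if not m:
        return None
    return TerenHit(path, m["original"], m["victim_id"], m["email"])


def triage(paths):
    """Split a listing into encrypted files and ransom notes.

    Returns (hits, notes, victim_ids, emails). The distinct IDs and addresses
    help confirm that all affected files belong to one campaign and give an
    incident report the contact details the victim was asked to use."""
    hits, notes = [], []
    for p in paths:
        if p.rsplit("/", 1)[-1] == RANSOM_NOTE:
            notes.append(p)
            continue
        hit = parse_teren_name(p)
        if hit:
            hits.append(hit)
    return hits, notes, {h.victim_id for h in hits}, {h.email for h in hits}


# Constructed sample listing (hypothetical paths, not real victim data).
SAMPLE = [
    "/srv/share/pictures.rar.C342DF324.[databack44@tuta.io].TEREN",
    "/srv/share/FILES ENCRYPTED.txt",
    "/srv/share/q1/budget.xlsx.C342DF324.[databack44@tuta.io].TEREN",
    "/srv/share/q1/FILES ENCRYPTED.txt",
    "/srv/share/readme.TEREN",  # bare extension only: not the full scheme
    "/srv/share/notes.txt",
]
```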

Ransom Demands

TEREN drops two ransom notes: a plain text file named "FILES ENCRYPTED.txt" placed in every folder containing encrypted files, and a pop-up window displayed after the encryption process completes.

TEREN's operators promise decryption in exchange for a ransom paid in Bitcoin. No specific amount is stated; the price is said to depend on how quickly the victim initiates communication with the attackers.

Text file ransom message:

'all your data has been locked us

You want to return?

Write email databack44@tuta.io or decrypt24@gytmail.com.'

Full Ransom Note Text:

'All your files have been encrypted!

All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the email databack44@tuta.io

Write this ID in the title of your message -

In case of no answer in 24 hours write us to theese e-mails:decrypt24@gytmail.com

You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files.

Free decryption as guarantee

Before paying you can send us up to 1 file for free decryption. The total size of files must be less than 1Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.)

How to obtain Bitcoins

The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price.

hxxps://localbitcoins.com/buy_bitcoins

Also you can find other places to buy Bitcoins and beginners guide here:

hxxp://www.coindesk.com/information/how-can-i-buy-bitcoins/

Attention!

Do not rename encrypted files.

Do not try to decrypt your data using third-party software, it may cause permanent data loss.

Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.'

Victims are instructed to contact the criminals at the email addresses databack44@tuta.io or decrypt24@gytmail.com. Their messages are supposed to include the victim ID referenced in the ransom note.

The criminals offer free decryption of one file as proof that decryption is possible. Of course, this offer has conditions: victims may send only a small file (up to 1 MB) that does not contain valuable information such as databases or spreadsheets.

How Does TEREN Ransomware Spread?

TEREN ransomware relies on classic distribution techniques, such as malspam campaigns, fake software updates, pirated programs, and software activators. Trojan infections could also deliver the ransomware as second-stage malware.

Experts warn that most cyber infections are preventable. Criminals exploit popular events and social engineering to lure unprepared users into traps. However, their attempts fall flat when users follow security best practices.

Reactionary Times News Desk
