A new member of the infamous Dharma ransomware family has been observed in the wild. Dubbed TEREN, the new ransomware is named after the extension it appends to every file it encrypts.
TEREN is a typical representative of the Dharma ransomware family. It uses a strong cipher to lock user-generated files and deny the owner access to their data.
TEREN Ransomware: How it Works
Upon successful infiltration, TEREN scans the system for files such as databases, pictures, music, archives, and spreadsheets. It then uses a strong encryption algorithm to lock those files and prevent the user from accessing them.
Files encrypted by the ransomware are easy to recognize, because the threat renames them following a simple scheme. It keeps the original filename and extension, then appends a unique alphanumeric string representing the victim's ID, followed by the criminals' email address in square brackets and the ".TEREN" extension at the end of every encrypted file.
For example, a file named "pictures.rar" is renamed to "pictures.rar.C342DF324.[databack44@tuta.io].TEREN".
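As an added example (not part of the original write-up), the following Python script parses filenames that follow the renaming scheme just described and triages a directory listing for incident response: it pulls the original name, victim ID and contact e-mail out of each encrypted file and records which folders hold the "FILES ENCRYPTED.txt" note. The function names and the sample paths are constructed for this illustration.

```python
import re
from typing import Iterable, NamedTuple, Optional

TEREN_NAME_RE = re.compile(
    r"^(?P<original>.+?)"                  # original file name with extension
    r"\.(?P<victim_id>[A-Za-z0-9-]+)"      # alphanumeric victim ID
    r"\.\[(?P<email>[^\]\s]+@[^\]\s]+)\]"  # contact e-mail in square brackets
    r"\.TEREN$",                           # extension appended by the ransomware
    re.IGNORECASE,
)
RANSOM_NOTE_NAME = "FILES ENCRYPTED.txt"  # dropped in every affected folder


class TerenHit(NamedTuple):
    folder: str
    original_name: str
    victim_id: str
    email: str

def parse_teren_name(folder: str, filename: str) -> Optional[TerenHit]:
    """Return the name's components if it follows the TEREN scheme, else None."""
    m = TEREN_NAME_RE.match(filename)
    if not m:
        return None
    return TerenHit(folder, m["original"], m["victim_id"], m["email"].lower())

def triage(paths: Iterable[str]) -> dict:
    """Summarise '/'-separated paths: encrypted files, note folders, IDs, e-mails."""
    hits, note_folders = [], []
    for path in paths:
        folder, _, name = path.rpartition("/")
        if name == RANSOM_NOTE_NAME:
            note_folders.append(folder)
        elif (hit := parse_teren_name(folder, name)) is not None:
            hits.append(hit)
    return {
        "encrypted": hits,
        "note_folders": sorted(set(note_folders)),
        "victim_ids": sorted({h.victim_id for h in hits}),  # for the incident ticket
        "emails": sorted({h.email for h in hits}),          # for the mail blocklist
    }

# Constructed sample listing (not from a real infection) for a quick self-check.
SAMPLE_PATHS = [
    "C:/Users/alice/Documents/pictures.rar.C342DF324.[databack44@tuta.io].TEREN",
    "C:/Users/alice/Documents/budget.2021.xlsx.C342DF324.[databack44@tuta.io].TEREN",
    "C:/Users/alice/Documents/FILES ENCRYPTED.txt",
    "C:/Users/alice/Documents/archive.TEREN.bak",  # looks similar, not the scheme
]
```

Calling triage(SAMPLE_PATHS) reports two encrypted files with their original names intact, one victim ID, one contact address and one folder containing the note; the look-alike name is ignored.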
Ransom Demands
TEREN drops two ransom notes: a simple text file named "FILES ENCRYPTED.txt", placed in every folder containing encrypted files, and a pop-up window displayed once the encryption process is complete.
TEREN's operators promise decryption in exchange for a ransom paid in Bitcoin. No specific amount is mentioned; the price depends on how quickly the victim contacts the attackers.
Text file ransom message:
'all your data has been locked us
You want to return?
Write email databack44@tuta.io or decrypt24@gytmail.com.'
Full Ransom Note Text:
'All your files have been encrypted!
All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the email databack44@tuta.io
Write this ID in the title of your message -
In case of no answer in 24 hours write us to theese e-mails:decrypt24@gytmail.com
You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files.
Free decryption as guarantee
Before paying you can send us up to 1 file for free decryption. The total size of files must be less than 1Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.)
How to obtain Bitcoins
The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price.
hxxps://localbitcoins.com/buy_bitcoins
Also you can find other places to buy Bitcoins and beginners guide here:
hxxp://www.coindesk.com/information/how-can-i-buy-bitcoins/
Attention!
Do not rename encrypted files.
Do not try to decrypt your data using third-party software, it may cause permanent data loss.
Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.'
Victims are instructed to contact the criminals at the databack44@tuta.io or decrypt24@gytmail.com email addresses and to include in their message the victim ID mentioned in the ransom note.
The criminals offer to decrypt one file for free as proof that decryption is possible. Of course, this offer has conditions: victims can send only a small file (up to 1MB) that does not contain valuable information such as databases or spreadsheets.
How Does TEREN Ransomware Spread?
TEREN ransomware relies on classic distribution techniques such as malspam campaigns, fake software updates, pirated programs, and software activators. Trojans already present on a system could also deliver the ransomware as second-stage malware.
Experts warn that most cyber infections are preventable. Criminals exploit popular events and social engineering to lure unprepared users into traps, but their attempts fall flat when users follow security best practices.