Ransomware is a plague of computer systems. In short, it encrypts the files on your computer so that you can no longer access them, and then demands payment, usually in cryptocurrency, to decrypt them. In many cases you also have only a limited time to pay; otherwise you lose all your data for good. Some ransomware can also infect other devices on your LAN. The targets are not only home computers: critical systems are hit as well, as in the case of the hospital in Nitra, here in Slovakia, which was infected by WannaCry.
Ransomware attacks keep getting more sophisticated. In 2016 a ransomware family called “Dharma” appeared, and thanks to many changes and updates it has kept its destructive power. Its newest variant, found by Trend Micro, abuses the name of the Slovak security company Eset and its product Eset AV Remover.
This malicious code is spread by e-mail. The e-mails appear to come from Microsoft and claim that the victim’s computer is at risk of file corruption or even damage to the whole operating system. To stay safe, the attacker says, you have to download a security tool to verify your antivirus software. The self-extracting archive is protected by the password “www.microsoft.com”, which is given in the e-mail.
After the “security tool” is downloaded and run, the user interface of Eset AV Remover appears. It is the original, unmodified official tool from Eset. But alongside Eset’s tool, a second file containing the ransomware code is executed. In practice the user is busy installing the tool while, in the background, the ransomware is encrypting the victim’s files. The extension *.ETH is appended to affected files.
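The appended *.ETH extension is the one artifact on disk that a defender can look for while the encryption is still running. The following script is an added example, not code from the article or from Trend Micro: it scans a list of file paths for names that end in .ETH, recovers the original file name, and reports directories where the count crosses a threshold. The sample paths and the threshold of three are constructed for illustration; a real deployment would feed it a directory walk or a file-system audit log.

```python
"""Heuristic triage for files renamed with the .ETH extension used by this Dharma variant.

Added example (not from the article). Scans file paths for the appended .ETH
suffix, recovers the original name and flags directories with a burst of hits.
"""
from collections import Counter
from pathlib import PureWindowsPath

ETH_SUFFIX = ".eth"  # matched case-insensitively: the article gives *.ETH


def is_eth_renamed(name: str) -> bool:
    """True when a file name ends in .ETH, e.g. 'report.docx.ETH'."""
    return name.lower().endswith(ETH_SUFFIX)


def original_name(name: str) -> str:
    """Strip the appended .ETH so responders know which file was hit."""
    if not is_eth_renamed(name):
        return name
    return name[: -len(ETH_SUFFIX)]


def summarize(paths) -> dict:
    """Return {directory: number of .ETH-renamed files} for the given paths."""
    hits = Counter()
    for path in paths:
        p = PureWindowsPath(path)  # handles both '\\' and '/' separators
        if is_eth_renamed(p.name):
            hits[str(p.parent)] += 1
    return dict(hits)


def directories_over_threshold(paths, threshold: int = 3) -> list:
    """Directories with at least `threshold` renamed files, sorted for stable output.

    A single .ETH file may be harmless; several in one folder within a short
    window is the pattern an encrypting process leaves behind.
    """
    return sorted(d for d, n in summarize(paths).items() if n >= threshold)


# Constructed sample listing (hypothetical host, not real victim data).
SAMPLE_PATHS = [
    r"C:\Users\alice\Documents\report.docx.ETH",
    r"C:\Users\alice\Documents\budget.xlsx.ETH",
    r"C:\Users\alice\Documents\photo.jpg.ETH",
    r"C:\Users\alice\Documents\notes.txt",      # untouched file
    r"C:\Users\alice\Desktop\README.eth",       # lowercase variant still matches
    r"C:\Temp\vendor.data",                     # unrelated file
]

if __name__ == "__main__":
    for directory, count in summarize(SAMPLE_PATHS).items():
        print(f"{count} renamed file(s) in {directory}")
    for directory in directories_over_threshold(SAMPLE_PATHS):
        print(f"ALERT: possible active encryption in {directory}")
```

The script only reads names, so it can run from a read-only mount or against an exported file listing during incident response; the original_name helper is what you use to build the list of files to restore from backup.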
At the end, the classic “ransomware window” is shown. It informs the victim that the files are encrypted and that payment is required to decrypt them, with instructions on how to contact the attackers and how to obtain bitcoins.
As for Eset AV Remover, it does not matter whether the tool is launched or successfully installed; it is only a decoy to mask the ransomware’s activity. The encryption process runs independently of the tool’s installation status.
Eset AV Remover is a tool for quickly and easily uninstalling antivirus software from a computer. In this case, “Dharma” and Eset’s tool are executed at the same time. The AV Remover installer waits for the user to interact with it, but “Dharma” is already encrypting files, so the attack does not first uninstall the security software and only then start encrypting your files.
Source: Trend Micro