Two recent variants Meds and Kvag ransomware come strong after changes in DJVU encryption process
Cybercriminals who develop Djvu ransomware, have recently made changes to the encryption processes of more recent versions, so STOP virus decrypter that was the best option for victims cannot work. It all started with .gero and .hese extensions, but the more recent versions Meds ransomware and Kvag ransomware appear to be the most dangerous out of the last ten variants that got released after changes.
The initial information about the ransomware family has not been changed, probably on purpose, so the focus can remain on encryption and coding changes. Developers started to use asymmetrical encryption method, and offline keys that helped victims to recover encoded files before are no longer existing. Researches needed to release final keys for the decryption tool and announce that STOP virus decrypter is no longer supported.
Unfortunately, researchers that released all those tools and later updates are not capable of helping victims. Offline keys and online keys cannot be used for decryption, in the meantime, so you need to rely on other methods. Unfortunately, there are not many of them. You can try to check for the available decryption tools here.
Ransomware on the rise again
Previously ransomware was not the most popular malware in the world of cybersecurity because cryptocurrency mining threats, financial Trojans, and other dangerous threats become more dangerous. Especially when decryption tools get released by researchers more often and ransomware can be terminated. When it comes to financial malware, cryptojacking threats, there are more significant amounts of money criminals can make from one victim. This is the reason why business ransomware was more popular than threats targeting individual PC users.
Some ransomware creators also retired, got arrested and otherwise managed, so new threats remain un the low for a while. However, DJVU ransomware came with a bang back in 2018. But researchers haven’t thought that spring 2019 going to be as big as it was. Starting with a few versions a month, developers released variant after variant and launched at least 160 during the summer, up till September. These recent versions see to be altered, and more dangerous versions can be expected in the future.
Ransomware spreading vectors differ from malware to malware
The most common techniques used by ransomware developers to deliver this notorious type malware still remain unprotected RDP and spam email attachments with infected files. Unfortunately, vectors change from time to time, and different attacks are based on various methods.
Targeted large-scale attacks of ransomware, in most cases, are based on breaking through the unprotected RDP and using other security flaws that can be used to get access to the needed network. When a target is an individual person, spam email attachments when the document is infected with macro viruses get employed.
However, these Djvu ransomware variants are known for spreading with the help of cracks delivered online. Video game cheat codes, serial numbers of software, cracked operating systems or programs are downloaded and, in most cases, from non-legitimate sources, torrent sites, p2p sharing services. If you choose to get NBA, Gta, CS or other game serial keys, license cracks and so on, be aware of possible infections. This activity is illegal, in the first place, remember that.
What can you do?
Since decryption tools are not available for the virus, you need to rely on third-party software for file recovery and remove the malware with professional anti-malware or pay for the service from the particular researcher that offers to restore your data.
If you are in a business environment, consider running scripts that can lock users from running applications without authorization. You should leave the opportunity to use programs that are needed on a daily basis, but block the access to open ransom programs and scripts. Also, lockdown Office suite, so random macros from unreliable sources cannot get triggered automatically. Take precautionary measures to protect the network.
