A new HiddenTear crypto-virus variant, named Korean ransomware, was discovered in the wild. Its ransom note is written in Korean, so it is believed to target mainly Korean users, although users elsewhere in the world can also become its victims. The Korean ransomware will encrypt your files and add the .암호화됨 extension to them. Read the article to the end to see how you can remove the ransomware and possibly decrypt your files.
| Short Description | The ransomware encrypts all your important files and displays a ransom message, giving out details about the ransom payment. |
| Symptoms | The ransomware encrypts files and appends the .암호화됨 extension to each of them. |
| Distribution Method | Spam Emails, File Sharing Networks |
Korean Ransomware – Infection Spread
Korean ransomware could be using targeted attacks to infect computers, and its victims are probably mainly of Korean origin. Other infection methods could exist as well, depending on what the cyber crooks decide to do: spam emails delivering malicious attachments; an exploit kit abusing a vulnerability in outdated software or on an unpatched website as an entry point; or social media networks and file-sharing services. Be extremely careful with your online actions and refrain from interacting with dubious emails, links, websites or files.
Korean Ransomware – Technical Details
Korean ransomware is based on the HiddenTear project. It is called that because its ransom note is in the Korean language and it targets mainly users who speak that language. This does not exclude the possibility of other people becoming victims of this crypto-virus. The malware researcher Michael Gillespie discovered the ransomware a little over a day ago.
The ransomware might make the following entry in the Windows Registry:
If that entry is indeed made, the ransomware will maintain persistence and launch with each start of the Windows Operating System.
After the Korean ransomware encrypts a user’s files, it creates the file ReadMe.txt, which is a ransom message written in Korean. You can preview it here:
The text inside it reads:
당신 의 파일 이 암호화 되었습니다. zMUTnnIOp / Ns & 3G [Password]
A rough English translation of that ransom message reads:
Your files have been encrypted. zMUTnnIOp / Ns & 3G [Password]
But that is not all – there is another file, which is the actual ransom note with instructions for paying the ransom. The file is a picture and is put on your desktop, so you see it. Here it is:
The text there is again in Korean and translates into English as the following:
Your files have been encrypted.
Download and install https://www.torproject.org/projects/torbrowser.html.en
and enter your ID-code.
[Website and code given] Follow the instructions on the site.
From the tweet of Michael Gillespie mentioned earlier, we find out that the website used for a decryption service is in actuality that of CrypMIC ransomware. You can see a picture of the website down here:
The website has remained active for more than two months, and the cyber criminals have probably amassed lots of money from their victims. The owners of the Korean ransomware could be affiliates or partners of the people who created CrypMIC, or even the same people.
That is not important, because whatever the case is, you should not pay them. There is no guarantee that you will get your files decrypted, nor that the crooks will answer you. If the owners of the two ransomware viruses are different, there may be a mismatch between the encryption and decryption processes, leaving you with nothing.
.png, .xls, .xlsx, .doc, .docx, .ppt, .pptx, .psd, .svg, .bak, .db, .txt, .rar, .zip, .jpeg, .jpg, .pdf, .sql
The above list contains file extensions that people still use on a daily basis to save their important data, so files of those types are the ones that will almost certainly get encrypted. Encrypted files receive the .암호화됨 extension, which translates exactly to “encrypted” in English. The Korean ransomware locks the files using an AES 256-bit algorithm, as many other HiddenTear variants do.
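A triage script for a machine that may have been hit, written here as an added example and not taken from the article or from any tool it mentions: it walks a directory tree, counts files carrying the .암호화됨 extension by their original suffix, flags any original suffix outside the list above, and collects ReadMe.txt notes. The sample directory it builds is constructed for the demonstration.

```python
import tempfile
from collections import Counter
from pathlib import Path

# Values taken from the article: the appended extension, the note file name
# and the file types the ransomware reportedly goes after.
ENCRYPTED_EXT = ".암호화됨"
NOTE_NAME = "ReadMe.txt"
TARGETED_EXTS = {".png", ".xls", ".xlsx", ".doc", ".docx", ".ppt", ".pptx",
                 ".psd", ".svg", ".bak", ".db", ".txt", ".rar", ".zip",
                 ".jpeg", ".jpg", ".pdf", ".sql"}


def triage(root):
    """Walk `root` and return (counts of encrypted files per original suffix,
    paths of ransom notes found, original suffixes not on the targeted list)."""
    by_ext = Counter()
    notes = []
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        if path.name == NOTE_NAME:
            notes.append(str(path))
        elif path.name.endswith(ENCRYPTED_EXT):
            # Strip the ransomware extension to recover the original suffix.
            original = Path(path.name[:-len(ENCRYPTED_EXT)]).suffix.lower()
            by_ext[original or "(none)"] += 1
    unexpected = sorted(e for e in by_ext if e not in TARGETED_EXTS)
    return by_ext, notes, unexpected


def build_sample_tree():
    """Constructed sample directory imitating an infected machine (not real data)."""
    root = Path(tempfile.mkdtemp(prefix="korean_rw_"))
    for name in ("report.docx", "photo.jpg", "dump.sql", "notes.txt", "archive.7z"):
        (root / (name + ENCRYPTED_EXT)).write_bytes(b"\x00constructed")
    (root / "clean.ini").write_bytes(b"untouched")  # never renamed, must not count
    (root / "sub").mkdir()
    (root / "sub" / NOTE_NAME).write_text("constructed note", encoding="utf-8")
    return str(root)


if __name__ == "__main__":
    counts, found_notes, odd = triage(build_sample_tree())
    print(dict(counts), found_notes, odd)
```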
It is not known whether Korean ransomware deletes the Shadow Volume Copies from the Windows Operating System, but it very likely does.
Remove Korean Ransomware and Restore .암호화됨 Encrypted Files
If your computer system got infected with the Korean ransomware, you should have some experience in malware removal. You should get rid of this ransomware as quickly as possible, before it encrypts other files and spreads further across your network. The recommended way to remove the ransomware effectively is to follow the step-by-step instruction manual provided below.