The PoisonFang virus is a new ransomware that contains many advanced components that can cause widespread damage on the infected hosts. The security analysis shows that it bears no code from any of the other famous families. Our article shows how active infections can be removed and the data restored.
| Item | Details |
|---|---|
| Short Description | The ransomware encrypts sensitive information on your computer system and demands a ransom to be paid to allegedly recover them. |
| Symptoms | The ransomware will encrypt your files with a strong encryption algorithm. |
| Distribution Method | Spam Emails, Email Attachments |
PoisonFang Virus – Distribution Ways
The PoisonFang virus is a newly released virus that probably originates from Israel. The ongoing hacker attacks use the most popular tactics in order to increase the number of infected users.
A main tactic is the use of email phishing messages — they utilize text, images and design elements taken from well-known companies or services. The associated virus files may be either attached directly or hyperlinked in the body contents. Along with the fake download sites that are created in a similar fashion the emails are the most widely used mechanisms for spreading infected payloads.
The first type of infected payload is the malicious document: the hackers embed code that launches the virus infection sequence. When the victim opens the file, a notification appears asking the user to enable the built-in macros (scripts). As soon as this is done the PoisonFang virus is installed on the host system.
The second type makes use of hacker-modified installers, which are created by taking the legitimate installer from the vendor's official download page and altering it to carry the virus. The criminals usually target software that is popular with end users: creativity suites, system utilities or general-purpose productivity apps.
Another mechanism used to spread the files is browser hijackers. These are hacker-made plugins for the most popular web browsers, usually distributed through the browsers' own extension repositories. Their listings often use fake user reviews and developer credentials along with an elaborate description.
PoisonFang Virus – In-Depth Analysis
The PoisonFang virus is a newly released ransomware that appears to be the work of its own hacker or criminal collective. The initial security analysis does not show any code snippets from any of the well-known ransomware families.
During the investigation the researchers found that the engine is modular in nature, allowing many components to be included in its default infection sequence. This gives the hackers the ability to customize the attacks to their targets.
The captured strains contain numerous mechanisms that infiltrate the system at a deep level. One of the first actions started is a data harvesting module. It is customized to extract strings that can reveal sensitive data about both the users and their machine. The collected information can be classified into two data types:
- Private Information — Strings that relate to the victims and can expose their identity. This includes data such as their name, address, location, interests and passwords.
- Campaign Metrics — This data type consists of information that can be used to optimize the hacker attacks. This can include anything from the installed hardware components to certain operating system values.
The collected information can then be used by another module that is responsible for bypassing the security countermeasures found on the infected host. The list includes signatures belonging to anti-virus software, virtual machine hosts and sandbox/debug environments.
Once the infection has been deployed on a computer, the virus process can hook into any running programs and services, including those that have administrative privileges. To make things more difficult it can spawn numerous processes and launch commands in virtual memory. This makes it very difficult for system administrators to contain the infection.
Further system modifications include a wide range of malicious actions such as the following:
- Windows Services Modification — The PoisonFang virus has been found to be able to enable or disable certain services such as Windows Defender.
- System Checks — The virus has been found to perform several different types of security checks, such as checking for the presence of certain files or for strings in configuration files.
- Guarded Memory Regions Creation — The virus engine can run in protected memory which avoids memory dumping and further analysis.
- Settings Manipulation — The virus is capable of changing the Internet proxy settings which can redirect the traffic through a hacker-controlled server.
The virus also manipulates the boot options by disabling the boot recovery menu, which also makes manual user recovery very difficult. In addition the PoisonFang virus module is installed as a persistent threat that starts automatically whenever the computer is booted.
Additionally the engine deletes the Shadow Volume Copies and System Restore files to make it more difficult to recover the victim data. In such cases the victims will need to resort to a professional data recovery program; refer to our instructions for more details.
The engine is capable of infecting other computers on the network by interacting with the Windows Mount Manager, the component that is responsible for network shares and removable device connections.
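The following read-only PowerShell triage script is added here as an example; it is not part of the original article or of any vendor tool. It checks a Windows host for the modifications described above (Defender service state, a disabled boot recovery menu, missing Shadow Volume Copies, redirected proxy settings and autostart entries) and assumes an elevated session with the standard bcdedit tool and registry locations available.

```powershell
# Added triage script (example, not from the article). Reports only; changes nothing.
$findings = @()

# 1. Windows Defender service state (the article notes the virus can disable it)
$defender = Get-Service -Name WinDefend -ErrorAction SilentlyContinue
if (-not $defender) {
    $findings += 'WinDefend service not found'
} elseif ($defender.Status -ne 'Running' -or $defender.StartType -eq 'Disabled') {
    $findings += "WinDefend service is $($defender.Status) (start type $($defender.StartType))"
}

# 2. Boot recovery menu disabled in the current boot entry
$bcd = bcdedit /enum '{current}' 2>$null
if ($bcd -match 'recoveryenabled\s+No') {
    $findings += 'Boot recovery menu is disabled (recoveryenabled = No)'
}

# 3. Shadow Volume Copies removed (none present on the system)
$shadows = @(Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue)
if ($shadows.Count -eq 0) {
    $findings += 'No Volume Shadow Copies present'
}

# 4. Internet proxy enabled; compare the server against your organisation's policy
$inet = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$proxy = Get-ItemProperty -Path $inet -ErrorAction SilentlyContinue
if ($proxy -and $proxy.ProxyEnable -eq 1 -and $proxy.ProxyServer) {
    $findings += "Proxy enabled: $($proxy.ProxyServer)"
}

# 5. Autostart (persistence) entries under the common Run keys
$runKeys = @('HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
             'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run')
foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        # Skip the provider metadata properties (PSPath, PSDrive, ...)
        if ($p.Name -like 'PS*') { continue }
        $findings += "Run entry [$key] $($p.Name) = $($p.Value)"
    }
}

if ($findings.Count -eq 0) { 'No indicators found by these checks.' }
else { $findings | ForEach-Object { "[!] $_" } }
```

Run entries and a configured proxy are reported for review rather than flagged as malicious, since legitimate software uses both; the remaining three checks directly match the behaviours described in the analysis.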
PoisonFang Virus — Encryption
The ransomware engine is started once all prior components have finished executing. It uses a strong cipher to encrypt the data; it is suspected that the virus utilizes a built-in list of target file types:
A lockscreen instance is then created which blocks all typical computer interactions until the threat is completely removed. It reads the following message:
THIS SOFTWARE IS FOR ACADEMIC RESEARCH PURPOSES ONLY!
Poisonfang was developed as part of a ransomware project at the Technion Israel Institute of Technology
At the moment we cannot confirm if this is true as it has been found to contain many components that are reminiscent of actual advanced ransomware.
Remove PoisonFang Ransomware Virus and Restore Encrypted Files
If your computer got infected with the PoisonFang ransomware virus, you should have a bit of experience in removing malware. You should get rid of this ransomware as quickly as possible, before it has the chance to spread further and infect other computers. Remove the ransomware by following the step-by-step guide provided below.