AeR, a formidable member of the Dharma ransomware family, has surfaced as a significant threat in the cyber landscape. This article aims to dissect the workings of AeR ransomware, shedding light on its actions, consequences for victims, and providing comprehensive insights into detection names, similar threats, and proactive measures to prevent future infections.
Understanding AeR Ransomware
AeR, hailing from the Dharma ransomware lineage, operates as a crypto virus designed to encrypt files and coerce victims into paying ransoms for decryption. This malware was uncovered during routine analysis on VirusTotal submissions, revealing its potent capabilities.
Consequences of AeR Ransomware:
Upon infecting a system, AeR encrypts files, appending a unique victim ID, cybercriminals’ email address, and the “.AeR” extension to filenames. Victims witness a transformation of files like “1.jpg” to “1.jpg.id-9ECFA84E.[firstname.lastname@example.org].AeR.” The ransomware delivers a clear message through two distinct ransom notes – a desktop text file named “info.txt” and a pop-up window. Victims are coerced into contacting cybercriminals for decryption instructions, with a ransom payment in Bitcoin implied.
Detection Names and Similar Threats:
Detection names for AeR include Avast (Win32:RansomX-gen [Ransom]), Combo Cleaner (Trojan.Ransom.Crysis.E), ESET-NOD32 (A Variant Of Win32/Filecoder.Crysis.P), Kaspersky (Trojan-Ransom.Win32.Crusis.to), Microsoft (Ransom:Win32/Wadhrama!pz), among others. Similar threats within the Dharma ransomware family include Pings, Mango, Evil Ant, Cdtt, and SomeOrdinaryGamers Mutahar, each with unique characteristics despite their shared ransomware functionality.
AeR Ransomware Overview:
As part of the Dharma malware group, AeR encrypts both local and network-shared files, terminating processes associated with opened files to ensure comprehensive encryption. Dharma ransomware, including AeR, exhibits persistence mechanisms by copying malware to specific paths and registering it with Run keys, ensuring automatic execution upon system restarts. Additionally, the ransomware erases Volume Shadow Copies to eliminate recovery options.
Dharma ransomware, including AeR, often exploits vulnerabilities in RDP services, employing brute-force and dictionary attacks for infiltration. The malware’s distribution involves phishing tactics, social engineering, and disguising malicious files as regular programs, media, or attachments in spam emails.
Preventing AeR Infections
- Secure RDP: Strengthen Remote Desktop Protocol (RDP) security by using strong, unique passwords and enabling network-level authentication.
- Exercise Caution with Emails: Avoid opening attachments or clicking links in unsolicited or suspicious emails. Verify the sender’s authenticity.
- Download from Trusted Sources: Obtain software and files only from reputable sources, avoiding unofficial and free file-hosting sites or peer-to-peer networks.
- Regular Backups: Maintain up-to-date backups in multiple locations, ensuring data recovery options in case of an infection.
- Keep Software Updated: Regularly update operating systems and software to patch vulnerabilities and enhance security.
AeR ransomware exemplifies the evolving and pervasive nature of cyber threats. Understanding its tactics, implications, and adopting proactive measures are crucial steps in safeguarding against such malicious attacks. Victims are strongly advised against paying ransoms, as it does not guarantee file recovery and supports illegal activities. This article, coupled with awareness and cybersecurity hygiene, serves as a guide to fortify defenses against the menace of AeR ransomware and its counterparts.