TmrCrypt0r Ransomware Will Lock Your Files


During our analysis of newly discovered malicious files, we came across a program called TmrCrypt0r, which is associated with the Xorist ransomware family.

When tested on our system, this ransomware encrypted various files and modified their filenames by appending the ".TMRCRYPT0R" extension. For instance, a file originally named "1.jpg" would appear as "1.jpg.TMRCRYPT0R", while "2.png" would become "2.png.TMRCRYPT0R", and so on. In addition to encrypting files, TmrCrypt0r presented ransom notes both in a pop-up window and in a text file.

The ransom notes demanded payment and informed victims that their data had been encrypted. The attackers set a three-day deadline for paying the ransom to regain access to the locked files. The amount was listed as $150, likely denominated in US dollars, with payment expected in Russian rubles through the Yoomoney wallet. However, although the ransom notes referred to the wallet's address, the address itself was not actually included. Moreover, the messages provided no contact information through which victims could communicate with the attackers.
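For scoping an incident and planning a restore from backup, the rename pattern described above can be used to inventory affected files. The following is an added example, not part of the original article: the function names, the sample tree, and the use of modification time as a rough timing hint are assumptions made for illustration.

```python
import os
import tempfile
from collections import Counter
from pathlib import Path

MARKER = ".TMRCRYPT0R"  # extension the article reports being appended


def inventory(root):
    """Return (encrypted_path, original_name, mtime) for each renamed file under root."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            # Compare case-insensitively; skip a file whose whole name is the marker.
            if len(name) > len(MARKER) and name.upper().endswith(MARKER):
                path = Path(dirpath) / name
                try:
                    mtime = path.stat().st_mtime
                except OSError:  # unreadable or removed mid-scan
                    continue
                hits.append((path, name[: -len(MARKER)], mtime))
    return hits


def summarize(hits):
    """Count hits per original file type; earliest mtime is only a rough hint."""
    by_type = Counter(Path(orig).suffix.lower() or "(none)" for _p, orig, _m in hits)
    first = min((m for _p, _o, m in hits), default=None)
    return {"count": len(hits), "by_type": dict(by_type), "first_mtime": first}


def build_sample_tree(root):
    """Constructed sample data: empty files named the way the article describes."""
    names = ["1.jpg.TMRCRYPT0R", "2.png.tmrcrypt0r", "docs/report.docx.TMRCRYPT0R",
             "notes.txt", ".TMRCRYPT0R"]
    for rel in names:
        p = Path(root) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.touch()


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        found = inventory(tmp)
        for path, original, _mtime in sorted(found):
            print(f"{path}  (was: {original})")
        print(summarize(found))
```

The script only reads directory entries and file metadata; it does not open, rename, or modify any file it finds.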

How Can Ransomware Like TmrCrypt0r Infect Your Home Computer?

Ransomware like TmrCrypt0r can infect your home computer through various methods. Here are some common ways:

  • Malicious Email Attachments: Cybercriminals often distribute ransomware by sending phishing emails that appear legitimate. These emails may contain infected attachments, such as documents or ZIP files, which, when opened, trigger the ransomware installation process.
  • Malicious Links: Cybercriminals may also distribute ransomware through malicious links embedded in emails, social media messages, or websites. Clicking on such links can lead to the download and execution of ransomware on your computer.
  • Exploit Kits: Ransomware can exploit vulnerabilities in software or operating systems. Visiting compromised websites or clicking on malicious ads can redirect you to exploit kits, which automatically scan your computer for vulnerabilities and deliver ransomware if any are found.
  • Drive-by Downloads: Ransomware can be silently downloaded onto your computer, without your knowledge or consent, when you visit compromised websites or click on malicious advertisements. These drive-by downloads exploit vulnerabilities in your browser or its plugins.
  • Fake Software Installers and Updates: Cybercriminals may create fake software installers or updates that mimic legitimate applications or system updates. When you download and run these malicious files, ransomware can be installed on your computer.
  • Peer-to-Peer File Sharing: Downloading files from untrusted sources, such as peer-to-peer (P2P) networks or torrents, increases the risk of downloading infected files embedded with ransomware.
June 13, 2023