A brand new type of the 7ev3n Ransomware has been recently discovered by the security researcher Mosh. The new variant of the ransomware has rebranded itself as 7ev3n-HONE$T and it will encrypt your data first and ransom your files for approximately $400 USD in bitcoins after that.
Currently, no one knows how it is being distributed or what encryption type 7ev3n-HONE$T uses. However, the main problem with this ransomware is that there is no way to decrypt the files for free at this time.
After 7ev3n-HONE$T encrypts your data, it will rename your files to sequential numbers using the .R5A extension. For instance, a folder’s files would be renamed to 1.R5A, 2.R5A, 3.R5A, etc. After that, 7ev3n-HONE$T will add the name of the encrypted file to the C:\Users\Public\files file.
Once the ransomware has finished encrypting your data, it will connect to the Command & Control server and upload a variety of information and statistics. The information sent is your assigned bitcoin address, the total amount of files encrypted, the amount of each type of file extensions, and your unique ID.
The security researcher Mosh stated that the Command & Control server is located at the IP address 188.8.131.52 (Turkey Istanbul Radore Veri Merkezi Hizmetleri As / AS197328).
After it’s completed, the following files will be located in the C:\Users\Public folder:
- C:\Users\Public\conlhost.exe – The ransomware executable
- C:\Users\Public\files – The list of encrypted files
- C:\Users\Public\FILES_BACK.txt – An alternative method to contact the ransomware developer
- C:\Users\Public\testdecrypt – A list of files that can be decrypted for free
- C:\Users\Public\time.e – The timestamp of when the ransomware encrypted your files
In this case, the ransomware lock screen is broken up into four different windows.
The first window is the main lock screen and it displays the ransom note and bitcoin address that payment should be sent to. The second screen lets you perform a test decryption on three to five files. The third screen shows a list of the encrypted files, and the fourth screen provides information on how to pay the ransom.
Currently, the greatest issue with 7ev3n-HONE$T Ransomware is the fact that there is no way to decrypt the encrypted files for free yet.