The Harasom trojan-ransomware family encrypt files and blocks the desktop with a screen-locker. Notification purporting to come from a government body or security-related organization informs the user of some fake-legal transgression with a payment demand in return for unlocking/decryption. It first started to appear in the first half of 2013. This was an extremely busy time for malware developers in what could be seen as the beginning or commercial ransomware. The ransomware below are two Harasom family variants:
This ransomware (sometimes known as xblblock ransomware) steals its name from The Spamhaus Project which is a research organization specializing in fighting cyber-crime, based in Switzerland. After entering by one of the usual malware routes (quickly installed freeware bundles; exploitation of a system vulnerability; infected spam ‘mail or through file-sharing), the ransomware encrypts files and embeds them in a HTML format. Then it locks the screen, with a notice supposedly from the Spamhaus Project starting: ‘You have lost control over your computer. Your system and all your files has been blocked and encrypted because you were spreading the Malware (viruses, trojans, worms).
You are breaking numerous International and USA laws…’. It also cites several other offences including the viewing of illegal pornography and licensed media material, and counter terrorism and all kinds of preposterous garbage, using poor language and diction. Spamhaus ransomware gives the victim 48 hours to pay $300, or ‘the local authorities and secret service will be contacted,’. Opening an encrypted HTML file will take the user to http://xblblock.com where instructions are found about how to pay by MoneyPak voucher.
Although there is a decryptor for this malware (created by Emsisoft), it is advised to remove Spamhaus as soon as possible because its presence represents a vulnerability to the infected system. Because of the screen-lock, to get rid of Spamhaus ransomware, it is necessary to re-boot in Safe Mode with Networking (see below). Once you have eradicated Spamhaus ransomware, use the decryption tool to reclaim files. It may be possible to replace files using Previous Versions by renaming the encrypted files with their original name, right-clicking on it and selecting Properties, then Previous Version option. If there is a useable replacement there, this may be a quicker option than decryption.
“Everything on your computer has been fully encrypted” Ransomware
The Everything on your computer has been fully encrypted ransomware is very similar in design to the last example, with generic coding and behavior. It differs in graphic interface and ransom demand (varying from $100 – 300). This one alleges to come from no less than the U.S Department of Justice, and again cites that the computer has been used for one of various infringements (pornography, unlicensed use, &c); it states: ‘In connection with the decision of the Government as of January 26, 2013, all of the violations described above could be considered criminal. If the fine has not been paid, you will become the subject of criminal prosecution. The fine is applicable only in the case of a primary violation. In the case of second violation you will appear before the Supreme Court of the USA’. This kind of threat can be seen as a precursor of the social engineering being increasingly employed in cybercrime.
As with Spamhouse ransomware, the user should delete Everything on your computer has been fully encrypted ransomware as soon as possible. The steps for this are the same, as are the decryption/file replacement options.
How to decrypt Harasom encrypted files?
Please, follow the steps below to successfully decrypt Harasom ransomware encrypted files:
Step 1: Download the free Harasom decrypter here: http://tmp.emsisoft.com/fw/decrypt_harasom.exe
Step 2: Run decrypt_harasom.exe. If Windows displays a message about the program’s security, please select “Run anyway”.
Step 3: Click “Add folder” to select a folder, containing encrypted files.
Step 4: Click “Decrypt” button to start the decryption process. Please, wait as long as it needs (it can take hours, even days).
The Harasom variants are not as virulent as the trojan-ransomware that has followed (with strong file-encryption, evasion, backup deletion &c). The employment of the inept social engineering is interesting here as it now plays a growing role in malware’s struggle against security technology – human psychology is the weakest link in the security chain. In 2014, there were several releases of ransomware that employs the Urausy trojan (Jandarna Genel Komutanligi ransomware, from this family). The methodology is very similar to Harasom, though the user interface was greatly enhanced and grammar and the language’s veracity was greatly improved. Though it is more of an inconvenience that a problem to deal with Harasom ransomware, it should be remembered that if this can infect a system, then there is a vulnerability open that could allow something really nasty to enter the same way.
Preventing Harasom ransomware
Practices, Policies and Programs are three areas users can concentrate efforts to prevent malware entering a system. Practices include the hardening of passwords (link please) and their security; safe download/install with scrutiny using Custom/Advanced rather than the quick instal option; deletion of or safe practice regarding unsolicited e-mails [how to read e-mails without opening] ; safe browsing regarding dubious ‘sites, or ‘sites that may have been compromised.
Policies strictly mean the Administrator settings that allow permission for functions within a system or network. By changing the Software Restriction Policies that allow an executable to run on certain paths it’s possible to disable a great deal of malware, should it get past security scanning (refer to the Microsoft ‘site for details of how to do this with different OS).
Programs: keep all software up-to-date and patch the OS. Delete any little-used programs. A good firewall should be installed and set to disallow communication with the I2P and TOR networks, and any unauthorized port use. While thinking about settings, to defend against malware in e-mail it is a good idea to disable ActiveX for each M/S Office format and learn more about malicious macros (link please). Browsers should be kept current and hardened. Scan regularly with good software that uses both signature-based and heuristic detection methods.