Rakhni is a devastating ransomware program that targets cryptographic systems and encrypts the files present on the infected computers. It then demands a ransom from the victims in order to decrypt the encrypted files. Rakhni ransomware was found in 2013 and has been targeting new victims ever since, evolving through various versions along the way.
The unique characteristic of Rakhni ransomware is that, once it has infiltrated a system (either via phishing email messages or an infected payload document), it scans the system for Bitcoin or other cryptocurrency software installations. One reason cited for this is to encrypt the user's wallet private keys and prevent them from accessing their digital funds. Another reason for targeting systems that hold cryptocurrency funds is that the Rakhni ransomware authors believe such users will find it easier to pay the ransom to obtain the decryption key for the encrypted files.
The developers have coded Rakhni ransomware so that if it fails to find folders containing the string "Bitcoin", and its coin-miner module reckons that the system is powerful enough to handle coin-mining operations, it retrieves a cryptocurrency mining application from a remote server and installs it on the victim's system.
Besides Bitcoin, other cryptocurrencies targeted by this ransomware include Monero, Monero Original (a secure, private and untraceable currency system) and Dash coin (a next-generation digital currency based on the Bitcoin software).
The malware is known to have spread in countries including India, Russia, Germany, Ukraine and Kazakhstan, and is distributed mainly via spam email attachments. Its targets are primarily corporate users, as the study reveals that the malicious attachment is often disguised as a financial document.
The email attachment contains a PDF document which, when clicked, asks for permission to run an executable file from an unknown publisher. Once the user grants permission, Rakhni ransomware swings into action.
Other files that can be used to deploy the infection include:
An interesting characteristic of this infection is that, after the attachment is downloaded, it throws an error message claiming that the download has failed. This is a trick used by the developers to divert the user's attention away from the malicious script.
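The lure described above is a file that presents itself as a PDF but asks to run an executable. A mail gateway or endpoint check can catch that mismatch before the user sees the "unknown publisher" prompt by comparing the declared extension with the file's actual header bytes. The script below is an added example, not code from the original page or from any security vendor; the sample attachments it scans are constructed byte strings (the "PE" sample is just a minimal header layout, not a real program), and the set of extensions it treats as executable is an assumption, not an exhaustive list.

```python
import struct

PDF_MAGIC = b"%PDF-"          # every PDF begins with this header line
DOS_MAGIC = b"MZ"             # DOS stub that opens every Windows PE executable
PE_SIGNATURE = b"PE\x00\x00"  # PE header that the DOS stub points at

# Assumed list of extensions Windows will execute directly; extend for your environment.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd",
                         ".js", ".jse", ".vbs", ".vbe", ".hta"}


def is_pe(data: bytes) -> bool:
    """True if the bytes have a Windows PE layout: an 'MZ' DOS header whose
    e_lfanew field (little-endian uint32 at offset 0x3C) points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != DOS_MAGIC:
        return False
    pe_offset = struct.unpack_from("<I", data, 0x3C)[0]
    return data[pe_offset:pe_offset + 4] == PE_SIGNATURE


def content_type(data: bytes) -> str:
    """Classify by content alone, ignoring whatever the file name claims."""
    if data.startswith(PDF_MAGIC):
        return "pdf"
    if is_pe(data):
        return "pe"
    return "unknown"


def extensions(filename: str) -> list:
    """All dotted suffixes in order: 'invoice.pdf.exe' -> ['.pdf', '.exe']."""
    parts = filename.lower().split(".")
    return ["." + p for p in parts[1:]] if len(parts) > 1 else []


def classify_attachment(filename: str, data: bytes) -> dict:
    """Compare what the attachment claims to be with what its bytes say it is."""
    exts = extensions(filename)
    last = exts[-1] if exts else ""
    actual = content_type(data)
    findings = []
    if last == ".pdf" and actual != "pdf":
        findings.append("name says PDF but content is %s" % actual)
    if actual == "pe" and last not in EXECUTABLE_EXTENSIONS:
        findings.append("PE executable behind a non-executable extension")
    if len(exts) > 1 and last in EXECUTABLE_EXTENSIONS:
        findings.append("double extension ending in executable type %s" % last)
    return {"filename": filename, "declared": last, "actual": actual,
            "suspicious": bool(findings), "findings": findings}


def _fake_pe() -> bytes:
    """Constructed minimal byte layout that satisfies is_pe(); not a real program."""
    header = bytearray(0x40)
    header[:2] = DOS_MAGIC
    struct.pack_into("<I", header, 0x3C, 0x40)  # e_lfanew -> right after the DOS header
    return bytes(header) + PE_SIGNATURE + b"\x00" * 20


# Constructed sample attachments: one genuine PDF, two disguised executables, one text file.
SAMPLES = [
    ("statement_Q3.pdf", b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n"),
    ("invoice.pdf", _fake_pe()),        # executable content, PDF name
    ("invoice.pdf.exe", _fake_pe()),    # double extension
    ("notes.txt", b"plain text, nothing to see"),
]


def scan(samples=SAMPLES) -> list:
    return [classify_attachment(name, data) for name, data in samples]


if __name__ == "__main__":
    for r in scan():
        flag = "SUSPICIOUS" if r["suspicious"] else "ok"
        print("%-20s %-10s %s" % (r["filename"], flag, "; ".join(r["findings"])))
```

The check deliberately trusts the header bytes over the name: a renamed executable keeps its `MZ`/`PE` structure no matter what icon or extension it shows, so the content-versus-name comparison is what survives the disguise.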
Once it has infected the system, the ransomware disables Windows Defender. This removes the first line of defense against malware and spyware infections and leaves the system susceptible to a range of threats. It then installs forged digital certificates on the vulnerable system.
When the coast seems clear, the ransomware decides between installing a cryptocurrency miner on the victim's PC and, if a miner is already installed, encrypting files and demanding a ransom.
It then generates a malicious script that installs it as a persistent threat: whenever the system boots, the malicious component starts automatically.
Finally, the malicious program tries to expand its territory by copying the malicious code to other systems on the local network. This happens when company employees share access to the Users folder on their devices.
To avoid inflicting damage on your system, be wary of incoming messages received from unfamiliar sources.
Browsers Affected: Google Chrome, Internet Explorer, Mozilla Firefox, Safari, Opera
Targeted Operating System: Windows and MAC
Symptoms: The user's files are encrypted. All locked files have a malicious extension appended after encryption and hence cannot be accessed by the user. Unusual performance issues.
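The symptom list above (files that stop opening and carry an extra extension) is something a defender can look for on a file share before the ransom note is noticed. Two signals combine well: an unexpected suffix appended after a known document extension, and file contents whose byte entropy is close to that of cipher output. The script below is an added example, not code from the original page; the `.crypt` suffix, the entropy threshold and the extension sets are assumptions, and the "encrypted" files are constructed pseudo-random bytes, not output of any real ransomware. It also shows the main false-positive case: compressed formats such as DOCX, JPEG or ZIP are high-entropy when perfectly healthy, so entropy alone is not enough.

```python
import hashlib
import math
from collections import Counter

# Assumed: extensions a user's document store is expected to contain.
DOCUMENT_EXTENSIONS = {".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx",
                       ".pdf", ".txt", ".csv", ".jpg", ".png", ".zip"}
# Formats that are compressed by design and therefore high-entropy even when healthy.
COMPRESSED_FORMATS = {".docx", ".xlsx", ".pptx", ".jpg", ".png", ".zip"}
ENTROPY_THRESHOLD = 7.2  # bits per byte; assumed cut-off between text and cipher output


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for a constant file, 8.0 for uniform random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def suffixes(name: str) -> list:
    """Dotted suffixes in order: 'report.docx.crypt' -> ['.docx', '.crypt']."""
    parts = name.lower().split(".")
    return ["." + p for p in parts[1:]] if len(parts) > 1 else []


def triage(name: str, data: bytes) -> dict:
    """Combine the appended-extension signal with the entropy signal for one file."""
    exts = suffixes(name)
    last = exts[-1] if exts else ""
    prev = exts[-2] if len(exts) > 1 else ""
    entropy = shannon_entropy(data)
    appended = last not in DOCUMENT_EXTENSIONS and prev in DOCUMENT_EXTENSIONS
    high = entropy >= ENTROPY_THRESHOLD
    if appended and high:
        verdict = "likely-encrypted"          # both signals agree
    elif appended:
        verdict = "review-appended-extension"  # renamed, but content still readable
    elif high and last not in COMPRESSED_FORMATS:
        verdict = "review-high-entropy"        # random-looking bytes in a plain format
    else:
        verdict = "ok"                         # includes healthy compressed formats
    return {"name": name, "entropy": round(entropy, 2), "verdict": verdict}


def mass_encryption_alert(results: list, fraction: float = 0.5) -> bool:
    """Ransomware encrypts in bulk: alert when a large share of a tree is flagged."""
    if not results:
        return False
    flagged = sum(1 for r in results if r["verdict"] == "likely-encrypted")
    return flagged / len(results) >= fraction


def _pseudo_random(n: int, seed: bytes) -> bytes:
    """Constructed, deterministic high-entropy bytes standing in for ciphertext."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


# Constructed sample directory listing (name, contents).
TEXT = b"Quarterly figures attached. Please review and return by Friday.\n" * 60
SAMPLES = [
    ("report.docx.crypt", _pseudo_random(4096, b"a")),  # encrypted and renamed
    ("budget.xlsx.crypt", _pseudo_random(4096, b"b")),  # encrypted and renamed
    ("notes.txt.crypt", TEXT),                          # renamed only, still plaintext
    ("photo.jpg", _pseudo_random(4096, b"c")),          # healthy compressed format
    ("memo.txt", TEXT),                                 # healthy text
]


def scan(samples=SAMPLES) -> list:
    return [triage(name, data) for name, data in samples]


if __name__ == "__main__":
    results = scan()
    for r in results:
        print("%-20s entropy=%5.2f  %s" % (r["name"], r["entropy"], r["verdict"]))
    print("mass-encryption alert:", mass_encryption_alert(results))
```

On a real share the per-file verdicts matter less than the trend: a handful of high-entropy files is normal, but a rising fraction of `likely-encrypted` results across a tree in a short window is the pattern worth alerting on and isolating the host for.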
The researchers at Virus Removal Guidelines are dedicated to tracking down the latest vulnerabilities that may compromise your system security. Our team of experts performs detailed research on every malware infection before educating our users about it.