Korean Ransomware

Posted by Lisa Blanc on August 19, 2016

What is Korean Ransomware?

Malware researchers at Anti-spyware-101.com have tested a new ransomware called Korean Ransomware and say that you have to remove it before it becomes fully operational. At the time of this article, it did not encrypt any files, probably because it was still in development. Nevertheless, there are many things to discuss this ransomware. Once this ransomware is fully operational and if it infects your computer, then it will encrypt some of your files and demand that you pay a ransom for the decryption key. In short, the people behind it want to extort money from you, and there is no way of telling whether they will send you the promised decryption key.testtesttest

Where does Korean Ransomware come from?

From the outset, it is evident that this ransomware was created in South Korea and intended to be distributed in it as well. Apart from its ransom payment website that is in English, everything else related to this ransomware is in Korean. This includes the ransom note, the ReadMe.txt file, and the appended extension. Unfortunately, there is no information about how this ransomware is currently being disseminated, but the usual suspects are, as always, email spam, exploit kits, and Trojans.

Our malware analysts say that Korean Ransomware is similar to the likes of Microsoft Decryptor Ransomware and CrypMIC Ransomware because all of them use a similar web-based decryption service to enter the decryption key. They have also found that this new ransomware is based on the open-source Hidden-Tear project, a ransomware project that has resulted in the creation of close to 30 ransomware-type malware. Thankfully, the Hidden-Tear project has finally been discontinued, but that does not mean that there will not be any more new infections based on it.

What does Korean Ransomware do?

It uses Advanced Encryption Standard (AES) which is a symmetric encryption algorithm. In this particular case, it is the AES-256, the number 256 the key size in bits. AES-256 is the most commonly used encryption algorithm, yet it is robust enough to keep the files encrypted indefinitely. Security experts have to find a vulnerability in a ransomware's design that can help break the encryption, although this is seldom the case. Still, the encryption of some ransomware can be broken, and we think that sooner or later, a vulnerability in Korean Ransomware’s design will be found.

Research has revealed that it is configured to encrypt jpg, .png, .csv, .sql, .mdb, .hwp, .pdf, .txt, .doc, .docx, .xls, .xlsx, .ppt, .pptx, .odt .php, .asp, .aspx, .html, .xml, and .psd file formats. Now, the list may look short, but it is sufficient to compel the victims to pay the ransom because Korean Ransomware targets file times that are likely to contain personal information. While encrypting the files, it appends them with the .암호화됨 extension. The writing in Korean means “encrypted.” Once the encryption is complete, it will change the desktop wallpaper to an image that functions as the ransom note. The note provides you with the instructions and links on how to get the TOR browser and the URL where you have to enter the provided User ID code. The website is similar to that of CrypMIC Ransomware, so that is how we know that the two are related. In any case, this ransomware will also drop a file named ReadMe.txt that contains the text “당신의 파일이 암호화 되었습니다.G2BGZjucG=SCUfL” Note that the code at the end is subject to change. Its main executable file should be named either KakaoTalk.exe or Korean-HT.exe, and the infection should create a registry key at HKCU\Software\Microsoft\Windows\CurrentVersion\Run to run this executable on system startup.

How do I remove Korean Ransomware?

At present, we do not know how much money the cyber criminals want you to pay for the decryption key, but regardless of the sum, you should refrain from paying it because you might not get the key. We advocate for the safe removal of Korean Ransomware and have composed an easy to follow guide on how to delete its files. However, if you experience issues, then we suggest using SpyHunter as it is fully capable of eradicating Korean Ransomware.

Manual removal

  1. Delete KakaoTalk.exe/Korean-HT.exe from where it as launched.
  2. Empty the Recycle Bin.
  3. Press Windows+R keys.
  4. Enter regedit in the box and click OK.
  5. Go to HKCU\Software\Microsoft\Windows\CurrentVersion\Run
  6. Find the registry string with the Value data of KakaoTalk.exe/Korean-HT.exe.
  7. Right-click it and click Delete.
100% FREE spyware scan and
tested removal of Korean Ransomware*
Disclaimer
Disclaimer
Trojans

Leave a Comment

Enter the numbers in the box to the right *