The Iran Computer Emergency Response Team Coordination Center (Iran CERTCC) has warned users of an ongoing distribution campaign for Tyrant ransomware. First spotted by G Data security researcher Karsten Hahn, the strain is currently making its way to unsuspecting users via modified versions of the Psiphon VPN app. Upon successful infection, Tyrant demands victims pay the equivalent of $15 within 24 hours. Its Farsi-written ransom note directs affected users to complete payment via one of two local payment processors, exchanging.ir and webmoney724.ir. The threat also provides them with [email protected] and the Telegram username @Ttyperns as means of contacting the attackers. https://twitter.com/struppigel/status/919834205202378752 Tyrant doesn't always succeed in encrypting a victim's files, however. Iran CERTCC elaborates on this observation in an alert:
"Initial analysis suggests that this is the first version, or trial, of a larger attack because despite the encryption operation, sometimes the [ransomware] does not succeed in encrypting victim files, and moreover, despite the fact that there are many changes in the victim's system registry, it is not able to maintain its functionality after rebooting the system."
It therefore comes as no surprise that Tyrant is actually a member of DUMB, a family of ransomware based on proof-of-concept code published on GitHub and later forked by others. First spotted by Bleeping Computer founder Lawrence Abrams in January 2017, DUMB's early variants used simplistic XOR encryption and saved the encryption key in their encrypted file. This made decryption easy, reports Bleeping Computer's Catalin Cimpanu. So easy, in fact, that one variant self-decrypted as soon as a victim closed out the ransom note. Security researcher MalwareHunterTeam is investigating whether users can decrypt the ransomware the same way as other DUMB variants at the time of this writing. To protect themselves against threats like Tyrant, users should download VPN applications and similar programs directly from either the developers' websites or their profiles on official app marketplaces. They should also work to prevent a ransomware infection by keeping their computers up-to-date and installing an anti-virus solution onto their machines. Lastly, they should back up their data just in case they suffer a ransomware attack.
