Infected victims have only 24 hours to pay an amount of 520,000 IRR ($15) or else, all their data will be removed.
After being contacted or infected, the victim has only 24 hours to pay the equivalent of $15. The experts have assumed Tyrant ransomware specifically targets Iran, as the ransom note is in Farsi and uses two local payment processors (exchanging.ir and webmoney721.ir). The Tyrant ransom note also features two email addresses: firstname.lastname@example.org and Telegram username @Ttyperns.
The strain was first reported last on October 16 by Karsten Hahn, a G Data Security expert. After the report was made by Hahn, the alert was issued by The Iran Computer Emergency Response Team Coordination Center (Iran CERTCC), warning about a campaign of ransomware distribution currently running in Iran. According to the team of experts at Iran CERTCC, the cybercriminals have disguised the Tyrant ransomware as a very popular VPN app called Psiphon.
It has transpired that the person behind this attack might not be aware of the Iran government-linked group of cyber-espionage individuals known as Rocket Kittens. In the summer of 2016, Rocket Kittens traced Telegram IDs to users’ phone number in the summer of 2016.
The first variants of ransomware used by DUMB were a very simplistic XOR encryption and stored the encryption key within the encrypted file itself. One of the reasons DUMB was considered a “joke” ransomware was because the first ransomware version had a fault that made it self-decrypt once the user closed the ransom note window.
The tyrant ransomware belongs to the DUMB family of ransomware, which is based on ransomware code published on GitHub, later forked by other programmers.
— BleepingComputer (@BleepinComputer) June 19, 2017
Bleeping Computer asked MalwareHunter about the recent Tyrant ransomware attack, to which they jokingly responded, “A joke ransomware, without any protection used in the live attack? Made my day”. In addition, security specialist MalwareHunter is currently performing investigations as to determine if the Tyrant ransomware is decrypt-able in the same manner as former DUMB versions. This is due to the fact that aside from translating the note to Farsi, the Tyrant ransomware seems to have gone through little to no modifications from its other DUMB-based versions.
Initial analysis performed by the Iran CERTCC they appear to have the same opinion as Malware hunter, and have further claimed that this is the first variant of Tyrant ransomware, because despite the encryption operation, most of the time the program does not succeed in encrypting victim’s files, and it is not functional after rebooting the system.
Experts have called to organizations around the globe to heed the alert that was first issued by Iran CERTCC, as Remote Desktop protocol connections with weak credentials have become the main target for cybercriminals to install ransomware and steal important data from individuals and enterprises.