Test subject – Arena ransomware, a variant of Crysis / Dharma
The .Arena ransomware marks a comeback for the Crysis/Dharma ransomware family. According to Michael Gillespie, the distribution method is not yet known, but most probably follows the pattern of the Crysis family, which used to be installed manually after successfully compromising the Remote Desktop Protocol. Once executed the ransomware appends the “Arena” extension at the end of the file names, after adding other information like an id and an email address. It compromises the shadow copies by running a command for the Volume Shadow Copy Service, so the information cannot be retrieved by running disk level file recovery tools. Currently, there are no decryption tools available for this variant.
Crysis/Dharma “Arena” ransomware test facts
The ransomware immediately attacks local files as well as accessible mapped and unmapped network drives. In our test, the malware managed to encrypt several tens of files within seconds. It also creates copies of itself in the System32 folder and registers those copies to be executed at next reboot. This ensures that the ransomware can run again and attack new files.
Crysis/Dharma “Arena” ransomware test results
TEMASOFT Ranstop detects this Crysis variant soon after it starts encrypting files. Upon detection, alerts are fired off, actions are executed as configured (i.e. isolate machine) and, at the same time, the malicious process is stopped and quarantined. All the encrypted files are automatically recovered to their original state, including the file name. Such an attack causes zero downtime to machines protected by TEMASOFT Ranstop.
About TEMASOFT Ranstop
TEMASOFT Ranstop is an anti-ransomware software that detects present and future ransomware, based on file access pattern analysis with a high degree of accuracy. At the same time, it protects user files so that they can be restored in case of malware attacks or accidental loss.
For more information, follow us on social media and subscribe to our newsletter.