What is Strawhat ransomware? And how does it implement its attack?
Strawhat ransomware is a new file-encrypting threat built on the open-source Hidden Tear project and designed to encrypt its victims’ files. However, after a series of thorough tests, it was found that this crypto-malware is most likely still in development: its original version locks files only in one directory, C:\test, so you’ve got nothing to worry about if you don’t have this folder. As of now it does not encrypt files located in other directories and does not even work on Windows 7. That does not mean you should let your guard down, though, as it might be updated at any time.
Strawhat ransomware was first observed on online antivirus scanning platforms, which cyber crooks often use to test whether their threats can evade detection by antivirus programs. Although this ransomware hasn’t been publicly released yet, according to security experts Strawhat started appearing in early September. It seems to be increasing its presence in the current threat ecosystem substantially, which is why, even though it can’t fully encrypt files yet, it still remains a threat: its developers might update it. As of now, Strawhat is targeting these file formats:
.wma, .flv, .mkv, .mov, .avi, .mpeg, .mpg, .wmv, .mdb, .sql, .sqlite3, .pptm, .xltm, .xlsm, .xml, .dotm, .dot, .xlm, .dotx, .csv, .pem, .csr, .crt, .key, .mp4, .pptx.
In its current state, Strawhat ransomware only pretends to encrypt the files: it renames them by appending a random file extension to each one. After its supposed encryption process, it creates two files, YOUR_FILES_ARE_ENCRYPTED.txt and YOUR_FILES_ARE_ENCRYPTED.html, and displays a ransom note that includes a pirate flag drawn in ASCII characters. It also replaces the affected computer’s desktop wallpaper with a copy of the ransom note. Here’s the full text of its ransom note:
“YOU BECAME VICTIM OF the Strawhat Ransomware!
The files on your computer have been encrypted with an military grade encryption algorithm. There is no way to restore your data without a special decryption program.
Now you should send us email with your personal identifier. This email will be as confirmation you are ready to pay for decryption key. You have to pay for decryption in Bitcoins. The price depends on how fast you write to us.
Contact us for payment instructions and after you paid we will send you the decryption tool that will decrypt all your files.
Personal identifier: [34 RANDOM CHARACTERS]
Contact email address: [EMAIL ACCOUNT]”
Regardless of the technical specifications it blurts out to sound alarming, you shouldn’t believe a thing in this ransom note, as it is only a ploy to make you pay the ransom. Besides, the note does not even mention how many Bitcoins you should purchase. Luckily, this ransomware does not function on most systems unless the Visual Basic Power Packs are installed. Strawhat ransomware runs as a malicious executable named StrawHat PDF.exe, a name that already gives away its purpose, so make sure that you end its process in the Task Manager. It is detected as Generic.Ransom.Hiddentear.A.64B049AA, Trojan.Ransom.StrawHat and Ransom.HiddenTear.
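Because the article says the current build only renames files and drops the two note files, an affected folder can be triaged and, once you have confirmed it is this variant, recovered by renaming. The script below is an added example written for this article, not code from the article or from the malware: it scans a directory for the two ransom-note names and for files that still carry one of the targeted extensions with an extra suffix appended, then strips that suffix without ever overwriting an existing file. The sample directory, file names and appended suffixes are constructed for the demo; the list treats the article’s “mkv” as “.mkv” (an assumption).

```python
"""Triage helper for the renaming behaviour the article attributes to Strawhat.

Assumptions (not from the article): targeted files end up as <name>.<ext>.<random>,
the notes keep their exact names, and a file that still ends in its real extension
was not touched. Everything under run_demo() is constructed sample data.
"""
import os
import tempfile
from pathlib import Path

# Extension list quoted in the article (".mkv" assumed for the bare "mkv").
TARGETED_EXTS = {
    ".wma", ".flv", ".mkv", ".mov", ".avi", ".mpeg", ".mpg", ".wmv", ".mdb",
    ".sql", ".sqlite3", ".pptm", ".xltm", ".xlsm", ".xml", ".dotm", ".dot",
    ".xlm", ".dotx", ".csv", ".pem", ".csr", ".crt", ".key", ".mp4", ".pptx",
}
RANSOM_NOTES = {"YOUR_FILES_ARE_ENCRYPTED.txt", "YOUR_FILES_ARE_ENCRYPTED.html"}


def looks_renamed(path) -> bool:
    """True when the second-to-last suffix is a targeted extension and one more
    suffix was appended, e.g. 'backup.sql.k3j9x'. 'intro.mp4' is not flagged."""
    suffixes = Path(path).suffixes
    return (
        len(suffixes) >= 2
        and suffixes[-2].lower() in TARGETED_EXTS
        and suffixes[-1].lower() not in TARGETED_EXTS
    )


def scan(root):
    """Walk `root` and collect ransom notes and apparently renamed files."""
    notes, renamed = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if name in RANSOM_NOTES:
                notes.append(p)
            elif looks_renamed(p):
                renamed.append(p)
    return {"ransom_notes": sorted(notes), "renamed_files": sorted(renamed)}


def restore_names(renamed, dry_run=True):
    """Drop the appended suffix. Only valid because the article states the current
    build renames rather than encrypts; a file whose original name already exists
    is skipped so nothing is overwritten. Returns the (old, new) pairs planned."""
    plan = []
    for p in renamed:
        target = p.with_suffix("")  # removes only the last suffix
        if target.exists():
            continue
        plan.append((p, target))
        if not dry_run:
            p.rename(target)
    return plan


def run_demo():
    """Build a constructed sample tree in a temp dir, scan it, restore for real."""
    root = Path(tempfile.mkdtemp(prefix="strawhat_demo_"))
    sample = {
        "backup.sql.k3j9x": b"CREATE TABLE t (id INT);",  # renamed, restorable
        "notes.csv.p8q2m": b"a,b\n1,2\n",                  # renamed, restorable
        "intro.mp4": b"\x00\x00\x00\x18ftypmp42",          # untouched target type
        "readme.docx": b"PK",                              # not a targeted type
        "YOUR_FILES_ARE_ENCRYPTED.txt": b"YOU BECAME VICTIM OF the Strawhat Ransomware!",
        "YOUR_FILES_ARE_ENCRYPTED.html": b"<pre>constructed note</pre>",
    }
    for name, data in sample.items():
        (root / name).write_bytes(data)
    before = scan(root)
    moves = restore_names(before["renamed_files"], dry_run=False)
    after = scan(root)
    return {
        "notes_found": sorted(p.name for p in before["ransom_notes"]),
        "renamed_found": sorted(p.name for p in before["renamed_files"]),
        "restored_to": sorted(t.name for _, t in moves),
        "renamed_left": len(after["renamed_files"]),
        "sql_intact": (root / "backup.sql").read_bytes() == sample["backup.sql.k3j9x"],
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Run `scan()` on a copy of the folder first and keep `dry_run=True` until the plan looks right; if the variant you are looking at has been updated to really encrypt, the renamed-back files will still be unreadable, and the only thing the rename changes is the name.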
Here’s how you can obliterate Strawhat ransomware before it becomes a big pain in the head:
Step 1. Open the Task Manager simply by tapping the Ctrl + Shift + Esc keys on your keyboard.
Step 2. Under the Task Manager, go to the Processes tab and look for StrawHat PDF.exe and any suspicious-looking process that takes up most of your CPU’s resources and is most likely related to Strawhat ransomware.
Step 3. After that, close the Task Manager.
Step 4. Tap Win + R, type in appwiz.cpl and click OK or tap Enter to open Control Panel’s list of installed programs.
Step 5. Under the list of installed programs, look for StrawHat PDF.exe or Strawhat ransomware or anything similar and then uninstall it.
Step 6. Next, close Control Panel and tap the Win + E keys to launch File Explorer.
Step 7. Navigate to the following locations below and look for Strawhat ransomware’s malicious components such as StrawHat PDF.exe, YOUR_FILES_ARE_ENCRYPTED.txt and YOUR_FILES_ARE_ENCRYPTED.html, as well as other suspicious files, and then delete all of them.
Step 8. Close the File Explorer.
Before you proceed to the next steps below, make sure that you are tech savvy enough that you know exactly how to use and navigate your computer’s Registry. Keep in mind that any changes you make there will heavily impact your computer. To save you the trouble and time, you can just use PC Cleaner Pro; this system tool is proven to be safe and excellent enough that hackers won’t be able to hack into it. But if you can manage the Windows Registry well, then by all means go on to the next steps.
Step 9. Tap Win + R to open Run, then type regedit in the field and tap Enter to pull up the Windows Registry.
Step 10. Navigate to the following path:
Step 11. Delete the registry keys and sub-keys created by Strawhat ransomware.
Step 12. Close the Registry Editor and empty your Recycle Bin.
To make sure that nothing is left behind and that Strawhat ransomware is completely removed, use the following antivirus program. To use it, refer to the instructions below.
Perform a full system scan using SpyRemover Pro. To do so, follow these steps:
- Turn on your computer. If it’s already on, you have to reboot.
- After that, the BIOS screen will be displayed, but if Windows pops up instead, reboot your computer and try again. Once you’re on the BIOS screen, repeatedly press F8; by doing so the Advanced Options menu shows up.
- To navigate the Advanced Options menu, use the arrow keys and select Safe Mode with Networking then hit
- Windows will now load Safe Mode with Networking.
- Press and hold both the R key and the Windows key.
- If done correctly, the Windows Run box will show up.
- Type in explorer http://www.fixmypcfree.com/install/spyremoverpro
A single space must be in between explorer and http. Click OK.
- A dialog box will be displayed by Internet Explorer. Click Run to begin downloading the program. Installation will start automatically once the download is done.
- Click OK to launch it.
- Run SpyRemover Pro and perform a full system scan.
- After all the infections are identified, click REMOVE ALL.
- Register the program to protect your computer from future threats.