Attackers push data wipers disguised as ransomware on adult websites

Threat intelligence firm Cyble has reported a malicious campaign in which threat actors spread data wipers disguised as ransomware on adult websites.

The attackers use host names that indicate that they were offering nude photos, such as nude-girlss.mywire[.]org, sexyphotos.kozow[.]com and sexy-photo[.]online.

Cyble explained that the sites would ask users to download an executable file called SexyPhotos.JPG.exe, which embodies a JPG image. Once launched, the fake ransomware drops four executables (del.exe, open.exe, windll.exe, and windowss.exe) and a batch file (avtstart.bat) in the user’s %temp% directory and executes them.

While the batch file copies all four executables to the Windows Startup folder, “windowss.exe” is executed to drop three additional files, including “windows.bat,” which performs the renaming.

Based on investigations, the researchers discovered that the malware is not a ransomware, but a malware designed to use the fake encryption as a decoy while deleting almost all files on a user’s drive.

Should users be infected with the malware, it is best that they bring their operating system back to a previous state, since the fake ransomware doesn’t delete shadow copies. It is also important that users perform regular backups.

The sources for this piece include an article in BleepingComputer.

IT World Canada Staff
IT World Canada Staff
The online resource for Canadian Information Technology professionals.

Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada

Featured Download

ITW in your inbox

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

More Best of The Web