Larry Abrams had the scoop: "A new ransomware has been spotted called 7ev3n that encrypts your data and demands 13 bitcoins to decrypt your files. A 13 bitcoin [almost $5,000] ransom demand is the largest we have seen to date for this type of infection, but that is only just one of the problems with this ransomware. In addition to the large ransom demand, the 7ev3n crypto-ransom malware also does a great job trashing the Windows system that it was installed on. It does this by modifying a variety of system settings and boot options so that keyboard keys and system recovery options are disabled on the computer. So between a victim's files being encrypted and the computer being trashed so you can't bypass the lock screen, it makes for a very frustrating experience." Here is how the ransom note looks:
When the ransomware is installed it also drops numerous files in the %LocalAppData% folder. The bcd.bat file contains BCDEDIT commands that disable a variety of recovery options in Windows. Unfortunately, at this time there is no way to decrypt the files for free, and to make matters worse, making the system usable again is a royal pain as well. More technical and recovery details here.
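Because the damage here comes from bcdedit being used to switch off boot-time recovery, a detection that watches process-creation command lines for that behaviour is worth having. The following is an added example (not code from the original post or from BleepingComputer): it scans constructed command lines of the kind a process-creation log (for instance the CommandLine field of Sysmon Event ID 1) would record, and also scans a constructed batch file, flagging the bcdedit options that disable recovery. The batch file content and command lines are made up for the example and are not the actual bcd.bat from the malware.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input (not the malware's real bcd.bat): command lines
# as a process-creation log would record them.
SAMPLE_COMMAND_LINES = [
    r'bcdedit /set {default} recoveryenabled No',
    r'bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures',
    r'C:\Windows\System32\bcdedit.exe /enum',
    r'bcdedit /set {current} description "Windows 10"',
    r'cmd.exe /c C:\Users\victim\AppData\Local\bcd.bat',
    r'notepad.exe report.txt',
]

# Constructed batch file text, mimicking the shape of a dropper's .bat file.
SAMPLE_BATCH_FILE = """@echo off
rem constructed example, not the real bcd.bat
bcdedit /set {default} recoveryenabled No
bcdedit /set {default} bootstatuspolicy ignoreallfailures
"""

# bcdedit settings that weaken boot-time recovery. Each regex is applied to
# the normalised (lower-cased, whitespace-collapsed) command line.
RECOVERY_TAMPERING_PATTERNS = {
    "recovery_disabled": re.compile(r"\brecoveryenabled\s+(no|off|false|0)\b"),
    "boot_failures_ignored": re.compile(r"\bbootstatuspolicy\s+ignoreallfailures\b"),
}


@dataclass(frozen=True)
class Finding:
    command_line: str
    reason: str


def normalise(cmd: str) -> str:
    """Lower-case and collapse whitespace so pattern matching is stable."""
    return " ".join(cmd.lower().split())


def is_bcdedit(norm_cmd: str) -> bool:
    """True when the (normalised) command invokes bcdedit, bare, with .exe, or by full path."""
    return re.search(r"(^|[\\/\s])bcdedit(\.exe)?\b", norm_cmd) is not None


def classify(cmd: str) -> Optional[str]:
    """Return the tampering reason for a command line, or None if it is benign."""
    norm = normalise(cmd)
    if not is_bcdedit(norm):
        return None
    for reason, pattern in RECOVERY_TAMPERING_PATTERNS.items():
        if pattern.search(norm):
            return reason
    return None


def scan(command_lines) -> List[Finding]:
    """Return one Finding per command line that disables a recovery option."""
    findings = []
    for cmd in command_lines:
        reason = classify(cmd)
        if reason:
            findings.append(Finding(cmd, reason))
    return findings


def scan_batch_file(text: str) -> List[Finding]:
    """Apply the same check to the lines of a .bat file, ignoring comments and echo control."""
    lines = []
    for raw in text.splitlines():
        line = raw.strip().lstrip("@")
        if not line or line.lower().startswith(("rem ", "::")):
            continue
        lines.append(line)
    return scan(lines)


if __name__ == "__main__":
    for f in scan(SAMPLE_COMMAND_LINES):
        print(f"ALERT [{f.reason}] process: {f.command_line}")
    for f in scan_batch_file(SAMPLE_BATCH_FILE):
        print(f"ALERT [{f.reason}] batch line: {f.command_line}")
```

Enumerating the store (`bcdedit /enum`) and cosmetic changes such as the description are deliberately left alone, so the rule fires on the recovery-disabling settings rather than on every bcdedit invocation; an administrator imaging workstations would otherwise drown the alert in noise.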
What To Do About It
- It is still in the early days, at the moment there is no known way to decrypt the files for free, but if malware researchers reverse engineer the code and find a way to get your files back, we will update this post.
- Your best protection remains a solid and proven backup strategy, with regular off-site copies.
- For mitigation purposes, treat this like any other ransomware. Continue blocking executables from running from standard paths (%appdata%, %temp%, etc.). There are now dedicated anti-ransomware tools out there; check WinAntiRansom and Malwarebytes Anti-Ransom.
- Stepping your users through effective security awareness training is a must these days. Find out how affordable this is for your organization and be pleasantly surprised.
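The mitigation bullet above recommends blocking executables from user-writable paths such as %appdata% and %temp%. As an added example (not code from the original post, and the post does not name a particular enforcement tool), here is a small Python generator for an AppLocker policy that expresses that rule. It assumes AppLocker is the mechanism in use and uses AppLocker's own path variables (%OSDRIVE%, %WINDIR%, %PROGRAMFILES%), since ordinary environment variables are not expanded inside AppLocker rules. The allow rules are included because an enabled Exe collection with no allow rules blocks everything, and the policy defaults to AuditOnly so the deny rules can be reviewed in the event log before they are enforced.

```python
import uuid
import xml.etree.ElementTree as ET

# User-writable locations where %APPDATA%, %LOCALAPPDATA% and %TEMP% resolve
# by default, plus the machine-wide Temp folder. Deny rules in AppLocker take
# precedence over allow rules, so %WINDIR%\Temp is blocked even though
# %WINDIR% as a whole is allowed below.
DENY_PATHS = [
    r"%OSDRIVE%\Users\*\AppData\*",
    r"%WINDIR%\Temp\*",
]

# The usual default allow rules: without these, nothing would run once the
# collection is switched to Enabled.
ALLOW_PATHS = [r"%WINDIR%\*", r"%PROGRAMFILES%\*"]

EVERYONE_SID = "S-1-1-0"
ADMINISTRATORS_SID = "S-1-5-32-544"


def _path_rule(parent, name, path, action, sid, description=""):
    """Append one FilePathRule (Allow or Deny) to a RuleCollection element."""
    rule = ET.SubElement(
        parent, "FilePathRule",
        Id=str(uuid.uuid4()), Name=name, Description=description,
        UserOrGroupSid=sid, Action=action,
    )
    conditions = ET.SubElement(rule, "Conditions")
    ET.SubElement(conditions, "FilePathCondition", Path=path)
    return rule


def build_policy(enforcement_mode="AuditOnly") -> str:
    """Return AppLocker policy XML for the Exe collection.

    enforcement_mode is "AuditOnly" (log only) or "Enabled" (block).
    """
    root = ET.Element("AppLockerPolicy", Version="1")
    exe = ET.SubElement(root, "RuleCollection", Type="Exe",
                        EnforcementMode=enforcement_mode)
    for path in ALLOW_PATHS:
        _path_rule(exe, f"Allow {path}", path, "Allow", EVERYONE_SID)
    _path_rule(exe, "Allow administrators everything", "*", "Allow",
               ADMINISTRATORS_SID)
    for path in DENY_PATHS:
        _path_rule(exe, f"Deny executables in {path}", path, "Deny", EVERYONE_SID,
                   "Ransomware droppers commonly run from user-writable folders")
    return ET.tostring(root, encoding="unicode")


def summarise(policy_xml: str) -> dict:
    """Parse a policy back and list its allow/deny paths, for review or testing."""
    root = ET.fromstring(policy_xml)
    collection = root.find("RuleCollection")
    summary = {"mode": collection.get("EnforcementMode"), "allow": [], "deny": []}
    for rule in collection.findall("FilePathRule"):
        path = rule.find("Conditions/FilePathCondition").get("Path")
        summary[rule.get("Action").lower()].append(path)
    return summary


if __name__ == "__main__":
    xml_text = build_policy()
    with open("block-userwritable-paths.xml", "w", encoding="utf-8") as fh:
        fh.write(xml_text)
    print(summarise(xml_text))
```

The generated file can be imported on a test machine with `Set-AppLockerPolicy -XmlPolicy block-userwritable-paths.xml`; keep it in AuditOnly until the audit events show which legitimate per-user installers (several common business applications install under AppData) need explicit allow rules, then switch the collection to Enabled.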