Ransomware is a scourge of our time. It works by encrypting the files on the attacked system so that the victims no longer have access to them. The attackers then demand a ransom in exchange for the key that decrypts the files. Often they also set a deadline for their victims; if it passes, the data may be deleted. Some ransomware attacks can also infect other devices on the LAN. Attackers are not targeting only home networks and devices, but also companies, hospitals and other services.
Ransomware keeps evolving over time. In 2016 a ransomware family called "Dharma" appeared, and thanks to the upgrades and additions made since then it is still a serious risk. Trend Micro recently discovered a new Dharma variant that misuses the Eset AV Remover tool from the Slovenian security company Eset.
The attack arrives via an email that appears to come from Microsoft and states that the victim's computer is at risk. The email then says that, to stay safe, the user must download a protection tool. The self-extracting file is protected with the password "www.microsoft.com", which is given in the email.
After the "security tool" is downloaded and run, the Eset AV Remover user interface appears. Along with the Eset tool, however, a secondary file containing the ransomware code is also executed. While the user is busy installing the tool, the ransomware encrypts the victim's files in the background, appending the extension .ETH to each affected file.
Finally, a ransom note informs the victim that their files have been encrypted and that they must pay to decrypt them, with instructions on how to contact the attackers and pay the ransom demanded.
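The encryption behaviour described above leaves a simple trace on the endpoint: one process writing many files with the .ETH extension in a short burst while the decoy installer is still waiting for the user. The following detection script is an added example (not code from the article or from Trend Micro) that runs over a constructed file-activity log in an assumed "timestamp process operation path" format; the process names, paths and the 60-second / 5-file thresholds are assumptions, and only the .ETH extension comes from the article.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of file-activity events (not real telemetry). One event per
# line: "<ISO timestamp> <process> <operation> <path>"; paths contain no spaces.
# "winhost.exe" is an assumed, made-up name for the dropped ransomware process.
SAMPLE_EVENTS = r"""
2019-05-10T09:12:01 avremover.exe CREATE C:\Users\alice\AppData\Local\Temp\avremover.log
2019-05-10T09:12:03 winhost.exe WRITE C:\Users\alice\Documents\report.docx.ETH
2019-05-10T09:12:03 winhost.exe DELETE C:\Users\alice\Documents\report.docx
2019-05-10T09:12:04 winhost.exe WRITE C:\Users\alice\Documents\budget.xlsx.ETH
2019-05-10T09:12:04 winhost.exe DELETE C:\Users\alice\Documents\budget.xlsx
2019-05-10T09:12:05 winhost.exe WRITE C:\Users\alice\Pictures\holiday.jpg.ETH
2019-05-10T09:12:05 winhost.exe WRITE C:\Users\alice\Pictures\family.jpg.ETH
2019-05-10T09:12:06 winhost.exe WRITE C:\Users\alice\Desktop\notes.txt.ETH
2019-05-10T09:12:07 avremover.exe WRITE C:\Users\alice\AppData\Local\Temp\avremover.log
2019-05-10T09:40:00 excel.exe WRITE C:\Users\alice\Documents\chain.ETH
"""

EVENT_RE = re.compile(r"^(\S+)\s+(\S+)\s+(CREATE|WRITE|RENAME|DELETE)\s+(\S+)$")
ENCRYPTED_SUFFIX = ".ETH"  # extension the article reports Dharma appending


def parse_events(text):
    """Parse log lines into (timestamp, process, operation, path) tuples.

    Malformed lines are skipped so one bad record does not abort the scan.
    """
    events = []
    for line in text.strip().splitlines():
        match = EVENT_RE.match(line.strip())
        if not match:
            continue
        ts, proc, op, path = match.groups()
        events.append((datetime.fromisoformat(ts), proc, op, path))
    return events


def find_mass_encryption(events, window_seconds=60, threshold=5):
    """Return {process: max_distinct_files} for every process that produced at
    least `threshold` distinct *.ETH files inside any `window_seconds` window.

    The threshold keeps a single benign file that happens to use the
    extension (excel.exe above) from raising an alert.
    """
    per_proc = defaultdict(list)
    for ts, proc, op, path in sorted(events):
        if op in ("CREATE", "WRITE", "RENAME") and path.upper().endswith(ENCRYPTED_SUFFIX):
            per_proc[proc].append((ts, path))

    window = timedelta(seconds=window_seconds)
    findings = {}
    for proc, hits in per_proc.items():
        hits.sort()
        best = 0
        # Sliding window anchored at each hit; inputs are small, so O(n^2) is fine.
        for i, (t0, _) in enumerate(hits):
            distinct = {p for t, p in hits[i:] if t - t0 <= window}
            best = max(best, len(distinct))
        if best >= threshold:
            findings[proc] = best
    return findings


def scan(text, **kwargs):
    """Convenience wrapper: parse a log and return the suspicious processes."""
    return find_mass_encryption(parse_events(text), **kwargs)


if __name__ == "__main__":
    for proc, count in scan(SAMPLE_EVENTS).items():
        print(f"ALERT: {proc} wrote {count} distinct *.ETH files within 60s")
```

In the sample, only the assumed ransomware process crosses the threshold; the decoy avremover.exe and the single unrelated .ETH write are ignored. A real deployment would feed the same logic from the endpoint's file-event telemetry and would pair each .ETH write with the deletion of the original file as a second signal.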
As for Eset AV Remover, it does not matter whether the tool starts or installs successfully; it is only a trick to conceal the ransomware's activity. The encryption process is independent of the installation status of this tool.
Eset AV Remover is a tool for quickly and easily uninstalling antivirus software from a computer. In this case "Dharma" and the Eset tool run simultaneously: the tool's installer waits for user interaction while "Dharma" is already encrypting files, so the attack does not first uninstall the security software and only then begin encrypting.