.Arena file extension virus misguides users

Untangling ransomware

If your files are now marked with the .arena file extension, it suggests that a file-encrypting virus took a liking to your files. However, determining which ransomware has settled on the device might not be an easy task.

Such confusion is understandable, since two major ransomware families, CryptoMix and Dharma/Crysis[1], have released new editions that both append almost identical file extensions. Take a look at this brief article and its tips on how to avoid encountering them.

CryptoMix developers keep challenging IT experts

This malware family perhaps has by far the biggest number of “offspring” and the most curious story. The main reason this particular group has managed to expand so far is the IT professionals’ ability to crack the released malware versions.

However, the authors persistently generate new versions. Unfortunately, the latest ones may indeed be labeled full-fledged malware, and the latest edition, CryptoMix Arena, happens to be one of them.

This malware replaces the original file name with a hexadecimal string of digits and characters and appends .arena at the end. It also opens its own graphical user interface and a _HELP_INSTRUCTION.txt file that indicates the contact email address; it now uses ms.heisenberg@aol.com[2].

In addition, the cyber criminals let victims decrypt a few files, up to 2 MB, for free. One peculiar feature of the malware is that it uses 11 RSA-1024 keys to encrypt the main AES key which encrypted the files. This not only lowers the chances of decryption but also allows the malware to operate offline.

Dharma virus family strikes with more destructive versions

Unfortunately, this is another big malware group that keeps targeting users with elaborate crypto-malware. The latest version causes some confusion as it also appends the .id-[id].[email].arena file extension, but it introduces new, more complex features.

A closer look reveals elaborate malware features. It is set to delete volume shadow copies, which unfortunately leaves fewer chances of restoring data. Nonetheless, if you have backed up[3] your files beforehand, you will be able to restore them.

In contrast to the previously discussed file-encrypting virus, the Crysis Arena ransomware developers give chivas@aolonline.top and macgregor@aolonline.top as contact email addresses.
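To make the distinction the article draws concrete, here is an added triage example (not the author's code) that sorts a directory listing into the two Arena variants from file names alone, serving both the CryptoMix and the Dharma/Crysis descriptions above. It assumes a CryptoMix name is a pure hex string plus .arena, reads the article's .id-[id].[email].arena as a victim id followed by the contact address in square brackets, and uses a constructed listing built with the contact addresses quoted in the article.

```python
import re
from collections import Counter

# CryptoMix Arena replaces the original name with a hexadecimal string and appends ".arena".
CRYPTOMIX_RE = re.compile(r"^[0-9A-Fa-f]+\.arena$")

# Dharma/Crysis Arena keeps the original name and appends ".id-<id>.[<email>].arena".
# Assumption: the article's "[id]" is read as a placeholder for the victim id, and
# "[email]" as the contact address kept inside literal square brackets.
DHARMA_RE = re.compile(
    r"^(?P<original>.+)\.id-(?P<victim_id>[^.\[\]]+)\.\[(?P<email>[^\[\]]+)\]\.arena$"
)

def classify_arena_file(filename):
    """Return which Arena family a file name points to and the fields it exposes."""
    m = DHARMA_RE.match(filename)
    if m:
        return {"family": "Dharma/Crysis Arena", **m.groupdict()}
    if CRYPTOMIX_RE.match(filename):
        # The original name is gone; nothing can be recovered from the name itself.
        return {"family": "CryptoMix Arena", "original": None}
    if filename.lower().endswith(".arena"):
        return {"family": "unknown .arena variant"}
    return {"family": None}

def triage(filenames):
    """Count files per family and collect contact addresses embedded in Dharma-style names."""
    families = Counter()
    emails = set()
    for name in filenames:
        result = classify_arena_file(name)
        if result["family"] is None:
            continue
        families[result["family"]] += 1
        if "email" in result:
            emails.add(result["email"].lower())
    return families, sorted(emails)

# Constructed sample listing (not from a real incident); the addresses are those quoted in the article.
SAMPLE_LISTING = [
    "3A9F0C7E4B1D2F6680AC55E1DD8B9C02.arena",
    "0F1E2D3C4B5A69788796A5B4C3D2E1F0.arena",
    "quarterly-report.xlsx.id-1A2B3C4D.[chivas@aolonline.top].arena",
    "family-photo.jpg.id-1A2B3C4D.[macgregor@aolonline.top].arena",
    "notes.txt",
    "_HELP_INSTRUCTION.txt",
]
```

Run `triage(SAMPLE_LISTING)` to get a per-family count and the contact addresses seen, which is what you need to match the listing against the two descriptions above before picking a decryption or restore path.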

Countering ransomware threats

With new, more elaborate viruses emerging, users should be more vigilant than ever before. While it is possible to screen spam emails manually, malware removal tools will help ward off threats. Finally, here is some advice that will come in handy:

  • keep backup copies in the cloud
  • keep the system and anti-virus software up to date
  • do not open email and chat attachments without verifying their authenticity

Ugnius Kiguolis