7ev3n ransomware alters name, asks for much lower ransom


A variant of 7ev3n ransomware has modified its name and begun asking victims for a considerably lower ransom fee than it was seeking just a few months ago.

Security researchers originally detected the 7ev3n ransomware back in January of this year.

Though it hasn’t been around for long, this crypto-malware sample has already made waves for several distinguishing features, such as a ransom fee of 13 Bitcoins (more than US $5,000), an encryption process by which all encrypted files are renamed according to a numbered sequence with the .R5A extension, and a file named “%LocalAppData%\bcd.bat” which disables several critical Windows recovery options.

Together, these functions ensure each victim of 7ev3n doesn’t just get hit in their wallet. They also require an affected user to invest considerable time in resetting the damage inflicted by the ransomware. That includes using a Windows reinstallation disc to reactivate the deleted recovery options, removing all the files installed by the ransomware, and scanning an infected machine with an anti-virus solution.


That phase of 7ev3n might be over, however.

In a recent post, Lawrence Abrams of Bleeping Computer explains that a new variant of 7ev3n has implemented a few changes.

A security researcher named Mosh has discovered  a new variant of the 7ev3n Ransomware, which has rebranded itself as 7ev3n-HONE$T. This ransomware will encrypt your data and then ransom your files for approximately $400 USD in bitcoins.”


There is still very little known about the new variant. For instance, while Mosh has confirmed 7ev3n-HONE$T relies on the same encryption process as that of its predecessor, it is unclear how the ransomware is distributed and whether it still installs several damaging files onto a victim’s computer.

Neither is there mention made of why the new variant asks for a ransom fee of only one Bitcoin (approximately US $400).

Perhaps the original ransom fee of 13 Bitcoins was simply too high and did not net the malware authors as much money as they were expecting. Alternatively, perhaps the ransomware’s source code was leaked online, which prompted a less ambitious computer criminal to seize upon it and use it for their own gain.

At any event, the ransomware still poses a danger to victims, for there is no way to decrypt 7ev3n-HONE$T without paying the ransom.

Until more is known about this new variant, users are urged to follow the usual ransomware prevention tips: do not click on suspicious links or email attachments, keep an updated anti-virus solution installed on their computer at all times, and implement software patches as soon as possible.

Tags: ,

   Join thousands of others and sign up to our free "GCHQ" newsletter.

Smashing Security podcast
Check out "Smashing Security", the award-winning weekly audio podcast, with Graham Cluley, Carole Theriault, and special guests from the world of information security.

"It's brilliant!" • "Three people having fun in an industry often focused on bad news" • Winner of the Best Security Podcast 2018

Latest episodes:
Listen on Apple Podcasts Listen on Google Podcasts


No comments yet.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.