Danger level 7
Type: Adware
Common infection symptoms:
  • Slow Computer
  • System crashes
  • Connects to the internet without permission
  • Installs itself without permissions
  • Can't be uninstalled via Control Panel

TrumpHead Ransomware

Cyber attackers are building a new file-encrypting threat called TrumpHead Ransomware. The name is random and has nothing to do with Trump or politics in general. That is not surprising, considering the infection was built from the publicly available Hidden Tear code; other threats built from the same code carry names that are just as random, including BSS Ransomware, SnowPicnic Ransomware, and ShutUpAndDance Ransomware. Like most threats from this family, the one discussed in this report does not appear to be finished yet. Whether it will ever be finished is unknown, but our research team has analyzed the infection’s code, and we know for a fact that it has the ability to encrypt files. If you need to remove TrumpHead Ransomware from your operating system now, you will find the information you need below, along with advice on securing your operating system against this potentially dangerous threat.

According to our malware experts, TrumpHead Ransomware appears to be almost complete. It can communicate with a C&C server (6bbsjnrzv2uvp7bp.onion.pet/signup.php?) over the Tor network, and it can look up the machine’s public IP address via icanhazip.com. The infection can also download a BMP file (“[download date].bmp”) to replace the Desktop wallpaper. Of course, that is not the worst it can do. If the threat successfully connects to the remote server and obtains an encryption key, it can encrypt various personal files. Our researchers list these file types as the main targets of TrumpHead Ransomware: .asp, .aspx, .csv, .dat, .doc, .docx, .gif, .html, .img, .jpg, .jpeg, .mdb, .mp3, .odt, .pdf, .php, .png, .ppt, .pptx, .psd, .sln, .sql, .txt, .xls, .xlsx, .xml, and .zip. Every targeted file would be encrypted with an algorithm that cannot be reversed without the key. As mentioned already, at the time of research the infection was not complete and was not encrypting files at all, but that does not mean the threat will stay that way.

If the threat is executed and encrypts files successfully, it should also be able to delete shadow volume copies and create a copy of itself in the %TEMP% directory; that copy is supposed to remove itself after encryption. At that point the Desktop wallpaper would change and a file named “READ_THIS.txt” would be created. The message in this file informs the victims of TrumpHead Ransomware that they need to transfer 0.8 Bitcoin (around 2,900 US Dollars at the time of analysis) to the cyber criminals’ Bitcoin wallet. According to our research team, any one of many wallets can be used, and you can see the full list below. The message also instructs the victim to pay the ransom within 48 hours and to contact wegotyoudata@protonmail.com with questions. To pressure the victim into acting fast, the message includes this warning: “Be sure NOT to rename or delete your files, shutdown your computer or contact the law, otherwise it's gone forever!” Do not believe any of this, and do not pay the ransom, because your files will not be decrypted. Instead, focus on deleting TrumpHead Ransomware.
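The behaviours described above (the icanhazip.com lookup, the .onion.pet C&C contact, the %TEMP% copy, the wallpaper BMP, the shadow copy deletion and the READ_THIS.txt note) can be correlated per process by a host-based detector. The following is an added example, not code from the original report: it runs simple rules over constructed, Sysmon-like event records. The event format, the process IDs and the use of vssadmin for shadow copy deletion are assumptions made for illustration.

```python
# Added example: correlate the TrumpHead Ransomware behaviours described in the
# report across constructed, Sysmon-like events. Event field names are assumed.
import re
from collections import defaultdict

# One rule per behaviour: (event type, field to inspect, regex on that field).
RULES = {
    "ip_check":      ("network", "dest_host", re.compile(r"(^|\.)icanhazip\.com$", re.I)),
    "tor_c2":        ("network", "dest_host", re.compile(r"6bbsjnrzv2uvp7bp\.onion", re.I)),
    "ransom_note":   ("file",    "path",      re.compile(r"\\READ_THIS\.txt$", re.I)),
    "wallpaper_bmp": ("file",    "path",      re.compile(r"\\Pictures\\Backgrounds\\[^\\]+\.bmp$", re.I)),
    # %TEMP% normally resolves to AppData\Local\Temp (assumption about the host).
    "temp_copy":     ("file",    "path",      re.compile(r"\\AppData\\Local\\Temp\\[^\\]+\.exe$", re.I)),
    # The report says shadow copies are deleted; vssadmin is the usual tool (assumption).
    "shadow_delete": ("process", "cmdline",   re.compile(r"vssadmin.*delete\s+shadows", re.I)),
}

def correlate(events, threshold=3):
    """Return {pid: sorted behaviour labels} for processes that hit >= threshold rules.

    A single hit (e.g. a browser checking its public IP) is not enough to flag a
    process; the ransomware chain trips several rules from the same pid.
    """
    hits = defaultdict(set)
    for ev in events:
        for label, (etype, field, pattern) in RULES.items():
            if ev.get("type") == etype and pattern.search(ev.get(field, "")):
                hits[ev["pid"]].add(label)
    return {pid: sorted(labels) for pid, labels in hits.items() if len(labels) >= threshold}

# Constructed sample events: pid 4242 mimics the behaviour chain from the report,
# pid 900 is a benign browser that only looks up its public IP.
SAMPLE_EVENTS = [
    {"type": "network", "pid": 4242, "dest_host": "icanhazip.com"},
    {"type": "network", "pid": 4242, "dest_host": "6bbsjnrzv2uvp7bp.onion.pet"},
    {"type": "file",    "pid": 4242, "path": r"C:\Users\alice\AppData\Local\Temp\svc.exe"},
    {"type": "file",    "pid": 4242, "path": r"C:\Users\alice\Pictures\Backgrounds\20181104.bmp"},
    {"type": "process", "pid": 4242, "cmdline": "vssadmin delete shadows /all /quiet"},
    {"type": "file",    "pid": 4242, "path": r"C:\Users\alice\Documents\READ_THIS.txt"},
    {"type": "network", "pid": 900,  "dest_host": "icanhazip.com"},
    {"type": "file",    "pid": 900,  "path": r"C:\Users\alice\Downloads\report.pdf"},
]

if __name__ == "__main__":
    for pid, labels in correlate(SAMPLE_EVENTS).items():
        print(f"pid {pid}: suspicious ({', '.join(labels)})")
```

Lowering the threshold to 1 turns the detector into a plain indicator match, which is useful for hunting but would flag the benign IP lookup as well.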

The list of Bitcoin wallets linked to TrumpHead Ransomware:

You might be able to delete TrumpHead Ransomware manually if you know where the threat’s executable is. Afterward, check for the copy in %TEMP% and remove the files created by the infection. Although the process seems straightforward, identifying the launcher can be tough, which is why we strongly recommend using an anti-malware program. It can automatically find and remove TrumpHead Ransomware, as well as any other threats that might exist, strengthen your operating system’s security, and, most importantly, defend you against all kinds of malicious threats in the future. Of course, you might be more concerned with your personal files at this moment. If they are not backed up outside your computer, you cannot recover them. From now on, make sure you back up important files so they are protected at all times.

TrumpHead Ransomware Removal

  1. Find the [unknown name].exe file that launched the threat and delete it.
  2. Delete the ransom note file called READ_THIS.txt (copies of this file might exist in many folders).
  3. Launch Explorer (tap Win+E) and enter %TEMP% into the address field at the top.
  4. Delete the copy of the [unknown name].exe file if it has not deleted itself already.
  5. Enter %USERPROFILE%\Pictures\Backgrounds\ into the address field at the top.
  6. Delete the [download date].bmp file.
  7. Exit Explorer and then empty the Recycle Bin.
  8. Install and run a trustworthy malware scanner to check for malware remains (delete any that are found).
  9. Restore your preferred Desktop wallpaper.