A new variant of the HC7 Ransomware is in the wild that encrypts a victim’s files and appends the .PLANETARY extension to the filename. What makes this particular ransomware variant unique is that it may be the first one that accepts Ethereum as a ransom payment.

HC7 Planetary Ransomware Ransom Note

Almost all ransomware utilize Bitcoin for the ransom payment, with a few requesting Monero.  Now that Ethereum is currently selling for over $1,200 per coin and rising in price and popularity, it’s not surprising that we see criminals accepting it as a payment.

While a cryptocurrency like Monero, or even Verge, makes more sense due to their greater privacy and being less traceable, Ethereum’s smart contract feature could make ransomware payment processing more efficient.  Using Ethereum’s smart contracts, a criminal could make a “honest ransomware“, where a victim guarantees payment if the developer actually decrypts the victim’s files.

While no ransomware currently uses Ethereum smart contracts for payments and most likely will not due to its complexity, that is really the only good reason to use Ethereum over other cryptocurrencies. In the future, I would expect developers to move away from Bitcoin and start moving more towards Monero and XVG due to them being “privacy” related coins.

What we know about the HC7 Planetary Ransomware

As for the HC7 Planetary variant, we do not know much more than it is currently being distributed via the developer hacking into networks using remote desktop. Once they gain access to the network they will manually install the ransomware on all machines they can…