Wednesday , January 20 2021
Home / News / Tyrant Ransomware Uses Popular VPN Application To Infect Victims In Iran
Tyrant Ransomware Uses Popular VPN Application To Infect Victims In Iran

Tyrant Ransomware Uses Popular VPN Application To Infect Victims In Iran

Infected victims have only 24 hours to pay an amount of 520,000 IRR ($15) or else, all their data will be removed.

After being contacted or infected, the victim has only 24 hours to pay the equivalent of $15. The experts have assumed Tyrant ransomware specifically targets Iran, as the ransom note is in Farsi and uses two local payment processors ( and The Tyrant ransom note also features two email addresses: and Telegram username @Ttyperns.

The strain was first reported last on October 16 by Karsten Hahn, a G Data Security expert. After the report was made by Hahn, the alert was issued by The Iran Computer Emergency Response Team Coordination Center (Iran CERTCC), warning about a campaign of ransomware distribution currently running in Iran. According to the team of experts at Iran CERTCC, the cybercriminals have disguised the Tyrant ransomware as a very popular VPN app called Psiphon.

It has transpired that the person behind this attack might not be aware of the Iran government-linked group of cyber-espionage individuals known as Rocket Kittens. In the summer of 2016, Rocket Kittens traced Telegram IDs to users’ phone number in the summer of 2016.

The first variants of ransomware used by DUMB were a very simplistic XOR encryption and stored the encryption key within the encrypted file itself. One of the reasons DUMB was considered a “joke” ransomware was because the first ransomware version had a fault that made it self-decrypt once the user closed the ransom note window.

The tyrant ransomware belongs to the DUMB family of ransomware, which is based on ransomware code published on GitHub, later forked by other programmers.

Bleeping Computer asked MalwareHunter about the recent Tyrant ransomware attack, to which they jokingly responded, “A joke ransomware, without any protection used in the live attack? Made my day”. In addition, security specialist MalwareHunter is currently performing investigations as to determine if the Tyrant ransomware is decrypt-able in the same manner as former DUMB versions. This is due to the fact that aside from translating the note to Farsi, the Tyrant ransomware seems to have gone through little to no modifications from its other DUMB-based versions.

Initial analysis performed by the Iran CERTCC they appear to have the same opinion as Malware hunter, and have further claimed that this is the first variant of Tyrant ransomware, because despite the encryption operation, most of the time the program does not succeed in encrypting victim’s files, and it is not functional after rebooting the system.

Experts have called to organizations around the globe to heed the alert that was first issued by Iran CERTCC, as Remote Desktop protocol connections with weak credentials have become the main target for cybercriminals to install ransomware and steal important data from individuals and enterprises.

About Ali Raza

Ali Raza is a freelance journalist with extensive experience in marketing and management. He holds a master degree and actively writes about crybersecurity, cryptocurrencies, and technology in general. Raza is the co-founder of, too, a site dedicated to educating people on online privacy and spying.

Check Also

Unblock Facebook at School

Russia to Target Facebook After Attack on Telegram

Following the mass-blocking of millions of IP addresses in the battle against Telegram, Roskomnadzor, the …

Leave a Reply

Your email address will not be published. Required fields are marked *