7ev3n – HONE$T Ransomware

  • Earlier this year researchers discovered a new type of ransomware that encrypts a victim’s files and demands an extortionate amount of 13 BTC (Bitcoins), which currently equates to £4153.
  • This has evolved into an improved version called “7ev3n-HONE$T” which is now believed to demand a lower amount of 1 BTC equating to £319.
  • 7ev3n-HONE$T encrypts files and renames them with sequential numbers and the .R5A extension.
  • It will encrypt all photos, media, documents, databases & other personal files.
  • Once it has finished encrypting data, it will connect to a Command & Control (C2) server and upload certain information and statistics.
  • According to the ransom message that is displayed after infection, the victim has 72 hours to pay the demand to a unique Bitcoin address.
  • The word “HONE$T” added to the name of the improved malware strain is thought to be related to the operators providing an option to decrypt up to 5 random files for free.
  • A feature to recover half of the encrypted files for 60% of the full ransom amount is also included.
  • There is currently no way to decrypt files without paying the demand.
  • The delivery method for the 7ev3n-HONE$T ransomware is via spam emails containing malicious attachments. By opening an attachment from an unsolicited source there is a high risk of infection.
  • It has also been distributed over social media and file sharing networks.
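
The renaming behaviour described above gives responders something concrete to look for on a suspect machine or file share. The following is an added example, not code from the original advisory: it walks a folder tree and flags directories holding runs of consecutively numbered .R5A files. It assumes "sequential numbers" means an all-digit file name such as 1.R5A; the function names and the min_run threshold are illustrative.

```python
import os
import re
import tempfile

# Assumption: "sequential numbers" means an all-digit stem, e.g. 1.R5A, 2.R5A.
R5A_NAME = re.compile(r"^(\d+)\.r5a$", re.IGNORECASE)


def longest_run(numbers):
    """Length of the longest run of consecutive integers in `numbers`."""
    present = set(numbers)
    best = 0
    for n in present:
        if n - 1 not in present:  # n is the start of a run
            length = 1
            while n + length in present:
                length += 1
            best = max(best, length)
    return best


def scan_for_r5a(root, min_run=3):
    """Return {directory: (r5a_count, longest_run, total_files)} for suspect dirs."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        nums = [int(m.group(1)) for f in files if (m := R5A_NAME.match(f))]
        if nums and longest_run(nums) >= min_run:
            findings[dirpath] = (len(nums), longest_run(nums), len(files))
    return findings


def build_sample_tree():
    """Constructed sample data: one normal folder, one with renamed files."""
    root = tempfile.mkdtemp(prefix="r5a_demo_")
    layout = {
        "clean": ["report.docx", "photo.jpg", "7.R5A"],
        "hit": ["1.R5A", "2.R5A", "3.R5A", "4.r5a", "notes.txt"],
    }
    for sub, names in layout.items():
        os.makedirs(os.path.join(root, sub))
        for name in names:
            open(os.path.join(root, sub, name), "w").close()
    return root


if __name__ == "__main__":
    for path, (count, run, total) in scan_for_r5a(build_sample_tree()).items():
        print(f"{path}: {count}/{total} files are .R5A, longest run {run}")
```

A single stray .R5A file is not reported; only a run of at least min_run consecutive numbers in one folder is, which keeps the check focused on bulk renaming.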

Preventing Ransomware

  • Make sure you have anti-virus software installed and ensure it is up-to-date and running in real time.
  • Keep browsers, operating systems, Adobe and other applications up-to-date and patched against vulnerabilities.
  • Backups are an ABSOLUTE necessity in protecting your data. Backup files regularly, store the backups on external storage and physically disconnect the storage from the computer and network between backups. Ensure you verify the backups.
  • There are many fake emails with malicious attachments circulating the Internet. If you receive an uninvited email containing an attachment then do not instantly open it unless you are 100% sure of its origin.
  • If macros are not commonly used on the computer, then disabling them will greatly reduce the chance of infection. Alternatively, choose “enable with notifications”, which should prompt you before macros are utilised.
  • Beware of unsolicited emails asking you to click on links.
  • In the unfortunate case of infection, pull the plug on the computer and internet access. Do not pay the ransom as a first response – report to Action Fraud as soon as possible.


The SWRCCU advise not to pay any ransom demands. This is for three reasons:

– You are not guaranteed to get your data decrypted.
– Further extortion demands may follow.
– It encourages further attacks against other victims.



Thanks to the Gloucestershire Police for alerting us to this information.


Action Fraud is the UK’s national fraud and internet crime reporting centre, providing a central point of contact for information about fraud and financially motivated internet crime.

Visit www.actionfraud.police.uk