
Ahegao Ransomware

By GoldSparrow in Ransomware

Threat Scorecard

Threat Level: 100 % (High)
Infected Computers: 18
First Seen: January 19, 2011
Last Seen: February 2, 2021
OS(es) Affected: Windows

The Ahegao Ransomware is a newly detected data-locking Trojan. An increasing number of cybercriminals are taking advantage of ransomware building kits, which allow even inexperienced ill-minded actors to create and distribute their own file-encrypting Trojans.

Propagation and Encryption

Cybercriminals who distribute ransomware threats tend to use various infection vectors. Some of the commonly used propagation methods include:

  • Bogus application downloads.
  • Bogus application updates.
  • Illicit activation tools for popular software suites.
  • Torrent trackers.
  • Unsafe advertisement operations.

Undoubtedly one of the most popular distribution techniques is spam email. The emails in question contain a fraudulent message and a link meant to trick users into downloading a corrupted file. Another iteration of this propagation method is emails carrying macro-laced attachments that appear to be harmless files at first glance. The Ahegao Ransomware is likely to encrypt all the files on your system, as most ransomware threats are designed to lock as many file types as possible. This means that once the Ahegao Ransomware finds its way into your computer, it will encrypt your audio files, images, documents, videos, spreadsheets, databases, archives, etc. Upon locking your data, the Ahegao Ransomware appends a new extension to all the affected files – ‘.ahegao.’ This means that if you had a file named ‘large-mug.png,’ the Ahegao Ransomware will rename it to ‘large-mug.png.ahegao’ when it is done encrypting it.
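The rename pattern described above (original name plus ‘.ahegao’) is also what a defender can look for: a burst of such renames in a short window is the behavioural signature of the encryption run. The following is an added example, not code from this page or its author; it parses a constructed file-activity log (the log format, paths and timestamps are assumptions) and flags a burst of ‘.ahegao’ renames.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log (not from the page): "timestamp action path [-> newpath]".
# The first four renames mimic an encryption run; the last is a benign rename.
SAMPLE_LOG = """\
2021-02-02T10:00:01 RENAME C:\\Users\\alice\\Pictures\\large-mug.png -> C:\\Users\\alice\\Pictures\\large-mug.png.ahegao
2021-02-02T10:00:01 RENAME C:\\Users\\alice\\Documents\\q1.xlsx -> C:\\Users\\alice\\Documents\\q1.xlsx.ahegao
2021-02-02T10:00:02 RENAME C:\\Users\\alice\\Documents\\notes.docx -> C:\\Users\\alice\\Documents\\notes.docx.ahegao
2021-02-02T10:00:02 WRITE  C:\\Users\\alice\\Desktop\\report.pdf
2021-02-02T10:00:03 RENAME C:\\Users\\alice\\Videos\\trip.mp4 -> C:\\Users\\alice\\Videos\\trip.mp4.ahegao
2021-02-02T12:30:00 RENAME C:\\Users\\alice\\Desktop\\draft.txt -> C:\\Users\\alice\\Desktop\\final.txt
"""

RANSOM_EXT = ".ahegao"  # extension the page reports being appended
LINE_RE = re.compile(r"^(\S+)\s+(\w+)\s+(.+?)(?:\s+->\s+(.+))?$")


def parse_log(text):
    """Return (timestamp, action, src, dst) tuples; dst is None for non-renames."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the scan
        ts, action, src, dst = m.groups()
        events.append((datetime.fromisoformat(ts), action, src, dst))
    return events


def ahegao_renames(events):
    """Renames whose new name is exactly the old name plus the .ahegao extension."""
    return [e for e in events
            if e[1] == "RENAME" and e[3] is not None
            and e[3].lower() == e[2].lower() + RANSOM_EXT]


def detect_burst(events, window=timedelta(seconds=60), threshold=3):
    """Flag a burst: at least `threshold` .ahegao renames inside one sliding window.
    Returns (first_ts, last_ts) of the first burst found, or None."""
    hits = sorted(ahegao_renames(events), key=lambda e: e[0])
    for i in range(len(hits)):
        j = i
        while j + 1 < len(hits) and hits[j + 1][0] - hits[i][0] <= window:
            j += 1
        if j - i + 1 >= threshold:
            return hits[i][0], hits[j][0]
    return None
```

On the sample log, the four renames between 10:00:01 and 10:00:03 trip the default threshold, while the lone benign rename at 12:30 does not.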

The Ransom Note

Just like most ransomware threats, when the Ahegao Ransomware has completed the encryption process, it proceeds with the attack by displaying the attackers’ message. The ransom note of the Ahegao Ransomware comes in the shape of a pop-up window called ‘Encrypted v2.40.’ The window has a red background, flashing yellow text stating ‘YOUR FILES HAVE BEEN ENCRYPTED!,’ and an image of an anime girl on the left. The users have only 72 hours to meet the attackers’ demand, or the decryption key they need to recover their data will be deleted. The authors of the Ahegao Ransomware demand to be paid $50 in Bitcoin as a ransom fee. After processing the payment, the victim is required to contact the attackers via email – ‘l33tsupp0rt1337@protonmail.com.’

The ransom note claims that AES-256 encryption is employed to encrypt data. Files can only be decrypted using a unique decryption tool, which victims must purchase from the malware developers. The decryption key sells for $50 in Bitcoin. The ransom is to be paid by making a cryptocurrency transfer to the indicated Bitcoin wallet.

Image: Ahegao Ransom Note

The text of the ransom note reads:
Encrypted
YOU FILES HAVE BEEN ENCRYPTED !
Oh no. The important files on your computer have been encrypted with military grade AES-256 bit encryption.
Your documents, videos, images and other forms of data are now inaccessible, and cannot be unlocked without the decryption key. This key is currently hidden.
To acquire this key, please transfer the Bitcoin Fee to the specified wallet/bitcoin address before the time runs out.
Bitcoin fee: 50 USD
Bitcoin address: 3F3XAJE1j52bM9tWZ3zFBofbAHkHwTxnFQ
If you fail to take action within this time window, the decryption key will be destroyed and access to your files will be permanently lost.
You can buy and transfer Bitcoin (a digital currency) on the following websites: localbitcoins.com, coinbase.com, paxful.com and many more. All you have to do is buy the specified amount of Bitcoin and send/transfer them to the specified address/wallet.
After you have done the transaction OR if you have any questions, please contact l33tsupp0rt1337@protonmail.com. We will be glad to answer your questions or to provide the decryption key to unlock your files (please include your Bitcoin address).
Additionally we offer you to decrypt the files for free by solving a challenge. You need to have a little knowledge about computers:
-
TIME REMAINING 71 : 52 : 05
WALLET ADDRESS: 3F3XAJE1j52bM9tWZ3zFBofbAHkHwTxnFQ
BITCOIN FEE: 0.0047
View Encrypted Files
Enter Decryption Key

Victims are pressured into buying the decryption key within 72 hours, as the note threatens that the key will be deleted once that window expires, making it impossible to recover the encrypted files. Victims are told to contact the developers over email at l33tsupp0rt1337@protonmail.com and quote their Bitcoin address. The developers promise to send the decryption key as soon as they receive the email and verify the payment.

Please note there have been many cases where people make the payment but don't get the decryption key they need. These users are scammed out of their money. You should never trust a ransomware developer.

Unfortunately, there are no free tools available to decrypt files locked by the Ahegao Ransomware right now. The only way to safely retrieve lost files is to restore them from a backup. Make sure that you remove the ransomware from your computer first, however, so it cannot encrypt the restored files. Note that removal alone does not decrypt anything: files remain encrypted even after the ransomware is gone.

How Does Ahegao Ransomware Get on Computers?

Ransomware, like other kinds of malware, spreads through spam campaigns, Trojans, fake software updates, illegal activation tools (cracks), and malicious downloads. Trojans are malicious programs disguised as legitimate software; once running, they can download and install additional malware, causing chain infections. Spam campaigns involve sending out thousands of malicious emails in the hope that a small percentage of recipients interact with them. These emails carry infected attachments, such as macro-laced Word documents and executable files. Cracking tools are used to activate illegally downloaded software, but they are known to install malware too. Attackers also exploit flaws in outdated software and create fake updates that install malware rather than updating the software as promised.

How to Protect Yourself Against Ahegao Ransomware

The first step towards protecting yourself against ransomware like this is not to open suspicious and unsolicited emails. You should also only use official download sites or trusted third-party websites. Avoid peer-to-peer sharing networks and illegal downloads. Not only is it illegal to download and crack pirated software, but you also run the risk of infecting your computer. Last but not least, you owe it to your computer – and yourself – to invest in reliable antivirus protection. Accidents happen, and being careful can only get you so far. You need something that can help if an infection gets through despite your best efforts.
