
Ash Ransomware

Computers infected with the Ash Ransomware will have their data encrypted. The threat uses a strong cryptographic algorithm to lock its victims' files, including documents, PDFs, archives, databases and images, among many other file types. The affected files become inaccessible, and restoration without the proper decryption keys is usually impossible. The attackers then use the locked data to extort money from their victims. Infosec researchers have confirmed that the Ash Ransomware is a variant of a previously detected threat known as the Dcrtr Ransomware. Another dangerous variant belonging to the same family is the Flash Ransomware.

Victims of the Ash Ransomware will also notice that the original names of their files have been drastically modified. The threat appends the 'ashtray@outlookpro.net' email address followed by '.ash' to the files it locks. Two ransom notes will be dropped on the breached devices: one is delivered as a text file named 'ReadMe_Decryptor.txt,' while the other is shown as a pop-up generated from a file named 'Decryptor.hta.'

The instructions found inside the text file state that victims must reach out to the cybercriminals by messaging 'ashtray@outlookpro.net.' One file can be attached to the message to be decrypted for free as a demonstration of the attackers' ability to restore the encrypted data. The chosen file must be less than 500 KB in size. The main ransom note is the one shown in the pop-up window. There, the attackers provide additional communication channels, such as the 'servicemanager@yahooweb.co' and 'servicemanager2020@protonmail.com' email addresses and a Jabber account.

The full set of instructions is:

'Warning!
To recover data, write here:
1) servicemanager@yahooweb.co
2) servicemanager2020@protonmail.com (if you are Russian, then you need to register on the site www.protonmail.com through the TOR browser hxxps://www.torproject.org/ru/download/ , since the proton is prohibited in your country)
3) Jabber client - servicemanager@jabb.im (registration can be done on the website - www.xmpp.jp. web client is located on the site - hxxps://web.xabber.com/)

Do not modify files - this will damage them.
Test decryption - 1 file < 500 Kb.'

The ransom note in the text file is:

'To recover data, write here:
ashtray@outlookpro.net

Do not modify files - this will damage them.
Test decryption - 1 file < 500 Kb.'
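The renaming pattern and the two ransom-note file names described above are the indicators a responder can act on first. The following triage script is an added example written for this page, not code from the ransomware or from any vendor tool. It flags files whose names end with the 'ashtray@outlookpro.net' address followed by '.ash', recovers the original file name, flags the 'ReadMe_Decryptor.txt' and 'Decryptor.hta' drops, and offers a Shannon-entropy check to tell genuinely encrypted content from a file that was merely renamed. The page does not state which separator (if any) sits between the original name and the email address, so the regex tolerates '.', '_', '-', whitespace and square brackets as an assumption; the sample paths are constructed for the demonstration.

```python
import math
import os
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Indicators taken from the write-up above.
ASH_EMAIL = "ashtray@outlookpro.net"
ASH_EXT = ".ash"
RANSOM_NOTES = {"readme_decryptor.txt", "decryptor.hta"}

# ASSUMPTION: the exact separator between the original name and the
# appended address is not documented on the page, so the pattern accepts
# the usual variants ('.', '_', '-', spaces, '[...]').
_ASH_NAME_RE = re.compile(
    r"^(?P<original>.+?)[._\[\s-]*\[?"
    + re.escape(ASH_EMAIL)
    + r"\]?"
    + re.escape(ASH_EXT)
    + r"$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class AshHit:
    path: str
    kind: str                      # "encrypted_file" or "ransom_note"
    original_name: Optional[str]   # recovered name for encrypted files, else None


def _basename(path: str) -> str:
    # Split on both separators so Windows paths triage correctly on any host.
    return re.split(r"[\\/]", path)[-1]


def classify_name(path: str) -> Optional[AshHit]:
    """Return an AshHit if the file name matches an Ash indicator, else None."""
    name = _basename(path)
    if name.lower() in RANSOM_NOTES:
        return AshHit(path, "ransom_note", None)
    m = _ASH_NAME_RE.match(name)
    if m:
        return AshHit(path, "encrypted_file", m.group("original"))
    return None


def triage(paths: Iterable[str]) -> List[AshHit]:
    """Apply classify_name over a list of paths (e.g. from a file listing)."""
    return [hit for hit in (classify_name(p) for p in paths) if hit is not None]


def scan_tree(root: str) -> List[AshHit]:
    """Walk a directory tree on a live or mounted image and triage every file."""
    paths = (os.path.join(d, f) for d, _, files in os.walk(root) for f in files)
    return triage(paths)


def summarize(hits: Iterable[AshHit]) -> Dict[str, int]:
    """Count hits per kind so a responder sees scope at a glance."""
    return dict(Counter(h.kind for h in hits))


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; properly encrypted content sits close to 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(data: bytes, threshold: float = 7.5) -> bool:
    """A renamed-but-plaintext file will fall well below the threshold."""
    return shannon_entropy(data) >= threshold


# Constructed sample listing for the demonstration (not real victim data).
SAMPLE_PATHS = [
    r"C:\Users\alice\Documents\budget.xlsx.ashtray@outlookpro.net.ash",
    r"C:\Users\alice\Documents\ReadMe_Decryptor.txt",
    r"C:\Users\alice\Desktop\Decryptor.hta",
    r"C:\Users\alice\Pictures\holiday.jpg",
    r"C:\Data\backup.zip[ashtray@outlookpro.net].ash",
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_PATHS):
        print(f"{hit.kind:15} {hit.original_name or '-':20} {hit.path}")
    print(summarize(triage(SAMPLE_PATHS)))
```

Run `scan_tree()` against a mounted image rather than the live system where possible, and treat the recovered original names as a scoping aid only; the page notes that files cannot be restored without the attackers' keys, so the encrypted copies should be preserved unmodified for a possible future decryptor.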
