
ATCK Ransomware

Upon investigation, security analysts have determined that the ATCK malware functions as ransomware. Researchers specializing in information security first identified ATCK while examining potential malware threats. Once it infiltrates a system successfully, ATCK proceeds to encrypt numerous files. Additionally, it presents two ransom notes to the victim—a text file named 'info.txt' and a pop-up window containing a similar message.

ATCK modifies the original file names during the file encryption process by appending the victim's unique identifier, email address, and the '.ATCK' extension. For instance, a file named '1.doc' would be altered to '1.doc.id-9ECFA74E.[attackattack@tutamail.com].ATCK,' and similarly, '2.pdf' would become '2.pdf.id-9ECFA74E.[attackattack@tutamail.com].ATCK,' and so on.

Moreover, it has been verified that the ATCK Ransomware belongs to the Dharma malware family, a known group of malicious software.

The ATCK Ransomware Locks Victims' Data and Extorts Them for Money

The ransom note left by ATCK Ransomware begins by informing the victim that all of their files have been encrypted, followed by an assurance that these files can be restored. The note provides the attackers' email address, attackattack@tutamail.com, for communication purposes, along with a specific ID assigned to the victim's case. If no response is received within 12 hours, the note advises using another email address, attackattack@cock.li, for further communication.

In addition to outlining the communication process, the ransom note offers to decrypt up to three files, provided each file is under 3MB in size and does not contain critical data such as databases or backups.

Furthermore, the note includes instructions on how to acquire Bitcoins for payment and warns against renaming encrypted files or attempting decryption with third-party software. Doing so, the note claims, could lead to permanent data loss, an increased ransom price, or falling victim to a scam.

Beyond the ransom instructions, the ATCK Ransomware demonstrates advanced capabilities: it can encrypt both local and network-shared files, disable the firewall, delete the Shadow Volume Copies (a Windows feature used for data recovery), establish persistence mechanisms to maintain access, collect location data, and exclude specific locations from its encryption process. These functionalities enhance the ransomware's impact and make recovery more challenging for affected users.
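The rename scheme described above (original name, victim ID, contact email, '.ATCK' extension) is the most reliable on-disk indicator a responder has, and because the malware also touches network shares it helps to separate local hits from share hits when scoping an incident. The following Python script is an added example and not code from the original article or from any vendor; it parses a constructed file listing with that scheme, pulls out the victim ID and contact address, flags the 'info.txt' ransom note, and distinguishes UNC share paths from local ones. The eight-hex-character ID width and the sample paths are assumptions made for illustration.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# File-name scheme the article describes for ATCK:
#   <original name>.id-<victim ID>.[<email>].ATCK
# The 8-hex-character ID width is an assumption based on the
# example '9ECFA74E' quoted in the article.
ATCK_NAME_RE = re.compile(
    r"^(?P<original>.+)\.id-(?P<victim_id>[0-9A-Fa-f]{8})\.\[(?P<email>[^\]\s]+)\]\.ATCK$"
)

# Ransom note file name given in the article.
RANSOM_NOTE_NAMES = {"info.txt"}


@dataclass
class EncryptedFile:
    path: str
    original_name: str
    victim_id: str
    email: str
    on_network_share: bool


def _basename(path: str) -> str:
    """Last component of a Windows or POSIX path."""
    return path.replace("\\", "/").rstrip("/").rsplit("/", 1)[-1]


def parse_encrypted_name(path: str) -> Optional[EncryptedFile]:
    """Parse the ATCK rename scheme; return None if the name does not match."""
    m = ATCK_NAME_RE.match(_basename(path))
    if not m:
        return None
    return EncryptedFile(
        path=path,
        original_name=m["original"],
        victim_id=m["victim_id"].upper(),
        email=m["email"].lower(),
        # UNC paths (\\server\share or //server/share) point at network shares.
        on_network_share=path.startswith("\\\\") or path.startswith("//"),
    )


def scan_listing(paths: Iterable[str]) -> Tuple[List[EncryptedFile], List[str]]:
    """Split a file listing into ATCK-encrypted files and ransom-note drops."""
    encrypted, notes = [], []
    for p in paths:
        hit = parse_encrypted_name(p)
        if hit is not None:
            encrypted.append(hit)
        elif _basename(p).lower() in RANSOM_NOTE_NAMES:
            notes.append(p)
    return encrypted, notes


def summarise(encrypted: List[EncryptedFile], notes: List[str]) -> Dict[str, object]:
    """Aggregate the indicators an analyst would record for the incident."""
    return {
        "encrypted_files": len(encrypted),
        "network_share_files": sum(1 for e in encrypted if e.on_network_share),
        "victim_ids": sorted({e.victim_id for e in encrypted}),
        "contact_emails": sorted({e.email for e in encrypted}),
        "ransom_notes": list(notes),
    }


# Constructed sample listing (not from a real incident); user and host names are made up.
SAMPLE_LISTING = [
    r"C:\Users\alice\Documents\1.doc.id-9ECFA74E.[attackattack@tutamail.com].ATCK",
    r"C:\Users\alice\Documents\2.pdf.id-9ECFA74E.[attackattack@tutamail.com].ATCK",
    r"C:\Users\alice\Documents\info.txt",
    r"C:\Users\alice\Documents\notes.txt",
    r"C:\Users\alice\Documents\archive.ATCK",  # wrong shape, must not match
    r"\\fileserver\share\report.xlsx.id-9ECFA74E.[attackattack@tutamail.com].ATCK",
]

if __name__ == "__main__":
    enc, notes = scan_listing(SAMPLE_LISTING)
    for e in enc:
        where = "SHARE" if e.on_network_share else "LOCAL"
        print(f"{where} {e.original_name} id={e.victim_id} contact={e.email}")
    print(summarise(enc, notes))
```

Feeding the script a directory walk or a file-server audit export instead of the constructed list gives a quick scope estimate; more than one victim ID in the summary indicates that several hosts wrote to the same share, since the article notes the ID is assigned per victim.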

How to Better Protect Your Data and Devices from Ransomware Threats?

Protecting data and devices from ransomware threats requires a mix of proactive measures and ongoing vigilance. Here are several key steps users can take to enhance their defenses against ransomware:

  • Keep Software Updated: Make sure that all operating systems, software applications, and anti-malware programs are kept up to date by applying the latest security patches and updates. Many ransomware attacks exploit known vulnerabilities that can be mitigated by staying current with software updates.
  • Use Strong Security Software: Install reputable anti-malware software on all devices and keep them updated. This software can help detect and block ransomware threats before they can execute.
  • Enable Firewall Protection: Activate the firewall on your devices to help prevent unauthorized access and block incoming threats from reaching your system.
  • Always Be Cautious with Email Attachments and Links: Be cautious when opening email attachments or clicking on links, particularly from unknown or suspicious senders. Ransomware often spreads through phishing emails containing malicious attachments or links.
  • Back Up Data Regularly: Regularly back up crucial data and files to an external hard drive, cloud storage service, or other secure location that is not directly accessible from your main devices. This way, if your system is compromised by ransomware, you can restore your data without paying the ransom.
  • Use Strong, Unique Passwords: Encourage the use of complex passwords and multi-factor authentication (MFA) for accessing devices and online accounts. This strengthens protection against unauthorized access.
  • Stay Informed: Keep up to date with the latest ransomware trends and attack methods. Understanding how ransomware operates can help users recognize potential threats and take appropriate action to protect their devices and data.

Users who adopt these preventive measures and maintain a proactive security posture can reduce the risk of falling victim to ransomware and limit the impact of any attack on their data and devices.

The main ransom note of the ATCK Ransomware is:

'All your files have been encrypted!
Don't worry, you can return all your files!
If you want to restore them, write to the mail: attackattack@tutamail.com YOUR ID -
If you have not answered by mail within 12 hours, write to us by another mail:attackattack@cock.li
Free decryption as guarantee
Before paying you can send us up to 3 files for free decryption. The total size of files must be less than 3Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.)
How to obtain Bitcoins

Also you can find other places to buy Bitcoins and beginners guide here:
hxxp://www.coindesk.com/information/how-can-i-buy-bitcoins/
Attention!
Do not rename encrypted files.
Do not try to decrypt your data using third party software, it may cause permanent data loss.
Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.'

The message delivered as a text file is:

'all your data has been locked us

You want to return?

write email attackattack@tutamail.com or attackattack@cock.li'
