
ATLAS Ransomware

By GoldSparrow in Ransomware

The ATLAS Ransomware is a ransomware Trojan that seems to be a variant of the CHIP ransomware, which was first observed in November 2016. The ATLAS Ransomware receives its name because it marks the files it encrypts with the file extension '.ATLAS.' The ATLAS Ransomware was first observed on April 18, 2017, and seems to be distributed in a way typical of many ransomware Trojans: spam email messages delivering corrupted attachments, in the form of text documents that use corrupted scripts to download and install the ATLAS Ransomware on the victim's computer. Ransomware Trojans like the ATLAS Ransomware are designed to take the victim's files hostage in exchange for a ransom payment. They do this by using a strong encryption algorithm to make the files completely inaccessible, then demanding a ransom payment through a ransom note displayed on the infected computer.

How the ATLAS Ransomware Infection Works

The ATLAS Ransomware may be delivered through spam email messages. Once the ATLAS Ransomware enters a computer, it checks whether it is running in a virtual environment or under a debugger, both of which PC security researchers use to study these threats. The ATLAS Ransomware then scans the victim's files, searching for certain types of files (generally user generated) to encrypt in its attack. The ATLAS Ransomware uses a combination of RSA and AES encryption to make the victim's files completely inaccessible, in a way similar to most ransomware Trojans active today. The ATLAS Ransomware communicates with its Command and Control servers located on the TOR network, relaying information about the infected computer and the attack itself, as well as receiving configuration information. The ATLAS Ransomware will encrypt numerous file types, including the following:

.pdf, .xls, .xlsx, .bmp, .doc, .docm, .docx, .html, .jpeg, .jpg, .mp3, .mp4, .php, .ppt, .pptx, .rar, .rtf, .sql, .tiff, .txt, .7z, .zip.

Files that have been encrypted by the ATLAS Ransomware can be recognized because the ATLAS Ransomware adds the file extension '.ATLAS' to the end of each affected file's name. The ATLAS Ransomware will also delete the Shadow Volume Copies and System Restore points, both of which can sometimes be used by computer users to recover from these attacks. The ATLAS Ransomware delivers its ransom note in a text file named 'ATLAS_FILES.txt.' The text of the ransom note used by the ATLAS Ransomware in its attack reads:

'YOUR ID:[34 RANDOM CHARACTERS]
Hello! All Your files are encrypted!
For more specific instructions, please contact us as soon as possible:
atlashelp@protonmail.com
atlasfix@protonmail.com
atlasfix@dr.com
Attention: DO NOT USE ANY PUBLIC DECRYPTERS!
YOU CAN DAMAGE YOUR FILES!
Kind regards, Support Team.
YOUR ID:[34 RANDOM CHARACTERS]'
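The indicators described above (the '.ATLAS' extension, the 'ATLAS_FILES.txt' note and the 34-character ID inside it) can be collected from a disk or a mounted image during incident triage. The following Python script is an added example, not part of the original article or of any vendor tool; the function names, the constructed sample tree and the assumption that the ID contains no whitespace are ours.

```python
import os
import re
import tempfile
from pathlib import Path

ENCRYPTED_EXT = ".ATLAS"       # extension appended to encrypted files (from the article)
NOTE_NAME = "ATLAS_FILES.txt"  # ransom note file name (from the article)
# Assumption: the 34-character ID contains no whitespace.
ID_RE = re.compile(r"YOUR ID:\s*(\S{34})(?!\S)")


def triage(root):
    """Walk root and collect the ATLAS indicators described in the article."""
    report = {"encrypted": [], "notes": [], "victim_ids": set(), "by_type": {}}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            # Names are compared case-insensitively (a choice made in this example).
            if name.lower() == NOTE_NAME.lower():
                report["notes"].append(str(path))
                text = path.read_text(errors="replace")
                report["victim_ids"].update(ID_RE.findall(text))
            elif name.lower().endswith(ENCRYPTED_EXT.lower()):
                report["encrypted"].append(str(path))
                # The original type is the suffix left after stripping '.ATLAS'.
                original = Path(name[: -len(ENCRYPTED_EXT)]).suffix.lower() or "(none)"
                report["by_type"][original] = report["by_type"].get(original, 0) + 1
    return report


def build_sample_tree(root):
    """Constructed sample data: harmless placeholder files, no real malware."""
    sample_id = "A" * 34  # constructed placeholder ID
    docs = Path(root) / "Documents"
    docs.mkdir()
    for name in ("budget.xlsx.ATLAS", "thesis.docx.ATLAS", "scan.pdf.ATLAS", "notes.txt"):
        (docs / name).write_bytes(b"placeholder")
    note = f"YOUR ID:{sample_id}\nHello! All Your files are encrypted!\nYOUR ID:{sample_id}\n"
    (docs / NOTE_NAME).write_text(note)
    return sample_id


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        result = triage(tmp)
        print(len(result["encrypted"]), "encrypted files; types:", result["by_type"])
        print("notes:", result["notes"], "IDs:", result["victim_ids"])
```

The per-type counts show which backups need to be restored, and the extracted ID belongs in the incident record.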

Dealing with an ATLAS Ransomware Infection

Victims of the ATLAS Ransomware attack are asked to contact the con artists using the email addresses in the ATLAS Ransomware ransom note. They will demand the payment of 0.5 Bitcoin (approximately $600 USD) in exchange for the decryption tool. However, paying the ransom amount may not be a solution. The people responsible for these attacks will rarely follow through on their promise of decrypting the victims' files, and may even ask for more money or re-encrypt the victim's files after the attack. Most importantly, paying the ATLAS Ransomware ransom allows these people to continue developing these ransomware Trojans and carrying out more attacks.

The best way to deal with these attacks is to remove the ATLAS Ransomware infection with a security program and then to replace the affected files with backup copies. Because of this, having file backups is the best protection against the ATLAS Ransomware and most other ransomware Trojans. If computer users can get back their files from the backup source, then the con artists can no longer demand a ransom payment from the victim. It is also important to learn how to spot email tactics and corrupted email attachments, since these are such a common way of spreading the ATLAS Ransomware and similar ransomware to computer users.
