ATLAS Ransomware

ATLAS Ransomware Description

The ATLAS Ransomware is a file encryption Trojan that appears to be a modified and improved version of the CHIP Ransomware that emerged in November 2016. The ATLAS Ransomware is named after the tag attached to the encrypted files, which is '.ATLAS.' Reports of the threat surfaced on April 18th, and analysis of the Trojan confirmed that it is derived from the CHIP Ransomware. The payload is delivered to users the same way as with many other crypto-Trojans: spam emails carrying a macro-enabled document. The corrupted text document features an embedded script that directs the Windows OS to connect to a remote host, download an obfuscated file, unpack it and run the executable inside.

How the ATLAS Ransomware Compares to Other Crypto-Threats

When the ATLAS Ransomware is loaded into the memory of the computer, it may check whether the system is running a debugger, a tool that cyber security experts use to analyze Trojans like the Malabu Ransomware and the MOLE Ransomware. The authors of the ATLAS Ransomware designed their product to hinder detection and debugging, which increases the time it takes to build a virus signature and block the Trojan from computers. The ATLAS Ransomware is classified as a mid-tier encryption Trojan that functions a lot like the 'Recuperadados@protonmail.com' Ransomware. Both threats use the RSA and AES ciphers to lock data on the compromised machine, both are configured to work with 'Command and Control' servers hosted on the TOR Network, and in both cases infected users are told to write an email to the ransomware operators, who have an account on the privacy-centric ProtonMail platform. That way the crooks can remain anonymous and slow down the investigation of cases that involve their program. The threat at hand is proven to encipher files with the following extensions:

.pdf, .xls, .xlsx, .bmp, .doc, .docm, .docx, .html, .jpeg, .jpg, .mp3, .mp4, .php, .ppt, .pptx, .rar, .rtf, .sql, .tiff, .txt, .7z, .zip

You can recognize the affected files by their generic white icon and the '.ATLAS' extension appended after the original extension. For example, 'Fantail birds.pptx' is renamed to 'Fantail birds.pptx.ATLAS.' Unfortunately, the ATLAS Ransomware includes a procedure to erase the Shadow Volume Copies and System Restore points made by Windows. The ransom notification is presented as a file named 'ATLAS_FILES.txt', which you may find in the Temp directory. The announcement reads:

'YOUR ID:[34 RANDOM CHARACTERS]
Hello! All Your files are encrypted!
For more specific instructions, please contact us as soon as possible:
atlashelp@protonmail.com
atlasfix@protonmail.com
atlasfix@dr.com
Attention: DO NOT USE ANY PUBLIC DECRYPTERS!
YOU CAN DAMAGE YOUR FILES!
Kind regards, Support Team.
YOUR ID:[34 RANDOM CHARACTERS]'
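
The indicators described above (the targeted extension list, the appended '.ATLAS' extension and the 'ATLAS_FILES.txt' note with its ID line) can be turned into an inventory of affected files for restore planning. The following Python is an added example, not code from the original article; the function names are hypothetical, and it assumes the 34-character ID contains no whitespace.

```python
import os
import re
from collections import Counter

# Extensions the article lists as targeted by the ATLAS Ransomware.
TARGETED = {".pdf", ".xls", ".xlsx", ".bmp", ".doc", ".docm", ".docx", ".html",
            ".jpeg", ".jpg", ".mp3", ".mp4", ".php", ".ppt", ".pptx", ".rar",
            ".rtf", ".sql", ".tiff", ".txt", ".7z", ".zip"}
MARKER = ".atlas"              # tag appended after the original extension
NOTE_NAME = "atlas_files.txt"  # ransom note file name given in the article
# Assumption: the 34 "random characters" of the ID are non-whitespace.
NOTE_ID = re.compile(r"^YOUR ID:\s*(\S{34})\s*$", re.MULTILINE)


def classify(filename):
    """Return ('note', None), ('encrypted', original_ext) or (None, None)."""
    lower = filename.lower()
    if lower == NOTE_NAME:
        return "note", None
    if lower.endswith(MARKER):
        original_ext = os.path.splitext(lower[:-len(MARKER)])[1]
        # Count only files whose original type is on the targeted list;
        # other names ending in .ATLAS may be unrelated to this threat.
        if original_ext in TARGETED:
            return "encrypted", original_ext
    return None, None


def read_victim_ids(path):
    """Extract the distinct 34-character IDs from a ransom note."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        return sorted(set(NOTE_ID.findall(fh.read())))


def triage(root):
    """Walk root and collect encrypted files, ransom notes and victim IDs."""
    report = {"encrypted": [], "notes": [], "ids": set(), "by_type": Counter()}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            kind, ext = classify(name)
            full = os.path.join(dirpath, name)
            if kind == "encrypted":
                report["encrypted"].append(full)
                report["by_type"][ext] += 1
            elif kind == "note":
                report["notes"].append(full)
                report["ids"].update(read_victim_ids(full))
    return report
```

The per-type counts in `by_type` show which kinds of documents need to be restored from backup, and the collected IDs tie each ransom note to an incident record.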

The Decryptor may be Priced at Hundreds of Dollars

The makers of the ATLAS Ransomware may reply to users who write to atlashelp@protonmail.com, atlasfix@protonmail.com, and atlasfix@dr.com, and suggest that a decryption tool can be purchased for 0.5 Bitcoin (612 USD/569 EUR). However, we have no reports that paying is the right decision, and you risk losing your money. It is safer to clean your machine with a credible anti-malware scanner and recover your files using backup images and copies uploaded to cloud-based storage such as Google Drive, Mega, Microsoft's OneDrive and Dropbox.
