
"Demo" Ransomware

By GoldSparrow in Ransomware

Security researchers began discussing the "Demo" Ransomware when they discovered an encryption Trojan programmed to encrypt photos only. The "Demo" Ransomware detection name denotes an encryption Trojan that was most likely still under development at the time of writing. Analysts report that the "Demo" Ransomware was seen on the Dark Web and in spam emails carrying a macro-enabled DOCX file, which serves as a run-of-the-mill Trojan dropper.

Most Security Experts Know How the Story Goes When a Malicious Macro is Executed

The "Demo" Ransomware is installed to a temporary folder on the primary system drive and a scan is initiated. The "Demo" Ransomware scans the computer for data containers in JPG format and adds them to a list that is used for the encryption procedure. We should note that variants of the "Demo" Ransomware are likely to feature expanded features and target many more file formats in the future. Apparently, the "Demo" Ransomware supports a basic functionality that is present in the majority of ransomware such as Cerber and Crysis. The test build of the "Demo" Ransomware can lock files on local drives and removable media attached to the computer while the encryption procedure is running. The data that is encoded by the "Demo" Ransomware can be recognized by the '.encrypted' suffix placed after the default file extensions. For example, 'Asian tiger mosquito.jpg' is transcoded to 'Asian tiger mosquito.jpg.encrypted'.

The Initial Release of the "Demo" Ransomware is Aimed at Users in Germany

The initial release of the "Demo" Ransomware is aimed at users who speak German judging by the ransom notification left on the victim's desktop. We can add the "Demo" Ransomware to the same group of language-specific ransomware the Bundeskriminalamt Ransomware belongs to. The note for the "Demo" Ransomware is packed as 'HELP_YOUR_FILES.txt' and demands payment of 0.5 Bitcoin for the decryption program. The same price was set for the decryption provided with the Taka Ransomware and the R980 Ransomware pushed on the Russian cyber front. The message in 'HELP_YOUR_FILES.txt' reads:

‘Es wurden [number of encrypted objects] Ihrer persönlichen Bild-Dateien mit AES-256 verschlüsselt. Nur wir sind dazu in der Lage Ihre Dateien wiederherzustellen.
Zahlen Sie dazu bitte 0.5 BTC an die unter https://www.criminal-website(dot)ru angegebene Bitcoin-Adresse.
Nach Zahlungseingang erhalten Sie dort ein Programm mit dem Sie Ihre Dateien wiederherstellen können.
Hierzu benötigen Sie folgende Informationen
Key: [331 random characters]
IV: [344 random characters]’

Translated into English:

‘[number of encrypted objects] of your personal image files were encrypted with AES-256. Only we are able to restore your files.
Please pay 0.5 BTC to the bitcoin address given at https://www.criminal-website(dot)ru.
After payment, you receive a program with which you can restore your files.
You need the following information
Key: [331 random characters]
IV: [344 random characters]’
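The two file-system traces this entry gives a responder to work with are the '.encrypted' suffix appended to JPG files (previous section) and the 'HELP_YOUR_FILES.txt' note. The script below is an added triage example, not code from this threat database entry or from the malware; it walks a directory tree, lists marked files by their original extension, flags extensions other than .jpg/.jpeg (which would point at the broader variant the entry anticipates rather than this test build), and records where ransom notes were dropped. The sample tree it builds in a temporary directory is constructed for the demonstration, and treating .jpeg like .jpg is an assumption.

```python
"""Scope a 'Demo' Ransomware infection from its file-system traces.

Added example (not the malware's or the entry's own code). Reports files
carrying the '.encrypted' suffix, the original extensions behind them, and
every copy of the ransom note, so damage can be scoped before restoring
from backup.
"""
import os
import tempfile
from collections import Counter
from pathlib import Path
from typing import Optional

ENCRYPTED_SUFFIX = ".encrypted"           # suffix named in the entry
RANSOM_NOTE_NAME = "HELP_YOUR_FILES.txt"  # note file named in the entry
TARGETED_EXTENSIONS = {".jpg", ".jpeg"}   # assumption: .jpeg handled like .jpg


def original_name(path: Path) -> Optional[Path]:
    """Return the pre-encryption name, or None if the file is not marked."""
    if path.name.lower().endswith(ENCRYPTED_SUFFIX):
        return path.with_name(path.name[: -len(ENCRYPTED_SUFFIX)])
    return None


def triage(root) -> dict:
    """Walk `root` and summarise encrypted files and ransom notes."""
    encrypted = []
    notes = []
    for dirpath, _dirnames, filenames in os.walk(Path(root)):
        for name in filenames:
            p = Path(dirpath) / name
            if name == RANSOM_NOTE_NAME:
                notes.append(str(p))
                continue
            orig = original_name(p)
            if orig is not None:
                encrypted.append(orig)
    by_ext = Counter(o.suffix.lower() for o in encrypted)
    # Anything outside the JPG set suggests a build with a wider target list.
    unexpected = sorted(ext for ext in by_ext if ext not in TARGETED_EXTENSIONS)
    return {
        "encrypted_count": len(encrypted),
        "by_extension": dict(by_ext),
        "unexpected_extensions": unexpected,
        "ransom_notes": sorted(notes),
        "directories_hit": sorted({str(o.parent) for o in encrypted}),
    }


def build_sample_tree(base: str) -> str:
    """Constructed sample profile: two marked JPGs, one untouched file, one note."""
    pics = Path(base) / "Pictures"
    pics.mkdir(parents=True)
    (pics / "Asian tiger mosquito.jpg.encrypted").write_bytes(b"\x00" * 16)
    (pics / "holiday.JPG.encrypted").write_bytes(b"\x00" * 16)
    (pics / "notes.txt").write_text("untouched")  # not a JPG, left alone
    desktop = Path(base) / "Desktop"
    desktop.mkdir()
    (desktop / RANSOM_NOTE_NAME).write_text("Es wurden ... verschluesselt.")
    return base


def demo_run() -> dict:
    """Build the constructed tree in a temp dir and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return triage(tmp)


if __name__ == "__main__":
    for key, value in demo_run().items():
        print(f"{key}: {value}")
```

Point `triage()` at a mounted image or a user profile; the `directories_hit` list doubles as a restore checklist, and a non-empty `unexpected_extensions` is the cue to look for a newer build than the one described here.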

The "Demo" Ransomware is Still in Development and a Decryptor is not Likely to be Released

Security experts remind users that the "Demo" Ransomware is still in development and that a decryptor is not likely to be released if payment is made to the wallet address listed on criminal-website(dot)ru. Fortunately, your photos can be recovered from backups and archives. Keep in mind that phones powered by iOS, Android and Windows Phone may back up your photos to cloud storage, which you can access easily. That is not the case with the photos you take with a camera, so you need to make sure you have backups in case you encounter a variant of the "Demo" Ransomware. PC users can eliminate the "Demo" Ransomware using an up-to-date anti-malware suite.
