"Demo" Ransomware
Security researchers began talking about the "Demo" Ransomware when they discovered an encryption Trojan programmed to encode photos only. The "Demo" Ransomware detection name denotes an encryption Trojan that is most likely still under development at the time of writing. Analysts report that the "Demo" Ransomware was seen on the Dark Web and in spam emails loaded with a macro-enabled DOCX file, which serves as a run-of-the-mill Trojan-Dropper.
Most Security Experts Know How the Story Goes When a Malicious Macro is Executed
The "Demo" Ransomware is installed to a temporary folder on the primary system drive and a scan is initiated. The "Demo" Ransomware scans the computer for files in JPG format and adds them to a list that is used for the encryption procedure. We should note that future variants of the "Demo" Ransomware are likely to carry expanded functionality and target many more file formats. Apparently, the "Demo" Ransomware supports the basic functionality present in the majority of ransomware such as Cerber and Crysis. The test build of the "Demo" Ransomware can lock files on local drives and on removable media attached to the computer while the encryption procedure is running. Data encoded by the "Demo" Ransomware can be recognized by the '.encrypted' suffix placed after the default file extension. For example, 'Asian tiger mosquito.jpg' is renamed to 'Asian tiger mosquito.jpg.encrypted'.
The Initial Release of the “Demo” Ransomware is Aimed at Users in Germany
The initial release of the "Demo" Ransomware is aimed at users who speak German judging by the ransom notification left on the victim's desktop. We can add the "Demo" Ransomware to the same group of language-specific ransomware the Bundeskriminalamt Ransomware belongs to. The note for the "Demo" Ransomware is packed as 'HELP_YOUR_FILES.txt' and demands payment of 0.5 Bitcoin for the decryption program. The same price was set for the decryption provided with the Taka Ransomware and the R980 Ransomware pushed on the Russian cyber front. The message in 'HELP_YOUR_FILES.txt' reads:
‘Es wurden [number of encrypted objects] Ihrer persönlichen Bild-Dateien mit AES-256 verschlüsselt. Nur wir sind dazu in der Lage Ihre Dateien wiederherzustellen.
Zahlen Sie dazu bitte 0.5 BTC an die unter https://www.criminal-website(dot)ru angegebene Bitcoin-Adresse.
Nach Zahlungseingang erhalten Sie dort ein Programm mit dem Sie Ihre Dateien wiederherstellen können.
Hierzu benötigen Sie folgende Informationen
Key: [331 random characters]
IV: [344 random characters]’
Translated into English:
‘[number of encrypted objects] of your personal image files were encrypted with AES-256. Only we are able to restore your files.
Please pay 0.5 BTC to the bitcoin address given at https://www.criminal-website(dot)ru.
After payment, you receive a program with which you can restore your files.
You need the following information
Key: [331 random characters]
IV: [344 random characters]’
The "Demo" Ransomware is Still in Development and a Decryptor is not Likely to be Released
Security experts remind users that the "Demo" Ransomware is still in development and a decryptor is not likely to be released even if payment is made to the wallet address listed on criminal-website(dot)ru. Fortunately, your photos can be recovered from backups and archives. Keep in mind that phones running iOS, Android or Windows Phone may back up your photos to cloud storage, which you can access easily. That is not the case with photos taken with a camera, so you need to make sure you have backups in case you encounter a variant of the "Demo" Ransomware. PC users can eliminate the "Demo" Ransomware using an up-to-date anti-malware suite.
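As an added example (not code from the write-up or from any vendor tool), the following script hunts a directory tree for the two traces described above: photos renamed with the '.encrypted' suffix and the 'HELP_YOUR_FILES.txt' note. The JPEG-magic check is an assumption added here so that a file that was merely renamed is not counted as ciphertext; the sample tree it scans is constructed data.

```python
import tempfile
from pathlib import Path

# Indicators from the write-up: '<name>.jpg.encrypted' files and the note.
RANSOM_NOTE = "HELP_YOUR_FILES.txt"
ENCRYPTED_SUFFIX = ".encrypted"
IMAGE_EXTENSIONS = {".jpg", ".jpeg"}
JPEG_MAGIC = b"\xff\xd8\xff"  # every real JPEG starts with these bytes


def looks_encrypted_image(path: Path) -> bool:
    """Name matches '<name>.jpg.encrypted' and the JPEG header is gone.
    Added heuristic: a merely renamed file still starts with FF D8 FF."""
    if path.suffix.lower() != ENCRYPTED_SUFFIX:
        return False
    if Path(path.stem).suffix.lower() not in IMAGE_EXTENSIONS:
        return False
    with path.open("rb") as fh:
        return fh.read(3) != JPEG_MAGIC


def scan_tree(root: str) -> dict:
    """Walk root, collect both indicator types and give a verdict."""
    encrypted, notes = [], []
    for p in Path(root).rglob("*"):
        if p.is_file() and p.name == RANSOM_NOTE:
            notes.append(str(p))
        elif p.is_file() and looks_encrypted_image(p):
            encrypted.append(str(p))
    # Note plus ciphertext is the strong signal; either alone may be a copied
    # sample or an unrelated tool that happens to use the same suffix.
    return {"encrypted_images": sorted(encrypted), "ransom_notes": sorted(notes),
            "likely_infected": bool(encrypted and notes)}


def build_sample_tree() -> str:
    """Constructed sample data (not a real infection) for a dry run."""
    root = Path(tempfile.mkdtemp(prefix="demo_rw_"))
    (root / "Pictures").mkdir()
    (root / "Desktop").mkdir()
    fake_jpeg = JPEG_MAGIC + b"\xe0" + b"\x00" * 60
    # Encrypted photo: header replaced by opaque bytes.
    (root / "Pictures" / "Asian tiger mosquito.jpg.encrypted").write_bytes(b"\x8b\x11\x02" * 20)
    # Intact photo and a renamed-only decoy: neither should be reported.
    (root / "Pictures" / "holiday.jpg").write_bytes(fake_jpeg)
    (root / "Pictures" / "decoy.jpg.encrypted").write_bytes(fake_jpeg)
    (root / "Desktop" / RANSOM_NOTE).write_text("Es wurden 1 Ihrer Bild-Dateien verschluesselt.\n")
    return str(root)
```

Running `scan_tree(build_sample_tree())` reports one encrypted photo and one note and sets `likely_infected` to True; pointing `scan_tree` at a user's real profile directory is the intended use.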