Exotic Squad Ransomware
Threat Scorecard
Threat Level: 80% (High)
Infected Computers: 33
First Seen: October 13, 2016
Last Seen: March 16, 2023
OS(es) Affected: Windows
The Exotic Squad Ransomware is an encryption Trojan that is written in the Visual Basic programming language. The Exotic Squad Ransomware is a threat that is deployed to users via spam emails loaded with corrupted DOCX and PDF files. The distribution campaign for the Exotic Squad Ransomware might include logos and promotional images from well-known services like PayPal and Amazon to appear benign and lure users into downloading an attached file.
The Exotic Squad Ransomware Requires Users to Run It
However, the main executable for the Exotic Squad Ransomware cannot run unless the user opens the corrupted attachment. If you are suspicious of a file you received via email, scan it with your AV product and upload a sample to Google's VirusTotal platform as a security measure. The Exotic Squad Ransomware targets users running the Windows OS and does not need elevated privileges to operate, which helps it run without the user noticing its activity. AV applications are known to detect the Exotic Squad Ransomware under names like:
- Ransom_EXOTIC.A
- Trojan.Win32.Generic.pak!cobra
- Trojan.win32.skeeyah.a!rfn
- Win32.Trojan.Gen.Eyb
- Win32/Trojan.Ransom.685
- Win32:Malware-gen
Malware researchers report that the executable for the Exotic Squad Ransomware does not carry a valid digital certificate or publisher information. The encryption engine of the Exotic Squad Ransomware is not exotic and functions the same way as the one used by the NCrypt Ransomware. The Exotic Squad Ransomware is programmed to use the AES-256 encryption algorithm to lock the files stored on your drives. Researchers note that the Exotic Squad Ransomware can lock most data containers used to store images, text, videos, spreadsheets, audio and databases. The Exotic Squad Ransomware is known to target the following extensions:
.txt, .exe, .text, .cur, .contact, .ani, .xls, .com, .url, .ppt, .src, .cmd, .tgz, .fon, .pl, .load, .CompositeFont, .png, .exe, .mp3, .mkv, .veg, .mp4, .lnk, .zip, .rar, .7z, .jpg, .sln, .crdownload, .msi, .vb, .vbs, .vbt, .config, .resx, .vbproj, .json, .jpeg, .scss, .css, .html, .hta, .ttc, .ttf, .eot, .camproj, .m4r, .001, .002, .003, .004, .005, .006, .007, .008, .009, .au, .aex, .8be, .8bf, .8bi, .abr, .adf, .apk, .ai, .asd, .bin, .bat, .gif, .3dm, .3g2, .exe, .3gp, .aaf, .accdb, .aep, .aepx, .aet, .ai, .aif, .anv, .as, .as3, .asf, .asp, .asx, .avi, .bay, .bmp, .cdr, .cer, .class, .cpp, .contact, .cr2, .crt, .crw, .cs, .csv, .d11, .db, .dbf, .dcr, .der, .dng, .doc, .docb, .docm, .docx, .dot, .dotm, .dotx, .dwg, .dxf, .dxg, .efx, .eps, .erf, .fla, .flv, .iso, .idml, .iff, .ini, .sik, .indb, .indd, .indl, .indt, .iconx, .jar, .jnt, .jnt, .java, .key, .kdc, .m3u, .m3u8, .m4u, .max, .mdb, .mdf, .mef, .mid, .mov, .mpa, .mpeg, .mpg, .mnv, .msg, .nef, .nnv, .odb, .odc, .odm, .odp, .ods, .odt, .orf, .p12, .p7b, .plc, .pdb, .pdf, .pef, .pem, .pfx, .php, .plb, .pmd, .pot, .potm, .potx, .ppam, .ppj, .pps, .ppsm, .ppsx, .ppt, .pptm, .pptx, .prel, .prproj, .ps, .psd, .pst, .ptx, .r3d, .ra, .raf, .raw, .rb, .rtf, .rw2, .rwl, .sdf, .sldm, .sldx, .sql, .sr2, .srf, .srw, .svg, .swf, .tif, .vcf, .vob, .wav, .wb2, .wrria, .wmv, .wpd, .wps, .x3f, .xla, .xlam, .xlk, .x11, .xlm, .xls, .xlsb, .xlsm, .xlsx, .xlt, .xltm, .xltx, .xlw, .xml, .xqx.
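As an added example (not code from this page or from any vendor), the following Python script normalises an excerpt of the extension list as printed above, with its missing commas and stray spaces, and then uses it to report which files in a constructed inventory would be affected and lack a backup; the paths and the backup manifest are hypothetical.

```python
import re
from pathlib import PurePath

# Excerpt of the targeted-extension list exactly as the page prints it,
# including its formatting quirks: missing commas (".8bi .abr", ".pmd .pot"),
# a stray space (". wrria"), a duplicate ".exe" and a trailing full stop.
PAGE_EXTENSION_TEXT = (
    ".txt, .exe, .text, .docx, .xls, .8bi .abr, .pmd .pot .potm, .exe, "
    ".jpg, .pdf, .sql, .pst, . wrria, .xlsx, .xqx."
)

# Constructed sample inventory and backup manifest (hypothetical paths).
SAMPLE_INVENTORY = [
    "C:/Users/alice/Documents/budget.XLSX",
    "C:/Users/alice/Pictures/holiday.jpg",
    "C:/Users/alice/Outlook/mailbox.pst",
    "C:/Users/alice/notes.md",
    "C:/Users/alice/archive.tar.gz",
    "C:/Users/alice/.bashrc",
]
SAMPLE_BACKED_UP = {"C:/Users/alice/Documents/budget.XLSX"}


def parse_extension_list(text: str) -> frozenset:
    """Normalise the page's loosely separated list into lowercase '.ext' tokens.

    A token is a dot, optional whitespace, then one or more alphanumerics, so
    missing commas and stray spaces are tolerated and the trailing '.' is ignored.
    """
    return frozenset("." + m.lower() for m in re.findall(r"\.\s*([A-Za-z0-9]+)", text))


def files_at_risk(paths, targeted):
    """Return inventory paths whose (case-insensitive) final suffix is targeted."""
    # PurePath.suffix gives '' for dotfiles and only the last suffix of 'a.tar.gz'.
    return sorted(p for p in paths if PurePath(p).suffix.lower() in targeted)


def unprotected(paths, targeted, backed_up):
    """At-risk files with no entry in the backup manifest: the real exposure."""
    return sorted(p for p in files_at_risk(paths, targeted) if p not in backed_up)


if __name__ == "__main__":
    targeted = parse_extension_list(PAGE_EXTENSION_TEXT)
    print(f"{len(targeted)} targeted extensions parsed")
    for path in unprotected(SAMPLE_INVENTORY, targeted, SAMPLE_BACKED_UP):
        print("no backup for at-risk file:", path)
```

Running the same functions over a real file inventory and backup manifest gives a quick estimate of how much data a successful infection would actually put beyond recovery.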
The Exotic Squad Ransomware Uses an HTA Application and the Windows Messaging Service to Notify the User of a Successful Encryption
The same behavior was introduced with the Black Feather Ransomware, which took advantage of built-in Windows services to deliver the ransom note. Reports reveal that users infected by the Exotic Squad Ransomware are shown a dialog box that says:
'Windows are Infected, by the EXOTIC Virus!
Try to Kill or Delete me i kill your PC!
Have a nice day =)'
The notification is followed by a window loaded with a picture of Adolf Hitler and the title 'You got fucked by EXOTIC SQUAD.' However, there is no evidence to support a connection with the Hitler Ransomware. When the image fades away, a text message appears that says:
'ALL YOUR FILES HAVE BEEN ENCRYPTED
Hello, all your Computer files have been encrypted. But, don't worry! I haven't deleted them all. So you have 72 hours to pay 50 USD in BitCoins to my BitCoin Address to get your files back! Every 5 hours files will be deleted. After 72 hours all that are left will be deleted! We will format your hard-drive when you restart the Computer! The Timer starts now! Dont fuck with EXOTIC Squad!
TIME LEFT: [72 hours]
Send 50 USD worth of BitCoins here: [34 random characters]'
50 USD may not seem like much, but you should take into consideration that the makers of the Exotic Squad Ransomware are not obliged to send you a decryption key. Crypto malware developers may also install a backdoor Trojan on your PC, as we have seen with the Pokemon GO Ransomware. Computer users should consider using clean backups to restore their data instead of paying the ransom. Keep in mind that you will need to clean your Windows OS with a reputable anti-malware suite before you proceed to restore your data.