Extortionist Ransomware

The Extortionist Ransomware is a new, threatening variant from the VoidCrypt malware family. Its goal is to infiltrate targeted systems and run a strong encryption algorithm. As a result, victims will lose access to most of their private and business-related files. Documents, archives, databases, pictures, photos, PDFs, and more will be rendered completely unusable. The threat actors responsible for releasing the Extortionist Ransomware will then blackmail their victims for money in exchange for the potential restoration of the locked data.

One of the distinguishing characteristics of the threat is the specific extension it uses to mark each locked file. Upon encrypting a file of one of the targeted file types, the malware appends an email address, a unique ID string and a new extension to the file's original name. The email address is 'openthefile@mailfence.com', while the extension is '.Extortionist'. The ransom note is dropped onto compromised devices as a text file named 'Decrypt-me.txt'.

Demands' Overview

The instructions from the hackers state that the first action of their victims should be to locate a specific file named 'prvkey*.txt.key'. Apparently, the file contains a crucial decryption key, and without it, even the attackers will be unable to restore the affected data. The default location of the file is C:\ProgramData\, and the * sign could instead be a number. The note also clarifies that the ransom will have to be paid using the Bitcoin cryptocurrency.

If the note can be trusted, victims are also allowed to send a couple of locked files to be decrypted for free. However, the chosen files must be less than 1MB in size and should not contain any important information. Two email addresses are provided as communication channels: 'openthefile@mailfence.com' and 'openthefile@tutanota.com'.

The full text of the Extortionist Ransomware's note is:

'All Your Files Has Been Encrypted

You Have to Pay to Get Your Files Back

1-Go to C:\ProgramData\ folder and send us prvkey*.txt.key file , * might be a number (like this : prvkey3.txt.key)
2-You can send some file little than 1mb for Decryption test to trust us But the test File should not contain valuable data
3-Payment should be with Bitcoin
4-Changing Windows without saving prvkey.txt.key file will cause permanete Data loss

Our Email:openthefile@mailfence.com
in Case of no Answer:openthefile@tutanota.com
'
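
The indicators described above (the '.Extortionist' extension, the contact address embedded in file names, the 'Decrypt-me.txt' note and the 'prvkey*.txt.key' file) can be combined into a triage check for a suspect volume. The Python below is an added example, not code from the original page; the function names, the evidence_dir parameter and the constructed sample names, including their bracket layout, are assumptions.

```python
import fnmatch
import os
import shutil

# Indicators as given in the write-up; names are compared in lower case.
EXTENSION = ".extortionist"
CONTACT = "openthefile@mailfence.com"
NOTE_NAME = "decrypt-me.txt"
KEY_PATTERN = "prvkey*.txt.key"  # '*' may be a number

# Constructed sample names. The bracket layout is an assumption: the page
# only says an email, an ID string and the extension are appended.
SAMPLE_NAMES = [
    "report.docx.[openthefile@mailfence.com][CONSTRUCTED-ID].Extortionist",
    "Decrypt-me.txt",
    "prvkey3.txt.key",
    "notes.Extortionist",
    "budget.xlsx",
]


def classify(filename):
    """Return the indicator type for one file name, or None if clean."""
    name = filename.lower()
    if name == NOTE_NAME:
        return "ransom_note"
    if fnmatch.fnmatchcase(name, KEY_PATTERN):
        return "key_file"
    if name.endswith(EXTENSION):
        # The contact address separates this variant from a lookalike extension.
        return "encrypted" if CONTACT in name else "extension_only"
    return None


def triage(root, evidence_dir=None):
    """Walk root, group hits by type and optionally copy key files aside."""
    hits = {}
    for folder, _dirs, files in os.walk(root):
        for filename in files:
            kind = classify(filename)
            if kind is None:
                continue
            path = os.path.join(folder, filename)
            hits.setdefault(kind, []).append(path)
            if kind == "key_file" and evidence_dir:
                # Per the note, data is unrecoverable without this file.
                os.makedirs(evidence_dir, exist_ok=True)
                shutil.copy2(path, evidence_dir)
    return hits
```

Point evidence_dir at a location outside the scanned tree, ideally on separate media, so the preserved key file survives reimaging of the affected host.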
