
'Recuperadados@protonmail.com' Ransomware

By GoldSparrow in Ransomware

The 'Recuperadados@protonmail.com' Ransomware is an encryption Trojan that belongs to a large family of crypto-threats called Hidden Tear. You may have heard the name in the news and know that the Hidden Tear project was published by a coder named Utku Sen. The project was presented as a 'proof of concept' serving as an example of encryption engines and their potential. Soon after Hidden Tear became public, threat actors saw an opportunity to copy the source code and use its encryption mechanism for monetary gain. Threat actors have used Hidden Tear to create encryption Trojans that encipher the victim's data and offer a decryptor after payment is made in Bitcoins.

The 'Recuperadados@Protonmail.com' Ransomware is Part of a Long Line of Hidden Tear Variants

The 'Recuperadados@protonmail.com' Ransomware functions very similarly to the RIP Ransomware and the CerberTear Ransomware, which are also based on Hidden Tear. Most Trojans that share the same encryption procedure work identically but come in different packages and feature different obfuscation layers. Malware developers introduce these subtle code differences to let their programs evade standard AV scanners and heuristic detection techniques. We have received reports that the 'Recuperadados@protonmail.com' Ransomware is delivered to users via spam emails carrying macro-enabled documents. Macros are a preferred method for installing ransomware on remote computers without triggering security alerts.

The 'Recuperadados@Protonmail.com' Ransomware is Programmed to Encipher Images and Documents

The creators of the 'Recuperadados@Protonmail.com' Ransomware programmed their Trojan to target data containers associated with images, spreadsheets, eBooks, PDFs and presentations. Analysis shows that the 'Recuperadados@Protonmail.com' Ransomware Trojan is likely to interrupt the work of PC users who engage in image manipulation and manage large numbers of documents. The encryption engine inside the 'Recuperadados@Protonmail.com' Ransomware uses the AES-256 cipher to lock data, and there is no way to recover your files without access to the correct decryption tool. Affected files carry the '.BLOQUEADO' extension and are listed in Windows Explorer with white icons. For example, 'Le Mont Aigulle.jpeg' is transcoded to 'Le Mont Aigulle.jpeg.BLOQUEADO' and the original file is deleted. A decryptor is offered via the ransom notification '-[AVISO-IMPORTANTE]-.txt,' which is Portuguese for 'IMPORTANT-WARNING.' Evidently, the 'Recuperadados@Protonmail.com' Ransomware is aimed at Portuguese-speaking users from countries like Angola, Brazil, Cape Verde, Guinea-Bissau, Mozambique and Portugal.
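The file indicators above (the '.BLOQUEADO' extension and the '-[AVISO-IMPORTANTE]-.txt' note) are enough to scope an infection from a file listing. The following triage helper is an added example, not code from the original page or from the threat itself: it walks a directory tree, recovers the original name and type of each encrypted file, and locates the ransom notes. The sample tree it builds is constructed for the demonstration; the function and variable names are assumptions.

```python
"""Triage helper for a '.BLOQUEADO' infection: lists encrypted files,
recovers their original names and types, and finds ransom notes."""
import os
import tempfile
from collections import Counter
from pathlib import Path

ENCRYPTED_EXT = ".BLOQUEADO"            # extension reported for this threat
RANSOM_NOTE = "-[AVISO-IMPORTANTE]-.txt"  # ransom note name reported for this threat


def triage(root):
    """Return (encrypted_files, notes, type_counts) found under root.

    encrypted_files: list of (encrypted_path, original_name) tuples
    notes: list of ransom note paths
    type_counts: Counter of original extensions in lower case, e.g. '.jpeg'
    """
    encrypted, notes, types = [], [], Counter()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = Path(dirpath) / name
            if name == RANSOM_NOTE:
                notes.append(full)
            elif name.endswith(ENCRYPTED_EXT):
                # The Trojan appends its extension, so stripping it
                # yields the original file name and its real type.
                original = name[: -len(ENCRYPTED_EXT)]
                encrypted.append((full, original))
                types[Path(original).suffix.lower()] += 1
    return encrypted, notes, types


def build_sample_tree():
    """Create a constructed directory that mimics an affected profile."""
    root = Path(tempfile.mkdtemp(prefix="bloqueado_"))
    pics, docs = root / "Pictures", root / "Documents"
    pics.mkdir()
    docs.mkdir()
    (pics / ("Le Mont Aigulle.jpeg" + ENCRYPTED_EXT)).write_bytes(b"\x00" * 64)
    (docs / ("budget.xlsx" + ENCRYPTED_EXT)).write_bytes(b"\x00" * 64)
    (docs / ("report.pdf" + ENCRYPTED_EXT)).write_bytes(b"\x00" * 64)
    (docs / "notes.txt").write_text("untouched file")  # not targeted
    (docs / RANSOM_NOTE).write_text("constructed ransom note")
    (root / RANSOM_NOTE).write_text("constructed ransom note")
    return root


if __name__ == "__main__":
    enc, notes, counts = triage(build_sample_tree())
    print(f"{len(enc)} encrypted files, {len(notes)} ransom notes")
    for path, orig in enc:
        print(f"  {path} -> original name {orig!r}")
    print("original types hit:", dict(counts))
```

The type counts give a quick view of which document categories were hit, which is what you need when deciding which backup sets to restore.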

PC Users are Invited to Buy a Decryption Tool for a Mere $1,500

Threats like the 'Recuperadados@Protonmail.com' Ransomware Trojan can corrupt data on removable drives, local drives, and network shares that are not protected. However, ransomware is ineffective against users who have access to backup images and can revert to older versions of their documents. Experts do not encourage paying the ransom, since the operators behind the 'Recuperadados@Protonmail.com' Ransomware are not likely to hold up their end of the deal and can simply switch to another email address and a new encryption Trojan. Computer users are advised to create backups regularly and save copies of their documents to unmapped drives and cloud storage services like Google Drive and Microsoft's OneDrive. You will need a trusted anti-malware scanner to remove all traces of the 'Recuperadados@Protonmail.com' Ransomware safely.
