Alkhal Ransomware

Alkhal Ransomware Description

The Alkhal Ransomware is a new threat that infosec researchers have detected in the wild. Like most malware of this type, Alkhal uses a strong encryption algorithm to lock the files stored on the compromised system, and the attackers then extort their victims for money. However, unlike the vast majority of ransomware, this threat does not modify the names of the encrypted files at all; they are left intact. As for the instructions for the victims, it delivers an identical ransom note as an image file - 'Recovery.bmp' - and as a text file - 'ReadMe.txt.'

Alkhal Ransomware's Demands

Despite its length, the ransom note still leaves out several important details, such as the exact amount of the ransom victims will have to pay. It does set up a few requirements, though. First, the funds must be transferred using the Bitcoin cryptocurrency and the total sum of the ransom will increase each day by an unspecified amount. After two weeks have passed, the hackers state the encrypted files will be deleted.

To reach out to the attackers and receive more instructions, victims are told to contact the two email addresses found at the end of the ransom note - 'alkhal@tutanota.com' and 'cyrilga@tutanota.com.' Two encrypted files can be attached to the message and will supposedly be unlocked and returned for free. The files must be less than 5MB in unarchived form and should not contain any important information.

The full text of the note is:

'Gentlemen!

Your business is at serious risk .
There is a significant hole in the security system of your company.
We have easily penetrated your network.
You should thank the Lord for being hacked by serious people not some stupid schoolboys or dangerous punks.
They can damage all your important data just for fun.

All files on each host in the network have been encrypted with a strong algorithm
No one can help you to restore files without our special decoder.

If you want to restore your files write to emails (contacts are at the bottom of the sheet )
and attach 2 encrypted files
(Less than 5 Mb each, non-archived and your files should not contain valuable information
(Databases, backups, large excel sheets, etc. ))
You will receive decrypted samples and our conditions how to get the decoder.
Please don't forget to write the name of your company in the subject of your e-mail.

You have to pay for decryption in Bitcoins.
The final price depends on how fast you write to us.
Every day of delay will cost you additional BTC
Nothing personal just business

As soon as we get bitcoins you'll get all your decrypted data back.
Moreover you will get instructions how to close the hole in security
and how to avoid such problems in the future

we will recommend you special software that makes the most problems to hackers.

Attention! One more time !

Do not rename encrypted files.
Do not try to decrypt your data using third party software.

P.S. Remember, we are not scammers.
We don't need your files and your information.
But after 2 weeks all your files and keys will be deleted automatically.
Just send a request immediately after infection.
All data will be restored absolutely.
Your warranty - decrypted samples.

Contact email
alkhal@tutanota.com
cyrilga@tutanota.com
'
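As an added defender-side example (not code from the page or from any vendor tooling), the Python below turns the indicators described above into a triage script: it flags dropped copies of ReadMe.txt and Recovery.bmp and, because Alkhal leaves file names untouched, falls back on byte entropy to spot files encrypted in place. The 7.5 bits/byte threshold, the sample tree and its file contents are constructed assumptions.

```python
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

NOTE_EMAILS = ("alkhal@tutanota.com", "cyrilga@tutanota.com")  # contacts quoted in the note
ENTROPY_THRESHOLD = 7.5  # assumption: bits/byte at or above which a file looks encrypted


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: near 8.0 for encrypted or compressed data, far lower for documents."""
    if not data:
        return 0.0
    return -sum(c / len(data) * math.log2(c / len(data)) for c in Counter(data).values())


def is_alkhal_note(path: str) -> bool:
    """Recovery.bmp is an image and is matched on name only; ReadMe.txt must quote a contact address."""
    name = os.path.basename(path).casefold()
    if name == "recovery.bmp":
        return True
    if name != "readme.txt":
        return False
    body = Path(path).read_bytes()[:65536].decode("latin-1", "replace")
    return any(addr in body for addr in NOTE_EMAILS)


def triage_directory(root: str) -> dict:
    """Report note drops and files whose bytes look encrypted although their names are intact."""
    report = {"notes": [], "suspect_files": []}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if is_alkhal_note(path):
                report["notes"].append(path)
                continue
            with open(path, "rb") as fh:
                sample = fh.read(1 << 20)  # the first 1 MiB is enough to judge entropy
            if len(sample) >= 256 and shannon_entropy(sample) >= ENTROPY_THRESHOLD:
                report["suspect_files"].append(path)
    return report


def demo() -> dict:
    """Constructed sample tree: a note, random bytes standing in for an encrypted file, plain text."""
    root = tempfile.mkdtemp()
    files = {"ReadMe.txt": b"Gentlemen!\nContact email\nalkhal@tutanota.com\n",
             "report.docx": os.urandom(4096),  # constructed stand-in for a file encrypted in place
             "notes.txt": b"quarterly figures\n" * 100}
    for name, content in files.items():
        Path(root, name).write_bytes(content)
    return triage_directory(root)
```

Run `demo()` to see the report for the constructed tree; point `triage_directory()` at a real share to list note drops and high-entropy files for manual review.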