Cybersecurity researchers classify APT14CHIR as a ransomware threat. Its primary function is to encrypt files, which renders them inaccessible to their owners. APT14CHIR also alters the names of the files it encrypts, replacing each original filename with a sequence of random characters and appending the '.APT14CHIR' extension.
As an example, the APT14CHIR Ransomware may change the name of a file like '1.png' to '46bHrwLR0CmRGarY.APT14CHIR', while '2.doc' could be renamed to 'qoMCVWgi0Vm27mcu.APT14CHIR'. Moreover, APT14CHIR creates a ransom message in the form of a text file named 'PLEASE READ.txt' to inform victims that their files have been encrypted and to provide instructions on how to pay a ransom to obtain the decryption key.
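As an added example (not code from the page or from any vendor), the script below triages a directory listing for the two filename indicators described above: the random-name plus '.APT14CHIR' rename and the 'PLEASE READ.txt' note. The 16-character name length is an assumption drawn from the two sample filenames, and the listing it runs on is constructed.

```python
import re

EXT = ".APT14CHIR"
NOTE_NAME = "PLEASE READ.txt"

# The page's two samples ('46bHrwLR0CmRGarY', 'qoMCVWgi0Vm27mcu') are 16
# alphanumeric characters; treating 16 as the fixed length is an assumption
# drawn from those samples, so this matcher is a heuristic, not a signature.
RENAMED_RE = re.compile(r"^[A-Za-z0-9]{16}\.APT14CHIR$")

# Constructed directory listing for the example (not from a real infection).
SAMPLE_LISTING = [
    "46bHrwLR0CmRGarY.APT14CHIR",   # renamed as on the page
    "qoMCVWgi0Vm27mcu.APT14CHIR",   # renamed as on the page
    "PLEASE READ.txt",              # ransom note filename from the page
    "budget.xlsx",                  # untouched file
    "notes.APT14CHIR.bak",          # extension not final: not a match
]


def is_renamed_by_apt14chir(name):
    """True if a filename follows the random-name + '.APT14CHIR' scheme."""
    return RENAMED_RE.match(name) is not None


def has_ransom_note(names):
    """True if the 'PLEASE READ.txt' note is present (case-insensitive)."""
    return any(n.lower() == NOTE_NAME.lower() for n in names)


def assess_listing(names):
    """Summarise a listing into indicator counts and a triage verdict.

    Verdicts: 'clean' (no indicators), 'suspicious' (renamed files or the
    note alone), 'apt14chir_indicators_present' (both together).
    """
    renamed = [n for n in names if is_renamed_by_apt14chir(n)]
    note = has_ransom_note(names)
    if renamed and note:
        verdict = "apt14chir_indicators_present"
    elif renamed or note:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"renamed_files": len(renamed),
            "ransom_note_present": note,
            "verdict": verdict}


if __name__ == "__main__":
    print(assess_listing(SAMPLE_LISTING))
```

To check a real share, pass os.listdir(path) for each directory of interest to assess_listing.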
The APT14CHIR Ransomware Leaves Victims with a List of Demands
The ransom note left by the attackers clearly states that the victim's crucial files have been completely encrypted with a combination of AES and RSA encryption algorithms, making them inaccessible to the rightful owner. The note also warns the victims not to attempt to restore the files using third-party software, as this could lead to permanent data loss or further modification of the encrypted files.
Furthermore, the note goes on to claim that the attackers are the only ones with the capability to solve the problem and there are no decryption tools available online to help with the process. This puts the victims in a difficult position, where they have to rely on the attackers' willingness to provide the decryption key in exchange for a ransom payment.
The note also highlights that the attackers have uploaded all of the victim's highly confidential and personal data, as well as a copy of their main servers to a private storage location. The attackers threaten to destroy this data only after they have received the requested ransom amount. However, if the victim chooses not to pay the ransom, the cybercriminals threaten to make the data public, which could be disastrous for the victim's reputation.
The attackers claim that they only want money and do not intend to harm the victim's reputation or business. To obtain more information about the necessary actions to decrypt the files, the victim is directed to contact the perpetrators via the email addresses 'firstname.lastname@example.org' and 'email@example.com' or through the qTox messenger.
How can Users Mitigate the Damage of Attacks by Threats like the APT14CHIR Ransomware?
Ransomware attacks are becoming increasingly common, and their impact can be devastating. However, there are several measures that users can take to mitigate the damage caused by these attacks.
Firstly, ensure that regular backups of essential data are made and stored in a secure location that is not connected to the Internet. This will help to ensure that if data is encrypted, it can be easily restored from the backup and the victim doesn't need to pay the ransom.
Secondly, users should be cautious when opening emails or clicking on links from unknown or suspicious sources. Ransomware is often distributed through phishing emails, and clicking on an unsafe link or opening a compromised attachment can result in the ransomware infecting your computer.
It is crucial to keep software and operating systems up-to-date, as ransomware often exploits vulnerabilities in older versions of software. Regularly updating software and implementing security patches will help to mitigate this risk.
Users should also strongly consider using anti-malware software and firewalls, which can help to detect and prevent ransomware attacks. These tools can identify and block suspicious activity, preventing the malware from gaining access to your computer.
Finally, in the event of a ransomware attack, users should avoid paying the ransom. This only encourages cybercriminals and provides them with the resources to continue their illegal activities. Instead, users should seek the assistance of cybersecurity experts who may be able to help recover the encrypted data or remove the malware from the infected system.
The full text of APT14CHIR's ransom note is:
'HELLO, YOUR COMPANY NETWORK HAS BEEN PENETRATED
All your important files have been encrypted!
Your files NOT DAMAGE! Only fully modified. (RSA+AES)
They are encrypted with a strong unique aes encryption algorithm.
ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE
WILL PERMANENTLY CORRUPT IT.
DO NOT MODIFY ENCRYPTED FILES.
DO NOT RENAME ENCRYPTED FILES.
No software available on internet can help you. We are the only ones able to
solve your problem.
We uploaded all highly confidential/personal data and copy main servers.
These data are currently stored on a private storage.
This server will be immediately destroyed after your payment.
If you decide to not pay, we will release your data to public or re-seller, competitors, local government representative, judiciary, blackmail and attack intermediary
So you can expect your data to be publicly available in the near future..
We only seek money and our goal is not to damage your reputation or prevent
your business from destroy.
For more information and decryption keys, please contact us:
You will be provided with all the information about the necessary actions to fully decrypt your files.
You can also contact us using the qTox messenger, it will be much faster, support is available 24/7.
You can download from the link, or find the application yourself:
Contact qTox 24/7:
Your personal id:'