Aram Ransomware

Aram Ransomware Description

The Aram Ransomware is a new threat that has been classified as part of the VoidCrypt malware family. Although the threat doesn't display any meaningful deviations from a typical variant of the VoidCrypt Ransomware family, it still possesses vast potential for causing damage. If the Aram Ransomware is successfully deployed on the targeted computer, it engages in an encryption process with a strong cryptographic algorithm. As a result, numerous file types stored on the infected device will be locked and rendered unusable.

During the encryption, each locked file will have its name changed significantly. The Aram Ransomware appends an email address under the control of the attackers, followed by a random string assigned to the specific victim, and finally '.Aram' as a new file extension. The email address in question is 'dataunlock@criptext.com.'

When the encryption process is completed, Aram will drop a ransom-demanding message on the compromised device. The ransom note will be contained inside a text file named 'Decrypt-info.txt.'

Ransom Note's Overview

According to the Aram Ransomware note, the first action that the affected users should take is to locate a file named 'prvkey*.txt.key' where the * symbol could be substituted with a number in the actual file. Apparently, the information in this file is crucial for the restoration of the locked files, and without it, even the hackers will not be able to decrypt the data successfully. Normally, the file will be created in the C:\ProgramData\ location.

Other details mentioned in the note include the option to send a single locked file to the cybercriminals who promise to decrypt it for free. The only requirement is for the file to not contain any important information. To do so and to receive additional instructions, victims are supposed to message the two email addresses found in the note - 'dataunlock@criptext.com' and 'dataunlocks@criptext.com.' The ransom payment to the hackers should be done using the Bitcoin cryptocurrency.

The full text of the note is:

'All Your Files Has Been Encrypted

You Have to Pay to Get Your Files Back

Go to C:\ProgramData\ or in Your other Drives and send us prvkey*.txt.key file , * might be a number (like this : prvkey3.txt.key)
ou can send some file little than 1mb for Decryption test to trust us But the test File should not contain valuable data
Payment should be with Bitcoin
Changing Windows without saving prvkey.txt.key file will cause permanete Data loss

Our Email:dataunlock@criptext.com
in Case of no Answer:dataunlocks@criptext.com
'
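The file-system indicators described above (the renamed files, the 'Decrypt-info.txt' note and the 'prvkey*.txt.key' file) can be checked against a file listing during triage. The following is an added example, not code from the original page; the function names and the sample listing are constructed, and because the page does not give the exact delimiters used in the renamed files, the parser assumes only the order of the parts and strips any punctuation between them.

```python
import re
from pathlib import PureWindowsPath

# Indicators taken from the description above.
CONTACT_EMAIL = "dataunlock@criptext.com"
EXTENSION = ".aram"
NOTE_NAME = "decrypt-info.txt"
KEY_FILE_RE = re.compile(r"^prvkey\d*\.txt\.key$", re.IGNORECASE)
# Assumption: delimiters around the email and victim string are not given on
# the page, so any punctuation between the parts is tolerated and stripped.
DELIMS = " .[](){}_-"

def classify(path):
    """Return (kind, details) for one Windows path, or (None, {})."""
    name = PureWindowsPath(path).name
    lower = name.lower()
    if lower == NOTE_NAME:
        return "ransom_note", {}
    if KEY_FILE_RE.match(name):
        return "key_file", {}
    pos = lower.find(CONTACT_EMAIL)
    if lower.endswith(EXTENSION) and pos != -1:
        tail = name[pos + len(CONTACT_EMAIL):len(name) - len(EXTENSION)]
        return "encrypted_file", {
            "original_name": name[:pos].rstrip(DELIMS),
            "victim_string": tail.strip(DELIMS),
        }
    return None, {}

def triage(paths):
    """Summarise a file listing: hits per kind plus distinct victim strings."""
    report = {"encrypted_file": [], "ransom_note": [], "key_file": [],
              "victim_strings": set()}
    for p in paths:
        kind, details = classify(p)
        if kind:
            report[kind].append(p)
        if details.get("victim_string"):
            report["victim_strings"].add(details["victim_string"])
    return report

# Constructed sample listing (not from a real incident).
SAMPLE = [
    r"C:\Users\a\Documents\budget.xlsx.[dataunlock@criptext.com][EXAMPLEID01].Aram",
    r"C:\Users\a\Desktop\Decrypt-info.txt",
    r"C:\ProgramData\prvkey3.txt.key",
    r"C:\Users\a\Pictures\holiday.jpg",
]
```

Since the note claims the 'prvkey*.txt.key' file is required for any decryption, paths reported under `key_file` should be preserved before a host is reimaged.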
