Infosec researchers have uncovered a new, dangerous ransomware threat that has been unleashed in the wild. Called Arch Ransomware, the threat has been classified as a variant belonging to the Makop ransomware family. Users infected with Arch Ransomware will find themselves effectively locked out of their own files. Indeed, nearly all files on computer systems compromised by the threat will be rendered inaccessible through an encryption routine employing strong cryptographic algorithms.
Arch Ransomware exhibits the usual traits associated with this type of malware. First, it encrypts the targeted file types; then it modifies the names of the affected files by appending a string of characters, followed by an email address under the control of the hackers, and finally a new file extension. The email address is 'email@example.com' and the extension is '.arch'. The next step is to drop the ransom note with instructions for the victims. The threat does so by creating text files named 'readme-warning.txt' in every folder containing encrypted data.
Arch Ransomware's note is structured as a FAQ. According to it, the cybercriminals demand a ransom paid in Bitcoin before they will send over the decryption software that could potentially restore the locked files. Affected users can initiate contact by messaging either of the two email addresses found in the note: one is the same address placed in the names of the encrypted files, while the other is 'firstname.lastname@example.org'. To demonstrate their ability to decrypt the user's files, the hackers allow up to two files to be attached to the email message. The files must not be databases and should be less than 1MB in size.
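As an added triage example (not code from the article or from the malware's authors), the following Python walks a directory tree and inventories files carrying the rename pattern described above together with the dropped 'readme-warning.txt' notes, so a responder can gauge impact and identify the original file types before restoring from backup. The article gives the order of the appended parts but not the delimiters; the regex assumes dot separators with optional square brackets around the ID string and email, and the sample tree is constructed.

```python
import os
import re
import tempfile
from collections import Counter

NOTE_NAME = "readme-warning.txt"
# Assumed layout (the article gives the order, not the delimiters):
#   <original name>.<id string>.<attacker email>.arch  (brackets tolerated, id alphanumeric)
ARCH_RE = re.compile(
    r"^(?P<orig>.+)\.\[?(?P<id>[A-Za-z0-9]+)\]?"
    r"\.\[?(?P<email>[^\s@\[\]]+@[^\s@\[\]]+)\]?\.arch$",
    re.IGNORECASE,
)

def parse_arch_name(name):
    """Return (original name, id, email) for a renamed file, or None if no match."""
    m = ARCH_RE.match(name)
    return (m.group("orig"), m.group("id"), m.group("email")) if m else None

def triage(root):
    """Walk `root`; list encrypted files and ransom notes, tally original extensions."""
    report = {"encrypted": [], "notes": [], "by_ext": Counter(), "emails": Counter()}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            if fname.lower() == NOTE_NAME:
                report["notes"].append(path)
                continue
            parsed = parse_arch_name(fname)
            if parsed:
                orig, _id, email = parsed
                report["encrypted"].append(path)
                report["by_ext"][os.path.splitext(orig)[1].lower() or "(none)"] += 1
                report["emails"][email.lower()] += 1
    return report

def build_sample_tree():
    """Constructed sample share for a dry run (not real victim data)."""
    root = tempfile.mkdtemp(prefix="arch_triage_")
    for rel in [
        "docs/report.docx.A1B2C3D4.email@example.com.arch",
        "docs/readme-warning.txt",
        "pics/holiday.jpg.[A1B2C3D4].[email@example.com].arch",
        "pics/readme-warning.txt",
        "pics/untouched.png",
    ]:
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        open(full, "wb").close()  # empty placeholder; content is irrelevant to triage
    return root
```

Run `triage()` against a mounted copy of the affected volume; the `by_ext` tally tells you which original file types were hit, and the `notes` list shows every folder the ransomware reached.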
The full text of Arch Ransomware's note is:
::: Greetings :::
Q: Whats Happen?
A: Your files have been encrypted and now have the "arch" extension. The file structure was not damaged, we did everything possible so that this could not happen.
Q: How to recover files?
A: If you wish to decrypt your files you will need to pay in bitcoins.
Q: What about guarantees?
A: Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will cooperate with us. Its not in our interests.
To check the ability of returning files, you can send to us any 2 files with SIMPLE extensions(jpg,xls,doc, etc... not databases!) and low sizes(max 1 mb), we will decrypt them and send back to you. That is our guarantee.
Q: How to contact with you?
A: You can write us to our mailbox: email@example.com or firstname.lastname@example.org
Q: How will the decryption process proceed after payment?
A: After payment we will send to you our scanner-decoder program and detailed instructions for use. With this program you will be able to decrypt all your encrypted files.
Q: If I don’t want to pay bad people like you?
A: If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause only we have the private key. In practice - time is much more valuable than money.
DON'T try to change encrypted files by yourself!
If you will try to use any third party software for restoring your data or antivirus solutions - please make a backup for all encrypted files!
Any changes in encrypted files may entail damage of the private key and, as result, the loss all data.