Armage Ransomware

The Armage Ransomware is an encryption ransomware Trojan. These threats function by taking the victims' files hostage and then demanding a ransom payment from the victim. To do this, the Armage Ransomware and threats like it will use a strong encryption algorithm to encrypt the victim's files, thus making them inaccessible. Then, the Armage Ransomware will demand a ransom payment in exchange for the decryption key its victims will need to restore the affected files. The Armage Ransomware was first observed on July 23, 2018. The Armage Ransomware is being distributed through spam email messages currently. The victims will receive a phishing email of some sort containing an attached Microsoft Word file. The Armage Ransomware will be downloaded and installed by these file attachments, which use embedded macro scripts to introduce the threat onto the victim's computer.

How the Armage Ransomware Carries Out Its Attack

Once the Armage Ransomware has been installed onto the victim's computer, it will use the AES encryption to make the victim's files inaccessible. The Armage Ransomware will mark the files it encrypts by adding the file extension '.armage' to the affected file's name. Once the Armage Ransomware encrypts a file, it will become inaccessible without the decryption key. The Armage Ransomware targets the user-generated files, such as media files, images, documents, databases, archives, backups and many others. The files that threats like the Armage Ransomware will target in their attacks include:

.ebd, .jbc, .pst, .ost, .tib, .tbk, .bak, .bac, .abk, .as4, .asd, .ashbak, .backup, .bck, .bdb, .bk1, .bkc, .bkf, .bkp, .boe, .bpa, .bpd, .bup, .cmb, .fbf, .fbw, .fh, .ful, .gho, .ipd, .nb7, .nba, .nbd, .nbf, .nbi, .nbu, .nco, .oeb, .old, .qic, .sn1, .sn2, .sna, .spi, .stg, .uci, .win, .xbk, .iso, .htm, .html, .mht, .p7, .p7c, .pem, .sgn, .sec, .cer, .csr, .djvu, .der, .stl, .crt, .p7b, .pfx, .fb, .fb2, .tif, .tiff, .pdf, .doc, .docx, .docm, .rtf, .xls, .xlsx, .xlsm, .ppt, .pptx, .ppsx, .txt, .cdr, .jpe, .jpg, .jpeg, .png, .bmp, .jiff, .jpf, .ply, .pov, .raw, .cf, .cfn, .tbn, .xcf, .xof, .key, .eml, .tbb, .dwf, .egg, .fc2, .fcz, .fg, .fp3, .pab, .oab, .psd, .psb, .pcx, .dwg, .dws, .dxe, .zip, .zipx, .7z, .rar, .rev, .afp, .bfa, .bpk, .bsk, .enc, .rzk, .rzx, .sef, .shy, .snk, .accdb, .ldf, .accdc, .adp, .dbc, .dbx, .dbf, .dbt, .dxl, .edb, .eql, .mdb, .mxl, .mdf, .sql, .sqlite, .sqlite3, .sqlitedb, .kdb, .kdbx, .1cd, .dt, .erf, .lgp, .md, .epf, .efb, .eis, .efn, .emd, .emr, .end, .eog, .erb, .ebn, .ebb, .prefab, .jif, .wor, .csv, .msg, .msf, .kwm, .pwm, .ai, .eps, .abd, .repx, .oxps, .dot.

The Armage Ransomware delivers its ransom note, which is a short note alerting the victim of the attack and demanding that the victim contact the criminals via email to obtain the decryption key. The Armage Ransomware delivers its note in a text file named 'Notice.txt' that is dropped on the infected computer. The Armage Ransomware's ransom note reads as follows:

'Your files was encrypted using AES-256 algorithm, write me to email: armagedosevin@aol.com to get your decryption key.
Your USERKEY: [128 random characters]'

One unique aspect of the Armage Ransomware is that it will delete quick access links and shortcuts, as well as libraries in the victim's computer, making the attack seems scarier than most, similar encryption ransomware Trojans.

Protecting Your Data from Threats Like the Armage Ransomware

You should take steps to protect your data from threats like the Armage Ransomware, which are becoming more common increasingly. The best safeguard against these attacks is to have file backups. Having file backups helps computer users restore their files quickly without having to contact the criminals. Computer users are instructed not to contact the criminals responsible for the Armage Ransomware, who will demand a ransom of several hundred US dollars, paid in Bitcoin, and not help restore files affected by the Armage Ransomware attacks even after the victim has paid the ransom amount.

SpyHunter Detects & Remove Armage Ransomware