Atchbo Ransomware
The Atchbo Ransomware is an encryption ransomware Trojan that was first observed in early October 2017. The Atchbo Ransomware carries out a typical encryption ransomware Trojan attack, encrypting the victim's files using a strong encryption method and then demanding the payment of a fee in exchange for the software necessary to restore the affected files. The Atchbo Ransomware belongs to an already existing family of ransomware Trojans, the same family from which the ExoLock Ransomware originates; the ExoLock Ransomware was observed only a few weeks before the release of the Atchbo Ransomware. It is likely that the Atchbo Ransomware is part of a larger campaign that may involve several other ransomware Trojans being released to the public.
The Atchbo Ransomware and Similar Ransomware Trojans
The Atchbo Ransomware uses AES-256 encryption to make the victim's files inaccessible. The Atchbo Ransomware encrypts the victim's files and deletes the Shadow Volume Copies on the infected computer, with the purpose of taking the victim's files hostage and preventing the victim from using alternate methods to restore the affected files. The Atchbo Ransomware seems to run on infected computers as an executable file named 'Atchbo Ransomware2.0v.exe.' The Atchbo Ransomware marks the encrypted files by adding the file extension '.exo' to the end of each affected file's name. Once the Atchbo Ransomware encrypts a file, it shows up in Windows Explorer with a blank icon, since Windows no longer recognizes the file's contents. The Atchbo Ransomware targets the user-generated files in its attack. The following are examples of the file types that are targeted by the Atchbo Ransomware:
.3g2, .3gp, .asf, .asx, .avi, .flv, .m2ts, .rm, .jpg, .tar.gz, .gif, .sqlite3, .html, .txt, .tar, .jpeg, .swf, .mkv, .mov, .vob, .png, .mp3, .pyc, .php, .log, .jar, .sh, .tiff, .mp4, .wmv, .docx, .mpg, .mpeg, .pdf, .rar, .zip, .7z, .exe, .c, .sql, .bak, .bundle, .cpp, .deb, .h.
The Small Ransom Demanded by the Atchbo Ransomware
The Atchbo Ransomware delivers its ransom note in a way typical of these infections, dropping a text file on the infected computer. The Atchbo Ransomware's ransom note is contained in a text file named 'UnlockYourFiles[0-49].txt' that is dropped on the infected computer's desktop and in several other locations on the infected computer. The following is the full text of the Atchbo Ransomware ransom note:
'All files have been infected
Get decrypt your files in 4 steps
1.Go to "www[.]anycoindirect[.]eu/en/buy/bitcoins"
2.Pay 0.007 bitcoins to the BITCOIN Address in one of the Desktop Text Files
3.Once confirmed your files will be decrypted
4. And you can ENJOY your computer.'
The Atchbo Ransomware's ransom payment of 0.007 Bitcoin (approximately USD 35) is not particularly high, especially compared to the ransomware Trojans that demand payments of hundreds or thousands of dollars. However, PC security researchers do not recommend that computer users pay the Atchbo Ransomware ransom. Besides the fact that it is very unlikely that the crooks will keep their word and provide the decryption software after the payment is made, paying these ransoms places a target on the victim's back, since the victim has now shown a willingness to pay. It is very common for con artists to continue demanding ever-increasing payments or to target that particular victim with other attacks after the ransom payment.
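A responder's first job after a report like this is to confirm which machines and folders are affected. The following Python sweep is an added example for this page, not code from the original article or from any vendor tool; it turns the three file-name indicators described above (the appended '.exo' extension, the 'UnlockYourFiles[0-49].txt' note names, and the 'Atchbo Ransomware2.0v.exe' executable name) into a directory scan, and the user-profile layout it scans is constructed here purely for illustration.

```python
import os
import re
import tempfile
from pathlib import Path
from typing import Dict, List, Optional

# File-name indicators taken from the write-up above. The scan logic itself is
# an added illustration, not an official detection signature.
ENCRYPTED_SUFFIX = ".exo"                          # appended to every encrypted file
NOTE_PATTERN = re.compile(r"^UnlockYourFiles(\d{1,2})\.txt$", re.IGNORECASE)
NOTE_INDEX_RANGE = range(0, 50)                    # 'UnlockYourFiles[0-49].txt'
DROPPED_EXECUTABLE = "atchbo ransomware2.0v.exe"   # compared case-insensitively


def classify(path: Path) -> Optional[str]:
    """Return which indicator a single file name matches, or None if it is clean."""
    name = path.name
    if name.lower().endswith(ENCRYPTED_SUFFIX):
        return "encrypted"
    match = NOTE_PATTERN.match(name)
    if match and int(match.group(1)) in NOTE_INDEX_RANGE:
        return "ransom_note"
    if name.lower() == DROPPED_EXECUTABLE:
        return "dropper"
    return None


def sweep(root: Path) -> Dict[str, List[str]]:
    """Walk a directory tree and group matching files by indicator type."""
    findings: Dict[str, List[str]] = {"encrypted": [], "ransom_note": [], "dropper": []}
    for dirpath, _dirnames, filenames in os.walk(root):
        for filename in filenames:
            full = Path(dirpath) / filename
            kind = classify(full)
            if kind is not None:
                findings[kind].append(full.relative_to(root).as_posix())
    for paths in findings.values():
        paths.sort()  # deterministic order for reporting
    return findings


def original_name(encrypted_name: str) -> str:
    """Recover the pre-encryption file name by stripping the '.exo' marker.
    Only the name comes back; the contents remain AES-encrypted."""
    if not encrypted_name.lower().endswith(ENCRYPTED_SUFFIX):
        raise ValueError(f"{encrypted_name!r} does not carry the {ENCRYPTED_SUFFIX} marker")
    return encrypted_name[: -len(ENCRYPTED_SUFFIX)]


def build_sample_tree(root: Path) -> None:
    """Constructed sample layout (not real artefacts) mimicking an infected user profile."""
    layout = {
        "Documents/report.docx.exo": b"",                    # encrypted user file
        "Pictures/holiday.jpg.exo": b"",                     # encrypted user file
        "Desktop/UnlockYourFiles0.txt": b"All files have been infected\n",
        "Desktop/UnlockYourFiles49.txt": b"All files have been infected\n",
        "Desktop/UnlockYourFiles50.txt": b"",                # index outside 0-49: not a note
        "Documents/notes.txt": b"untouched\n",               # clean file
        "Downloads/Atchbo Ransomware2.0v.exe": b"",          # name only; empty placeholder file
    }
    for rel, content in layout.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(content)


def demo() -> Dict[str, List[str]]:
    """Build the sample tree in a temporary directory and sweep it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        return sweep(root)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {len(paths)}")
        for p in paths:
            print("   ", p)
```

Pointing `sweep()` at a real profile directory instead of the constructed tree gives the list of encrypted files (and their original names via `original_name()`) that must be restored from backup, plus the locations where notes were dropped; note that the index check deliberately ignores names outside the 0-49 range the write-up gives.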
Dealing with the Atchbo Ransomware
The best way to deal with the Atchbo Ransomware and similar threats is to use backup copies to restore the affected files. Unfortunately, once the Atchbo Ransomware encrypts a file, it cannot be decrypted without the decryption key. A combination of file backups and a reliable security program is the best solution to an Atchbo Ransomware infection.