
BACKJOHN Ransomware

Cybersecurity researchers have come across a new dangerous malware threat tracked as BACKJOHN. The ransomware has been observed to encrypt data, modify the filenames of all encrypted files, and create two ransom notes in the form of 'info.hta' and 'info.txt' files. BACKJOHN's code and behavior indicate that the threat is part of the Phobos ransomware family.

The ransomware is observed to create a victim's ID for each breached device and append it to the names of all encrypted files. In addition, BACKJOHN adds an email address belonging to the attackers and a '.BACKJOHN' extension to the original file names. For example, it changes '1.doc' to '1.doc.id[9ECFA84E-3143].[backjohn131@gmail.com].BACKJOHN', '2.jpg' to '2.png.id[9ECFA84E-3143].[backjohn131@gmail.com].BACKJOHN', and so on. The email address used by BACKJOHN for communication is 'backjohn131@gmail.com'.
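As an added example (not part of the original write-up), the following Python triage helper decodes the filename scheme described above and flags the two ransom-note filenames in a directory listing, so a responder can recover original names and the victim ID from a list of paths. The exact shape of the victim ID (8 hex digits, a dash, 4 hex digits) is assumed from the page's example '9ECFA84E-3143'; the sample listing is constructed.

```python
import re

# Filename scheme described in the write-up:
#   <original name>.id[<victim ID>].[<attacker e-mail>].BACKJOHN
# The ID format (8 hex digits, dash, 4 hex digits) is assumed from the page's
# example "9ECFA84E-3143"; adjust if samples show a different shape.
BACKJOHN_RE = re.compile(
    r"^(?P<original>.+)"
    r"\.id\[(?P<victim_id>[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4})\]"
    r"\.\[(?P<email>[^\]]+)\]"
    r"\.BACKJOHN$"
)
RANSOM_NOTE_NAMES = {"info.hta", "info.txt"}  # note filenames named in the write-up

def parse_backjohn_name(name: str):
    """Decode a BACKJOHN-style filename into its fields, or None if it does not match."""
    m = BACKJOHN_RE.match(name)
    return m.groupdict() if m else None

def triage(paths):
    """Summarise a file listing: decoded encrypted files, distinct victim IDs, ransom notes."""
    encrypted, notes = [], []
    for path in paths:
        base = path.rsplit("/", 1)[-1]
        if base.lower() in RANSOM_NOTE_NAMES:
            notes.append(path)
            continue
        parsed = parse_backjohn_name(base)
        if parsed:
            encrypted.append(parsed)
    return {
        "encrypted": encrypted,
        "victim_ids": sorted({e["victim_id"] for e in encrypted}),
        "notes": notes,
    }

# Constructed sample listing (not real victim data); the ID follows the page's example.
SAMPLE_LISTING = [
    "docs/1.doc.id[9ECFA84E-3143].[backjohn131@gmail.com].BACKJOHN",
    "docs/2.jpg.id[9ECFA84E-3143].[backjohn131@gmail.com].BACKJOHN",
    "docs/info.txt",
    "docs/info.hta",
    "docs/report.BACKJOHN",  # extension alone, no ID block: not the described scheme
    "docs/notes.txt",
]

if __name__ == "__main__":
    print(triage(SAMPLE_LISTING))
```

Several distinct victim IDs in one listing would indicate files copied in from more than one infected host, which is worth knowing before restoring from backup.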

BACKJOHN Ransomware Renders Most Files Unusable

The ransom note left by the BACKJOHN ransomware instructs the victim to contact the attacker at the email address backjohn131@gmail.com, with a specific ID included in the message title. If the attacker does not respond within 24 hours, the victim is directed to send a message to backjohn@tutanota.com.

The attacker demands payment in Bitcoins in exchange for the decryption of the victim's files, with the amount depending on how quickly the victim contacts the attacker. As a guarantee before payment, the note offers free decryption of up to five files, with restrictions on file size and type.

Additionally, the note warns the victim against renaming the encrypted files or attempting decryption with third-party software, as this may result in permanent data loss or increased ransom costs. The attacker has set up clear instructions for the victim to follow, with consequences for non-compliance.

Protecting Your Data from Ransomware Threats is Crucial

To safeguard their devices and data from ransomware attacks, users can implement a combination of preventive and reactive measures. These measures involve raising awareness, taking precautions, and being prepared to respond to potential threats.

Preventive measures include keeping software and operating systems updated, using anti-virus and anti-malware software, and being cautious when downloading files or clicking on links in emails or messages. Users should also avoid opening suspicious attachments or emails from unknown senders and should use strong passwords and multi-factor authentication when available.

In addition to preventive measures, users should also be prepared to respond to potential attacks. This involves regularly backing up important data to an external source and testing backup recovery processes to ensure they are functional. Users should also have a plan in place for responding to ransomware attacks, including knowing who to contact and what steps to take in the event of an attack.

Lastly, raising awareness among family, friends, and coworkers can help to prevent the spread of ransomware attacks. Educating others about the risks associated with ransomware attacks and how to identify and respond to them can go a long way in safeguarding not only individual devices and data but entire networks and systems as well.

The full text of BACKJOHN Ransomware's ransom-demanding message is:

All your files have been encrypted!
All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail backjohn131@gmail.com
Write this ID in the title of your message -
In case of no answer in 24 hours write us to this e-mail:backjohn@tutanota.com
You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the tool that will decrypt all your files.
Free decryption as guarantee
Before paying you can send us up to 5 files for free decryption. The total size of files must be less than 4Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.)
How to obtain Bitcoins
The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price.
hxxps://localbitcoins.com/buy_bitcoins
Also you can find other places to buy Bitcoins and beginners guide here:
hxxp://www.coindesk.com/information/how-can-i-buy-bitcoins/
Attention!
Do not rename encrypted files.
Do not try to decrypt your data using third party software, it may cause permanent data loss.
Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

The text file dropped by the threat contains the following message:

!!!All of your files are encrypted!!!
To decrypt them send e-mail to this address: backjohn131@gmail.com.
If we don't answer in 24h., send e-mail to this address: backjohn@tutanota.com
