
Baxter Ransomware

Like most ransomware, the goal of the cybercriminals behind the Baxter Ransomware is to infect the users' computers and then let their ransomware creation encrypt the data stored there. Users will find themselves unable to access any of their files - documents, PDFs, archives, databases, pictures, photos, etc. The Baxter Ransomware is a new threat from the VoidCrypt Ransomware family.

All encrypted files will have their names modified drastically. The Baxter Ransomware follows a complex naming pattern - it appends an email address (karusjok@gmail.com), followed by a random string, and finally '.baxter' as a new file extension. Upon completing the file encryption, the threat will then deliver its ransom note. The instructions from the hackers will be placed inside text files named 'Decrypt-info.txt'.

According to the note, the most important step that Baxter Ransomware's victims must take is to find a file named 'prvkey*.txt.key' (the asterisk might be a number in the specific file). The location for that file is supposed to be C:\ProgramData\. Tampering with this file in any way could render the encrypted files unsalvageable. After locating the file, users are told to send it via the provided email address, 'karusjok@gmail.com', or Telegram account, '@karuus'. Baxter Ransomware's victims can also send a single locked file that will then supposedly be decrypted for free.

The full text of the ransom note dropped by the threat is:

'All Your Files Has Been Encrypted

You Have to Pay to Get Your Files Back

1-Go to C:\ProgramData\ or in Your other Drives and send us prvkey*.txt.key file , * might be a number (like this : prvkey3.txt.key)
2-You can send some file little than 1mb for Decryption test to trust us But the test File should not contain valuable data
3-Payment should be with Bitcoin
4-Changing Windows without saving prvkey.txt.key file will cause permanete Data loss

Our Email:karusjok@gmail.com
in Case of no Answer:telegram id: @karuus
'
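
A read-only triage script for the indicators described above (the '.baxter' extension, the 'Decrypt-info.txt' note and the 'prvkey*.txt.key' file), added here as an example and not taken from the original article or any vendor tool. The function names are hypothetical, and because the article does not give the exact separators inside renamed files, the script matches on the extension alone and only counts names that also contain the contact address.

```python
import fnmatch
import hashlib
import pathlib
import tempfile

# Indicators from the article: extension, contact address, note name, key file.
ENCRYPTED_EXT = ".baxter"
CONTACT_EMAIL = "karusjok@gmail.com"
NOTE_NAME = "decrypt-info.txt"
KEY_PATTERN = "prvkey*.txt.key"


def classify(name):
    """Return 'key', 'note', 'encrypted' or None for a bare file name."""
    lower = name.lower()
    if fnmatch.fnmatchcase(lower, KEY_PATTERN):
        return "key"
    if lower == NOTE_NAME:
        return "note"
    return "encrypted" if lower.endswith(ENCRYPTED_EXT) else None


def triage(root):
    """Walk root without modifying anything; group hits by indicator type."""
    report = {"key": [], "note": [], "encrypted": [], "email_in_name": 0}
    for path in pathlib.Path(root).rglob("*"):
        kind = classify(path.name) if path.is_file() else None
        if kind is None:
            continue
        entry = str(path)
        if kind == "key":
            # Hash the key file so later tampering with it can be detected.
            entry = (entry, hashlib.sha256(path.read_bytes()).hexdigest())
        elif kind == "encrypted" and CONTACT_EMAIL in path.name.lower():
            report["email_in_name"] += 1
        report[kind].append(entry)
    return report


def demo():
    """Constructed sample tree; the separators inside the name are assumed."""
    names = ["ProgramData/prvkey3.txt.key", "docs/Decrypt-info.txt",
             "docs/a.pdf.karusjok@gmail.com.X1Y2.baxter", "docs/untouched.txt"]
    with tempfile.TemporaryDirectory() as root:
        for rel in names:
            full = pathlib.Path(root, rel)
            full.parent.mkdir(parents=True, exist_ok=True)
            full.write_bytes(b"constructed sample")
        return triage(root)
```

On an affected host, `triage` would be pointed at a mounted copy of the disk, and the recorded key-file hash kept with the incident notes before any reinstall.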
