
bH4T Ransomware

The bH4T Ransomware is a new Dharma variant that shows few differences from the other threats in the same ransomware family. The two aspects that set it apart are the unique extension it appends to encrypted files and the email addresses the attackers provide as points of contact. In terms of functionality, bH4T may carry no meaningful modifications, but that does not detract from its destructive capability: the encryption routine is the same one every other Dharma build uses.

The bH4T Ransomware uses strong encryption to 'lock' the files stored on the compromised system. Users can no longer access or use their private or business files, as the threat targets audio, video, MS Office documents, backups, spreadsheets, photos, archives and more. As is typical for Dharma variants, bH4T changes the names of the files it encrypts drastically. The malware appends to the original filename a string representing the victim's unique ID, then one of the criminals' email addresses, and finally its own extension. For bH4T specifically, the email placed in the file names is 'blackhat@iname.com' and the extension is '.bH4T'. The ransom instructions are delivered in two forms: as text files named 'FILES ENCRYPTED.txt' and as a pop-up window displayed on the screen of the compromised system.
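The naming scheme described above is itself a usable indicator during incident triage: the victim ID, the contact email and the variant extension are all stamped into every encrypted file name, and the same ID appears in the ransom note. The following script is an added example written for this page, not code from the original write-up or from the malware itself. It assumes the usual Dharma layout `<name>.id-<8 hex>.[<email>].<ext>` (the order is what the text describes; the exact delimiters are an assumption), and the directory listing and note excerpt it scans are constructed samples.

```python
import re
from collections import Counter

# Dharma-style encrypted file name:
#   <original name>.id-<8 hex chars>.[<attacker email>].<variant extension>
# The order (ID, email, extension) is what the write-up describes; the exact
# delimiters follow the layout seen in other Dharma builds and are an assumption.
DHARMA_NAME = re.compile(
    r"^(?P<original>.+?)"
    r"\.id-(?P<victim_id>[0-9A-Fa-f]{8})"
    r"\.\[(?P<email>[^\]]+)\]"
    r"\.(?P<ext>[A-Za-z0-9]+)$"
)

# Ransom note dropped by this variant, per the write-up.
RANSOM_NOTE_NAMES = {"FILES ENCRYPTED.txt"}

# The note tells the victim to quote an 8-character ID in the mail subject.
NOTE_ID = re.compile(r"Write this ID in the title of your message\s+([0-9A-Fa-f]{8})")


def parse_encrypted_name(name):
    """Split a Dharma-style file name into its parts, or return None if it does not match."""
    m = DHARMA_NAME.match(name)
    return m.groupdict() if m else None


def note_victim_id(note_text):
    """Extract the victim ID from the text of FILES ENCRYPTED.txt, or None."""
    m = NOTE_ID.search(note_text)
    return m.group(1) if m else None


def triage(paths):
    """Summarise Dharma indicators found in a list of file paths (forward slashes)."""
    encrypted, notes = [], []
    for path in paths:
        base = path.rsplit("/", 1)[-1]
        if base in RANSOM_NOTE_NAMES:
            notes.append(path)
            continue
        parsed = parse_encrypted_name(base)
        if parsed:
            parsed["path"] = path
            encrypted.append(parsed)
    return {
        "encrypted_files": encrypted,
        "ransom_notes": notes,
        "victim_ids": dict(Counter(f["victim_id"] for f in encrypted)),
        "emails": dict(Counter(f["email"] for f in encrypted)),
        "extensions": dict(Counter(f["ext"] for f in encrypted)),
    }


def note_matches_files(note_text, paths):
    """True when the ID in the note is the one stamped into every encrypted file name."""
    summary = triage(paths)
    nid = note_victim_id(note_text)
    return nid is not None and set(summary["victim_ids"]) == {nid}


# Constructed sample directory listing (not real victim data).
SAMPLE_LISTING = [
    "C:/Users/alice/Documents/budget.xlsx.id-C279F237.[blackhat@iname.com].bH4T",
    "C:/Users/alice/Documents/FILES ENCRYPTED.txt",
    "C:/Users/alice/Pictures/holiday.jpg.id-C279F237.[blackhat@iname.com].bH4T",
    "C:/Users/alice/Pictures/notes.txt",
    "C:/Users/alice/Desktop/report.docx.id-C279F237.[blackhat@iname.com].bH4T",
]

# Constructed excerpt of the note, taken from the text quoted on this page.
SAMPLE_NOTE = (
    "All your files have been encrypted!\n"
    "Write this ID in the title of your message C279F237\n"
)


if __name__ == "__main__":
    summary = triage(SAMPLE_LISTING)
    print(len(summary["encrypted_files"]), "encrypted files;",
          len(summary["ransom_notes"]), "ransom notes")
    print("victim IDs:", summary["victim_ids"], "emails:", summary["emails"],
          "extensions:", summary["extensions"])
    print("note ID matches file names:", note_matches_files(SAMPLE_NOTE, SAMPLE_LISTING))
```

Run it over a real listing (for example the output of `dir /s /b` copied off the affected host) and the counts tell you how far the encryption got, which mailbox the operator is using, and whether every encrypted file carries the same victim ID; a mismatch between the note ID and the file names usually means more than one infection or a tampered note. Recovering the original name from the parsed `original` field helps with inventory and restore planning, but it does not recover the contents.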

The text files contain a brief message that mainly tells affected users to contact the attackers through the provided email addresses, 'blackhat@iname.com' and 'Inamehat@cock.li'. The pop-up window gives a little more detail. It states that the second address should be used if the victim receives no reply within 24 hours of writing to the first one. Furthermore, exactly one file, no larger than 1MB, can be attached to be decrypted for free as a 'guarantee'. As for the price demanded for the possible restoration of the encrypted data, it is said to depend on how quickly the victim makes contact. Note that the free decryption of a single small file proves only that the attackers hold a working key; it is no guarantee that a purchased tool will recover every file.

The instructions found in the text files are:

All your files have been encrypted!
All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail blackhat@iname.com
Write this ID in the title of your message C279F237
In case of no answer in 24 hours write us to these e-mails: Inamehat@cock.li
You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files.
Free decryption as guarantee
Before paying you can send us up to 1 file for free decryption. The total size of files must be less than 1Mb (non archived), and files should not contain valuable information. (databases, backups, large excel sheets, etc.)
How to obtain Bitcoins
The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price.
https://localbitcoins.com/buy_bitcoins
Also you can find other places to buy Bitcoins and beginners guide here:
http://www.coindesk.com/information/how-can-i-buy-bitcoins/
Attention!
Do not rename encrypted files.
Do not try to decrypt your data using third party software, it may cause permanent data loss.
Decryption of your files with the help of third parties may cause increased price (they add their fee to ours) or you can become a victim of a scam.

What Is bH4T Ransomware, and How Did It Get on My Computer?

The bH4T ransomware is a new variant of the Dharma ransomware and works like earlier Dharma versions: once running, it encrypts the victim's files and drops its ransom notes. A configurable Dharma builder is offered on underground (deep web) markets so that buyers can produce their own custom variant, which is why so many versions exist in the wild. Creating a new Dharma strain is not much of a challenge for anyone with the money. The ease with which Dharma can be obtained also means that it is often impossible to attribute attacks to a specific group, as is the case with bH4T.

Ransomware of this kind typically spreads in the same ways, most often through infected files. The criminals take popular Office formats and embed malicious macro scripts in them; the scripts are written to drop or download the ransomware and run it. When the recipient opens the document, it prompts them to enable macros in order to see the contents correctly. In reality, enabling macros is what starts the infection.
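A mail gateway or triage script can catch the macro lure described above by looking at the document's contents rather than its extension: modern Office files are zip containers, and a VBA project always lives under a fixed part name inside them, while legacy binary files carry a distinctive OLE2 signature. The following Python is an added example for this page, not code from the original write-up or from any product; the Office samples it inspects are minimal constructed archives, not real malware.

```python
import io
import zipfile

# Legacy binary Office files (.doc/.xls/.ppt) are OLE2 compound files with this signature.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"

# Modern Office files are zip archives (OOXML). A VBA project, if present, is
# stored under one of these fixed part names regardless of the file extension.
VBA_PARTS = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")


def find_vba_parts(data):
    """Return the VBA project parts inside an OOXML document, or [] if none or not a zip."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
    except zipfile.BadZipFile:
        return []
    return [p for p in VBA_PARTS if p in names]


def classify(data):
    """Classify document bytes by content, not by extension:
    'vba-macro'  - OOXML container carrying a VBA project
    'ole-binary' - legacy OLE2 file; may hold VBA, needs an OLE parser (e.g. olevba) to tell
    'no-vba'     - anything else"""
    if data.startswith(OLE_MAGIC):
        return "ole-binary"
    if find_vba_parts(data):
        return "vba-macro"
    return "no-vba"


def _build_ooxml(parts):
    """Construct a minimal OOXML-like zip in memory for the samples below."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        for name, body in parts.items():
            zf.writestr(name, body)
    return buf.getvalue()


# Constructed samples (not real malware). The macro-bearing file is deliberately
# named .docx: the extension lies, the content does not.
SAMPLES = {
    "invoice.docx": _build_ooxml({"word/document.xml": "<w:document/>",
                                  "word/vbaProject.bin": b"\x00" * 32}),
    "report.docx": _build_ooxml({"word/document.xml": "<w:document/>"}),
    "old_invoice.doc": OLE_MAGIC + b"\x00" * 24,
    "readme.txt": b"just text",
}


def scan(samples):
    """Map each file name to its classification."""
    return {name: classify(data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, verdict in scan(SAMPLES).items():
        print(f"{name:18} {verdict}")
```

The `vba-macro` verdict is exact: an OOXML file without `vbaProject.bin` cannot run VBA. The `ole-binary` verdict is only a flag, because the legacy format needs a proper OLE parser such as oletools' olevba to confirm whether a VBA stream is present; in a gateway policy those files are worth quarantining for deeper inspection rather than passing on the strength of a `.doc` extension.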

A related method is the application bundle. Attackers package popular software together with the ransomware so that it is installed alongside the legitimate program; be wary of extra applications included in a download package when installing freeware. Hackers also distribute the malicious file on its own, disguised as an executable, add-on, patch or similar file.

Hackers routinely use phishing and social engineering to trick people into believing they are accessing legitimate content. They deliver the malware through websites and phishing emails designed to mimic official correspondence from legitimate companies, copying the writing style and design and using look-alike domains. The ransomware can also spread through social media networks, chat rooms and file-sharing websites.
