
BITCOINPAYMENT Ransomware

A variant of the Phobos malware family, the BITCOINPAYMENT Ransomware targets the data of its victims and renders it unusable with a strong encryption routine. The operators of the threat then attempt to extort the affected users or companies for money. Although the BITCOINPAYMENT Ransomware shows no significant improvements or modifications compared to other Phobos variants, its destructive potential should not be underestimated.

In general, the BITCOINPAYMENT Ransomware follows the established Phobos behavior. It modifies the names of the encrypted files by appending an ID string, an email address and a new extension. The ID string is generated for each victim, while the email address and the extension are fixed: 'cleverhorse@protonmail.com' and '.BITCOINPAYMENT'. Once all targeted data has been locked, the BITCOINPAYMENT Ransomware drops two files on the breached device, named 'info.hta' and 'info.txt'.
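The three naming facts above (a per-victim ID, the fixed e-mail, the fixed extension) plus the two note filenames are enough to triage a share or a disk image during incident response: count what was encrypted, recover the original filenames and extensions, collect the victim IDs seen, and locate every dropped note. The following is an added example written for this page, not code from the malware authors or from any vendor tool. It assumes the common Phobos suffix layout `<original>.id[<victim-id>].[<e-mail>].BITCOINPAYMENT`, which the page does not spell out, and falls back to a looser match (e-mail present, extension last) when that layout does not fit. The directory it scans is constructed inline.

```python
import os
import re
import tempfile
from collections import Counter

OPERATOR_EMAIL = "cleverhorse@protonmail.com"  # stated on the page
NEW_EXTENSION = ".BITCOINPAYMENT"              # stated on the page
NOTE_NAMES = {"info.hta", "info.txt"}          # stated on the page

# Assumed layout of the appended suffix (typical of Phobos builds, not stated
# on the page): <original>.id[<victim-id>].[<e-mail>].BITCOINPAYMENT
STRICT_RE = re.compile(
    r"^(?P<original>.+?)\.id\[(?P<victim_id>[^\]]+)\]\.\["
    + re.escape(OPERATOR_EMAIL) + r"\]" + re.escape(NEW_EXTENSION) + r"$"
)


def parse_encrypted_name(name):
    """Return (original_name, victim_id) for a file renamed by the threat,
    or None. Names that carry the e-mail and extension but not the assumed
    id[...] layout still count, with victim_id set to None."""
    m = STRICT_RE.match(name)
    if m:
        return m.group("original"), m.group("victim_id")
    if name.endswith(NEW_EXTENSION) and OPERATOR_EMAIL in name:
        original = name[: name.index(OPERATOR_EMAIL)].rstrip(".[")
        return original, None
    return None


def scan_tree(root):
    """Walk a directory tree and summarise what the renaming pattern reveals."""
    summary = {
        "encrypted": 0,             # files carrying the e-mail + extension
        "victim_ids": set(),        # distinct IDs parsed from the strict layout
        "original_extensions": Counter(),  # what kinds of data were hit
        "note_paths": [],           # every info.hta / info.txt found
        "untouched": 0,             # files with no sign of the rename
    }
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() in NOTE_NAMES:
                summary["note_paths"].append(os.path.join(dirpath, name))
                continue
            parsed = parse_encrypted_name(name)
            if parsed is None:
                summary["untouched"] += 1
                continue
            original, victim_id = parsed
            summary["encrypted"] += 1
            summary["original_extensions"][os.path.splitext(original)[1].lower()] += 1
            if victim_id:
                summary["victim_ids"].add(victim_id)
    summary["note_paths"].sort()
    summary["victim_ids"] = sorted(summary["victim_ids"])
    summary["original_extensions"] = dict(summary["original_extensions"])
    return summary


def build_sample_tree():
    """Constructed sample layout (not a real infection) for a dry run.
    The victim ID and file names are made up for illustration."""
    root = tempfile.mkdtemp(prefix="phobos-triage-")
    suffix = ".id[1A2B3C4D-1234].[" + OPERATOR_EMAIL + "]" + NEW_EXTENSION
    layout = {
        "docs/report.docx" + suffix: b"",
        "docs/budget.xlsx" + suffix: b"",
        "docs/info.txt": b"constructed note placeholder",
        "docs/info.hta": b"constructed note placeholder",
        "info.hta": b"constructed note placeholder",
        "pics/holiday.jpg": b"untouched",
        "README.md": b"untouched",
    }
    for rel, data in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    return root


def demo_summary():
    """Scan the constructed tree and return the summary dictionary."""
    return scan_tree(build_sample_tree())


if __name__ == "__main__":
    for key, value in demo_summary().items():
        print(f"{key}: {value}")
```

Run it against the root of an affected share instead of the constructed tree to get a first count of encrypted files, the original extensions (which tells you whether backups, databases or documents were hit) and the location of every note before any file is moved or renamed.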

The text file contains instructions on how the affected victims can contact the attacker's Jabber account to receive further details. It also mentions that up to 3 encrypted files with a total size of less than 10MB can be sent to be decrypted for free. However, the full ransom note is displayed in a pop-up window generated from the hta file. Here, the cybercriminals clarify that only payments made using the Bitcoin cryptocurrency will be accepted. As for the size of the demanded ransom, it will apparently be based on the time it takes the victims to establish contact.

The full text of the message shown as a pop-up window is:

'All your files have been encrypted!

All your files have been encrypted due to a security problem with your PC. If you want to restore them, write to us at the e-mail cleverhorse@protonmail.com
Write this ID in the title of your message -
If there is no response from our mail, you can install the Jabber client and write to us in support of cleverhorse@xmpp.jp
You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the tool that will decrypt all your files.

Free decryption as guarantee
Before paying you can send us up to 1-3 files for free decryption. The total size of files must be less than 10Mb (non archived), and files should not contain valuable information. (databases, backups, large excel sheets, etc.)

How to obtain Bitcoins
The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price.
hxxps://localbitcoins.com/buy_bitcoins
Also you can find other places to buy Bitcoins and beginners guide here:
hxxp://www.coindesk.com/information/how-can-i-buy-bitcoins/

Jabber client installation instructions:
Download the jabber (Pidgin) client from hxxps://pidgin.im/download/windows/
After installation, the Pidgin client will prompt you to create a new account.
Click "Add"
In the "Protocol" field, select XMPP
In "Username" - come up with any name
In the field "domain" - enter any jabber-server, there are a lot of them, for example - exploit.im
Create a password
At the bottom, put a tick "Create account"
Click add
If you selected "domain" - exploit.im, then a new window should appear in which you will need to re-enter your data:
User
password
You will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below)
If you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - hxxps://www.youtube.com/results?search_query=pidgin+jabber+install

Attention!
Do not rename encrypted files.
Do not try to decrypt your data using third party software, it may cause permanent data loss.
Decryption of your files with the help of third parties may cause increased price (they add their fee to ours) or you can become a victim of a scam.

The text file contains the following instructions:

Want to return your files? Write to our xmpp account - cleverhorse@xmpp.jp
The easiest way - register here hxxps://www.xmpp.jp/signup
After that download the pidgin client hxxps://pidgin.im/
Press Add account, choose protocol xmpp and put the username from xmpp.jp where you signed up
Domain - xmpp.jp
Put your password and press add
When you log in press Buddies --> Add Buddy --> and in Buddy's username put cleverhorse@xmpp.jp
After you will see the added account cleverhorse@xmpp.jp, click twice on it and write your message
You can send us 1-3 test files. The total size of files must be less than 10Mb (non archived),
we will decrypt them and send them to you to show that we are real
If you have a problem with xmpp you can write to our mail cleverhorse@protonmail.com'
