
Calix Ransomware

Malware researchers have detected a Phobos Ransomware variant that is lurking in the wild. Called the Calix Ransomware, the threat is capable of causing significant damage to any computer it manages to infect. The Calix Ransomware achieves its destructive potential via an encryption process that locks all of the most widely used filetypes - documents, PDFs, photos, audio, video, databases, archives, etc. The malware then extorts its victims for money in exchange for the potential restoration of the data.

Calix Ransomware's Details

Despite being just another variant in the Phobos Ransomware family, the Calix Ransomware shouldn't be underestimated. The strong encryption algorithm it employs ensures that any affected files will remain inaccessible and unusable without the attackers' key. The threat also renames every file it encrypts: a unique ID string assigned to the victim, followed by an email address, and finally a new file extension are appended to the original filename. The email address of the hackers is 'painplain98@protonmail.com,' while the new extension for the files is '.calix.' When all of the targeted files on the breached system are encrypted, the Calix Ransomware drops its ransom notes. The main message is displayed in a pop-up window generated from an 'info.hta' file, while a shorter version is delivered inside an 'info.txt' file.

Neither of the notes mentions the exact sum demanded by the cybercriminals. However, the pop-up window states that the ransom amount will depend on how quickly the Calix Ransomware's victims initiate contact. The money must be transferred in the Bitcoin cryptocurrency. Both notes reiterate the 'painplain98@protonmail.com' email address, but they also provide a secondary one, 'patern32@protonmail.com,' which should be used if 24 hours pass without an answer.

The email message must contain the ID string found inside the note and can have up to 5 encrypted files attached to it. The files shouldn't exceed a combined size of 4MB. The hackers will supposedly decrypt and then return the unlocked files to the victim.

The full text of the ransom note displayed in the pop-up window is:

'All your files have been encrypted!
All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail painplain98@protonmail.com
Write this ID in the title of your message 1E857D00-2451
In case of no answer in 24 hours write us to this e-mail:patern32@protonmail.com
You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the tool that will decrypt all your files.
Free decryption as guarantee
Before paying you can send us up to 5 files for free decryption. The total size of files must be less than 4Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.)
How to obtain Bitcoins
The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price.
https://localbitcoins.com/buy_bitcoins
Also you can find other places to buy Bitcoins and beginners guide here:
http://www.coindesk.com/information/how-can-i-buy-bitcoins/
Attention!
Do not rename encrypted files.
Do not try to decrypt your data using third party software, it may cause permanent data loss.
Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.
'

The instructions inside the text file are:

'!!!All of your files are encrypted!!!
To decrypt them send e-mail to this address: painplain98@protonmail.com.
If we don't answer in 24h., send e-mail to this address: patern32@protonmail.com.'
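The rename pattern and the note contents described above are the indicators a responder would look for when confirming a Calix infection. The following Python script is an added example for that triage step; it is not code from the original article or from the malware itself. It assumes the Phobos family's bracketed layout for renamed files, `<original name>.id[<victim id>].[<email>].calix`, which the article describes only in general terms, and the file listing and note excerpt it scans are constructed sample data, not real victim data.

```python
"""Triage helper for a Calix (Phobos family) ransomware incident.

Added example: scans a file listing for the Calix rename pattern and pulls
contact/ID indicators out of a ransom note. The bracketed layout
".id[<victim id>].[<email>].calix" is ASSUMED from the Phobos family
convention; the sample paths and note excerpt below are constructed.
"""
import re
from collections import Counter

# Indicators taken from the article: extension, contact addresses, note names.
CALIX_EXTENSION = ".calix"
KNOWN_EMAILS = {"painplain98@protonmail.com", "patern32@protonmail.com"}
NOTE_FILENAMES = {"info.hta", "info.txt"}

# <original name>.id[<victim id>].[<email>].calix  (bracket layout assumed)
ENCRYPTED_NAME_RE = re.compile(
    r"^(?P<original>.+?)"
    r"\.id\[(?P<victim_id>[0-9A-Fa-f]{8}-\d{4})\]"
    r"\.\[(?P<email>[^\]\s]+@[^\]\s]+)\]"
    + re.escape(CALIX_EXTENSION)
    + r"$"
)

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
ID_RE = re.compile(r"\b[0-9A-F]{8}-\d{4}\b")


def parse_encrypted_name(filename):
    """Return original name, victim id and email for a Calix-renamed file,
    or None if the name does not follow the full pattern."""
    m = ENCRYPTED_NAME_RE.match(filename)
    return m.groupdict() if m else None


def extract_note_indicators(note_text):
    """Pull contact e-mails and victim IDs out of a ransom note body."""
    emails = sorted(set(EMAIL_RE.findall(note_text)))
    ids = sorted(set(ID_RE.findall(note_text)))
    return {
        "emails": emails,
        "known_calix_emails": sorted(e for e in emails if e in KNOWN_EMAILS),
        "victim_ids": ids,
    }


def triage(paths):
    """Summarise a file listing: files renamed by Calix, ransom notes dropped,
    and the distinct victim IDs / e-mails seen in the renamed files."""
    encrypted, notes, ids, emails = [], [], Counter(), Counter()
    for path in paths:
        name = path.rsplit("/", 1)[-1]
        if name.lower() in NOTE_FILENAMES:
            notes.append(path)
            continue
        parsed = parse_encrypted_name(name)
        if parsed:
            encrypted.append(path)
            ids[parsed["victim_id"]] += 1
            emails[parsed["email"]] += 1
    return {
        "encrypted_files": encrypted,
        "ransom_notes": notes,
        "victim_ids": dict(ids),
        "emails": dict(emails),
        # A contact address not in the article may indicate a different variant.
        "unknown_email_seen": any(e not in KNOWN_EMAILS for e in emails),
    }


# Constructed sample listing (not real victim data).
SAMPLE_PATHS = [
    "C:/Users/alice/Documents/report.docx.id[1E857D00-2451].[painplain98@protonmail.com].calix",
    "C:/Users/alice/Pictures/holiday.jpg.id[1E857D00-2451].[painplain98@protonmail.com].calix",
    "C:/Users/alice/Documents/info.txt",
    "C:/Users/alice/info.hta",
    "C:/Users/alice/Documents/notes.txt",          # untouched file
    "C:/Users/alice/Downloads/archive.zip.calix",  # extension only, not the full pattern
]

# Constructed excerpt modelled on the note quoted above.
SAMPLE_NOTE = (
    "All your files have been encrypted!\n"
    "write us to the e-mail painplain98@protonmail.com\n"
    "Write this ID in the title of your message 1E857D00-2451\n"
    "In case of no answer in 24 hours write us to this e-mail:patern32@protonmail.com\n"
)

if __name__ == "__main__":
    summary = triage(SAMPLE_PATHS)
    print(f"encrypted files: {len(summary['encrypted_files'])}")
    print(f"ransom notes:    {summary['ransom_notes']}")
    print(f"victim IDs:      {summary['victim_ids']}")
    print(extract_note_indicators(SAMPLE_NOTE))
```

Matching the full rename pattern rather than the bare '.calix' suffix keeps unrelated files out of the count, and collecting the victim ID from both the filenames and the note lets a responder confirm that the dropped notes belong to the same infection as the renamed files.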
