Infosec researchers have discovered a malicious program known as Carver. The Carver Ransomware belongs to the ransomware category, which means that its primary purpose is to encrypt the victim's data and then demand ransom for the supposed restoration of the files.
When executed on a device, the malware encrypts files and modifies their filenames. Specifically, it appends a unique ID, the email address of the cyber criminals, and a '.Carver' extension to each original filename. For example, a file previously named '1.doc' would appear as '1.doc.id[9ECFA84E-3455].[firstname.lastname@example.org].Carver'.
Once the encryption process is completed, Carver Ransomware will deliver two ransom notes, namely 'info.hta' in the form of a pop-up window and 'info.txt' as a text file. These notes contain instructions on how to pay the ransom and obtain the decryption key. It is important to note that Carver Ransomware is part of the infamous Phobos malware family.
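The renaming scheme and ransom note filenames described above can be used to scope an infection from a file listing. The following Python sketch is an added example, not part of the original analysis; the sample paths are constructed, and the same-directory rule for corroborating notes is an assumption of this example.

```python
import re
from pathlib import PureWindowsPath

# Naming scheme described in the article:
#   <original name>.id[<victim ID>].[<contact email>].Carver
CARVER_NAME = re.compile(
    r"^(?P<original>.+?)\.id\[(?P<victim_id>[^\]]+)\]"
    r"\.\[(?P<contact>[^\]]+)\]\.Carver$",
    re.IGNORECASE,  # Windows filenames are case-insensitive
)
NOTE_NAMES = {"info.hta", "info.txt"}  # ransom notes named in the article

# Constructed sample listing (not real telemetry).
SAMPLE = [
    r"C:\Users\alice\Documents\1.doc.id[9ECFA84E-3455].[firstname.lastname@example.org].Carver",
    r"C:\Users\alice\Documents\budget.xlsx.id[9ECFA84E-3455].[firstname.lastname@example.org].Carver",
    r"C:\Users\alice\Documents\info.txt",
    r"C:\Users\alice\Desktop\info.hta",
    r"C:\Tools\docs\info.txt",
    r"C:\Users\alice\Pictures\cat.jpg",
]


def parse_carver_name(filename):
    """Split a renamed file into original name, victim ID and contact, else None."""
    m = CARVER_NAME.match(filename)
    return m.groupdict() if m else None


def triage(paths):
    """Summarise a listing: renamed files, IDs and contacts seen, ransom notes."""
    encrypted, notes, ids, contacts, hit_dirs = [], [], set(), set(), set()
    for raw in paths:
        p = PureWindowsPath(raw)
        hit = parse_carver_name(p.name)
        if hit:
            original_path = str(p.with_name(hit["original"]))
            encrypted.append({"path": raw, "original_path": original_path})
            ids.add(hit["victim_id"])
            contacts.add(hit["contact"])
            hit_dirs.add(p.parent)
        elif p.name.lower() in NOTE_NAMES:
            notes.append(raw)
    # Assumption of this example: info.txt is a common filename, so a note is
    # only treated as corroborated when renamed files share its directory.
    corroborated = [n for n in notes if PureWindowsPath(n).parent in hit_dirs]
    return {"encrypted": encrypted, "victim_ids": ids, "contacts": contacts,
            "notes": notes, "corroborated_notes": corroborated}
```

Calling triage(SAMPLE) returns the renamed files with their recovered original paths, which helps match affected files against backups; more than one victim ID in the result means the listing contains files renamed under different IDs.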
Victims of the Carver Ransomware are Extorted for Money
The text file generated by the Carver ransomware simply informs victims that their data has been encrypted and provides instructions for contacting the attackers. Meanwhile, the pop-up window message provides more details about the decryption process. Specifically, it informs victims that they will need to pay a ransom in Bitcoin cryptocurrency to obtain the decryption key. However, the message does not specify the exact amount of the ransom but indicates that it may depend on how quickly the victim contacts the cybercriminals. Before making any payment, victims are given the option to test the decryption process within certain specifications free of charge.
The message in the pop-up window also warns against renaming the encrypted files or using third-party decryption tools, as doing so will render the data undecryptable. Based on our extensive analysis and research of thousands of ransomware infections, we can infer that decryption is typically impossible without the involvement of the attackers. The only exception might be if the ransomware is deeply flawed or still in development.
Furthermore, even if the ransom is paid, victims may not receive the promised decryption keys or software. Therefore, we strongly advise against paying the ransom and unintentionally supporting this illegal activity.
Protecting Your Devices against Threats Like the Carver Ransomware is Crucial
Ransomware infections can be devastating for users, as they can result in the loss of important data and financial losses. To protect their devices from ransomware, users can take several security measures. One of the most important measures is to keep their devices up to date with the latest security patches and updates. This will ensure that any vulnerabilities in the device's operating system or software are fixed, making it more difficult for ransomware to exploit them.
Another essential measure is to avoid clicking on doubtful links or downloading files from untrusted sources. Ransomware often spreads through malicious email attachments or links, so users should exercise caution when opening emails from unknown senders or clicking on links in emails. They should also use antivirus software to scan their devices for malware and keep it up to date with the latest virus definitions.
It's also crucial to regularly back up essential data and files to an external drive or cloud storage service. This can help users recover their data in case it gets encrypted by ransomware. Additionally, users should create strong passwords and enable two-factor authentication to secure their accounts.
Overall, protecting against ransomware requires a combination of preventative measures, such as updating software, avoiding suspicious links and attachments, and using antivirus software, as well as reactive measures, such as backing up essential data and files. By taking these steps, users can significantly reduce their risk of falling victim to a ransomware attack.
The ransom-demanding message presented in a pop-up window is:
'All your files have been encrypted!
All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail email@example.com
Write this ID in the title of your message -
You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the tool that will decrypt all your files.
Free decryption as guarantee
Before paying you can send us up to 3 files for free decryption. The total size of files must be less than 4Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.)
How to obtain Bitcoins
The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price.
Also you can find other places to buy Bitcoins and beginners guide here:
Do not rename encrypted files.
Do not try to decrypt your data using third party software, it may cause permanent data loss.
Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.'
The text file contains the following message:
'!!!All of your files are encrypted!!!
To decrypt them send e-mail to this address: firstname.lastname@example.org.'