Cipher (Proton) Ransomware

With the rise of increasingly sophisticated ransomware attacks, protecting your devices from malware threats has become more critical than ever. Ransomware, a particularly destructive type of malware, locks down vital data by encrypting it and then asks for a ransom in exchange for the decryption software. A newly discovered variant called the Cipher (Proton) Ransomware has emerged, adding to the list of threatening ransomware families targeting both individuals and organizations. Understanding how this ransomware operates and implementing strong security measures is essential for keeping your systems safe.

What Is the Cipher (Proton) Ransomware?

The Cipher (Proton) Ransomware is a fresh strain of ransomware that belongs to the notorious Proton Ransomware family. It should not be confused with older ransomware, also tracked as Cipher, as this is a separate and newer threat. Like many other ransomware variants, the Cipher (Proton) encrypts data on the victim's system, rendering files inaccessible. Victims are then forced to pay a ransom in exchange for the possibility of retrieving their files, although there's no guarantee of recovery even after payment.

Once the ransomware is deployed on a compromised system, it begins encrypting files and appending their filenames with a unique identifier. Typically, this identifier includes the attackers' email address, followed by the '.cipher' extension - a file that was originally named 1.png would appear as 1.png.[watchdogs20@tuta.io].cipher after encryption.

Ransom Notes and Communication

After completing the encryption process, the Cipher (Proton) Ransomware displays ransom notes in various forms:

  • A full-screen message appears before the log-in screen, preventing users from accessing their devices until the ransom is addressed.
  • A desktop wallpaper is changed to a ransom message.
  • A text file named '#Read-for-recovery.txt' is placed in various directories across the system.

These notes differ from the typical ransomware messages that explicitly explain the encryption and decryption process. Instead, the instructions are minimal and only urge the victims to contact the attackers using the provided email addresses. However, this lack of detail does not reduce the severity of the attack: victims are still expected to negotiate with the cybercriminals for the mere possibility of regaining access to their data.
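The two file-system artifacts described above (the '.[email].cipher' renaming pattern and the '#Read-for-recovery.txt' note) are enough to triage a host. The script below is an added example written for this page, not code from the page's author or from any vendor; it walks a directory tree, flags files whose names match the Cipher (Proton) pattern, collects the attacker email embedded in each name as an indicator, and counts ransom notes. The sample tree it builds is constructed placeholder data (harmless files with the renamed extension), not real encrypted content.

```python
import os
import re
import tempfile
from collections import Counter

# Cipher (Proton) appends "[<attacker email>].cipher" to the original name,
# e.g. "1.png.[watchdogs20@tuta.io].cipher". The regex captures the original
# name and the embedded email so both can be reported.
ENCRYPTED_NAME_RE = re.compile(
    r"^(?P<orig>.+)\.\[(?P<email>[^\]\\/]+@[^\]\\/]+)\]\.cipher$"
)

# Ransom note file name as described on the page.
RANSOM_NOTE_NAME = "#Read-for-recovery.txt"


def classify_name(name):
    """Return (original_name, email) if `name` matches the Cipher (Proton)
    naming pattern, otherwise None."""
    m = ENCRYPTED_NAME_RE.match(name)
    if not m:
        return None
    return m.group("orig"), m.group("email")


def scan_tree(root):
    """Walk `root` and report encrypted files, ransom notes and the attacker
    emails seen in encrypted file names (as a Counter)."""
    report = {"encrypted": [], "notes": [], "emails": Counter()}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name == RANSOM_NOTE_NAME:
                report["notes"].append(path)
                continue
            hit = classify_name(name)
            if hit:
                report["encrypted"].append(path)
                report["emails"][hit[1]] += 1
    return report


def build_sample_tree():
    """Construct a throwaway directory that mimics an affected host.
    All contents are placeholder bytes (constructed sample data)."""
    root = tempfile.mkdtemp(prefix="cipher_demo_")
    docs = os.path.join(root, "Documents")
    os.makedirs(docs)
    sample_names = (
        "1.png.[watchdogs20@tuta.io].cipher",
        "report.docx.[watchdogs20@tuta.io].cipher",
        "untouched.txt",           # a file the pattern must NOT flag
        RANSOM_NOTE_NAME,
    )
    for name in sample_names:
        with open(os.path.join(docs, name), "wb") as fh:
            fh.write(b"placeholder")
    # Notes are dropped in several directories; put one at the root too.
    with open(os.path.join(root, RANSOM_NOTE_NAME), "w") as fh:
        fh.write("Email 1:\nwatchdogs20@tuta.io\n")
    return root


if __name__ == "__main__":
    demo_root = build_sample_tree()
    result = scan_tree(demo_root)
    print("encrypted files:", len(result["encrypted"]))
    print("ransom notes:   ", len(result["notes"]))
    print("attacker emails:", dict(result["emails"]))
```

Running the script on a real system root instead of the constructed sample tree gives an inventory of affected files and of every contact address the strain used, which is useful both for scoping the incident and for deciding which backups to restore.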

The Dangers of Paying the Ransom

Victims of ransomware attacks, including those hit by the Cipher (Proton) Ransomware, should be aware that the ransom's payment does not guarantee file recovery. Cybercriminals often do not provide the decryption keys even after receiving payment. In many cases, victims are left without their files and are simply funding further criminal activities.

Moreover, paying a ransom encourages cybercriminals to continue their illicit operations, targeting more victims and refining their tactics. While some ransomware has flawed encryption that can be bypassed, this is rare; in most cases decryption is impossible without the attackers' cooperation. Therefore, it is recommended not to comply with ransom demands, as doing so may not resolve the issue and will perpetuate the cycle of cybercrime.

Best Security Practices to Defend against Ransomware

To protect against ransomware like Cipher (Proton), users must adopt strong security practices that reduce the likelihood of infection and minimize the damage in case of an attack. Below are some of the most effective strategies:

  1. Regular Backups: Frequent backups of vital data are essential to mitigate the damage caused by ransomware. By maintaining offline or cloud backups, you ensure that enciphered files can be restored without paying the ransom. Ensure that backups are stored in secure, separate locations to prevent them from being targeted by the ransomware itself.
  2. Keep Software and Operating Systems Updated: Ransomware often exploits vulnerabilities in outdated software and operating systems. Regular updates and patch management help protect against known security flaws. Keeping your firmware, operating system and applications up to date can prevent ransomware from exploiting weaknesses in your system.
  3. Use Strong, Up-to-Date Anti-malware Solutions: An up-to-date anti-malware solution can detect and block ransomware before it has a chance to execute. Modern anti-malware tools offer real-time scanning and ransomware protection that can isolate and neutralize threats before they spread. Regularly scan your system to identify potential risks and ensure the software has the latest virus definitions.
  4. Limit User Privileges: Restricting user privileges is crucial for reducing the risk of infection. Ensure that users only have the access levels they need to perform their tasks. Enact the rule of least privilege to prevent ransomware from gaining administrative control over your system, which can significantly limit the extent of damage in case of an infection.
  5. Implement Network Segmentation: In corporate or large-scale environments, network segmentation can diminish the spread of ransomware. By isolating critical systems and sensitive data into different network segments, you reduce the ability of ransomware to move laterally across the network.
  6. Disable Macros and Script Execution in Email Attachments: Ransomware often spreads via fraudulent email attachments containing macros or scripts. Disable macros by default and ensure that email clients are configured to block potentially dangerous file types, such as .exe and .js. Train users to recognize phishing emails and avoid accessing suspicious links or downloading unknown attachments.
  7. Enable Multi-Factor Authentication (MFA): MFA adds an additional layer of security to your accounts, making it harder for attackers to obtain unauthorized access. Even if your credentials are compromised, MFA ensures that a second form of verification is required, reducing the likelihood of ransomware spreading through Remote Desktop Protocol (RDP) or other network services.

The Cipher (Proton) Ransomware poses a serious threat to anyone who falls victim to it, with the potential to lock down critical files and demand a ransom that offers no guarantee of resolution. By understanding how this ransomware operates and implementing strong security practices, users can significantly reduce the prospect of infection and minimize the impact of any attack.

The key to protecting against ransomware lies in prevention, preparation and vigilance. Regular data backups, up-to-date security software, and mindful user practices are the cornerstone of an effective defense strategy. Taking proactive steps will help ensure that your data remains secure in the face of emerging threats like the Cipher (Proton) Ransomware.

The ransom note left to the victims of Cipher (Proton) Ransomware is:

'Email 1:
watchdogs20@tuta.io

Email 2:
watchdogs20@cock.li

Send messages to both emails at the same time

So send messages to our emails, check your spam folder every few hours

ID:
If you do not receive a response from us after 24 hours, create a valid email, for example, gmail,outlook
Then send us a message with a new email'

The message shown during log-in and as a desktop background image is:

'Email us for recovery: watchdogs20@tuta.io
In case of no answer, send to this email:
watchdogs20@cock.li
Your unqiue ID:'