Cipher Ransomware
The Cipher Ransomware can be deployed as part of attack operations to lock the data of targeted victims. Ransomware threats can typically be against individual users, as well as corporate entities. The specific targets will mostly depend on the attack type carried out by the cybercriminals. In both cases, the encryption used to lock the files found on the infected devices is strong enough to make restoration of the data without the proper decryption keys practically impossible.
As for the Cipher Ransomware specifically, the threat has been confirmed to be a variant of the MedusaLocker malware family. It affects a large number of different file types and appends '.cipher' to their names as a new extension. A ransom note will be delivered to the desktop of the breached computers in the form of an HTML file named '!-Recovery_Instructions-!.html.'
The ransom message of Cipher Ransomware's operators reveals that they are primarily focused on extorting companies. According to their claims, various, sensitive data has been exfiltrated from the victims' devices and is now available to the threat actors. If victims do not contact the attackers within 72 hours to start the negotiations process, their confidential data will supposedly be leaked to the public. The ransom note mentions two possible communication channels - via the Tox chat client and the 'Mikesupp77@outlook.com' email address.
The full text of Cipher Ransomware's demands is:
'If you get this message, your network was hacked!
After we gained full access to your servers, we first downloaded a large amount of sensitive data and then encrypted all the data stored on them.That includes personal information on your clients, partners, your personnel, accounting documents, and other crucial files that are necessary for your company to work normally.
We used modern complicated algorithms, so you or any recovery service will not be able to decrypt files without our help, wasting time on these attempts instead of negotiations can be fatal for your company.
Make sure to act within 72 hours or the negotiations will be considered failed!
Inform your superior management about what's going on.
Contact us for pricing and decryption software.
Contact us by email:
Mikesupp77@outlook.com
If you do not receive a response within 24 hours, please contact us at our additional contacts:
1) Download for TOX CHAT hxxps://tox.chat/download.html2) Open chat
Add ID Chat:
3C9D49B928FDC3C15F0314217623A71B865909 B308576B4B0D10AEA62C98677B4A3F160D5C93
If we did not answer you, leave the chat enabled, the operator will contact you!To verify the possibility of the recovery of your files we can decrypted 1-3 file for free.
Attach file to the letter (no more than 5Mb).
If you and us succeed the negotiations we will grant you:
complete confidentiality, we will keep in secret any information regarding to attack, your company will act as if nothing had happened.
comprehensive information about vulnerabilities of your network and security report.
software and instructions to decrypt all the data that was encrypted.
all sensitive downloaded data will be permanently deleted from our cloud storage and we will provide an erasure log.
Our options if you act like nothing's happening, refuse to make a deal or fail the negotiations:
inform the media and independent journalists about what happened to your servers. To prove it we'll publish a chunk of private data that you should have ciphered if you care about potential breaches. Moreover, your company will inevitably take decent reputational loss which is hard to assess precisely.
inform your clients, employees, partners by phone, e-mail, sms and social networks that you haven't prevent their data leakage. You will violate laws about private data protection.
start DDOS attack on you website and infrastructures.
personal data stored will be put on sale on the Darknet to find anyone interested to buy useful information regarding your company. It could be data mining agencies or your market competitors.
publish all the discovered vulnerabilities found in your network, so anyone will do anything with it.
Why pay us?
We care about our reputation. You are welcome to google our cases up and be sure that we don't have a single case of failure to provide what we promissed.Turning this issue to a bug bounty will save your private information, reputation and will allow you to use the security report and avoid this kind of situations in future.
Your personal ID
Your ID:'
