Infosec researchers have identified another destructive ransomware threat belonging to the Dharma ransomware family. Called Cip Ransomware, the threat follows typical Dharma behavior closely, without any significant deviations. The damage it can cause to infected computer systems should not be underestimated, though.
Cip utilizes a strong encryption algorithm to lock nearly all of its victim's files. Affected users will be prevented from accessing or using in any way their documents, PDFs, archives, databases, pictures, photos, audio and video files, etc. During the encryption process, Cip Ransomware also modifies the names of the targeted files. The threat sticks to the usual Dharma naming pattern: it keeps the original file name and first appends a character string that acts as the victim's ID, then appends an email address controlled by its operators, and finally adds '.cip' as a new file extension.
Victims will be left with two ransom notes containing instructions from the attackers. One will be placed on the compromised system's Desktop as a text file named 'info.txt.' The other note will be displayed in a new pop-up window.
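Because Dharma variants leave the original name in front of the appended ID, email and '.cip' suffix, a responder can inventory what was hit and pull the victim ID and contact addresses straight out of a directory listing. The following is an added triage example, not code from the page or from any vendor: it assumes the common Dharma layout `<name>.<ext>.id-<VICTIM_ID>.[<email>].cip` (the page itself only states the order ID, email, '.cip', so the regex also tolerates a bare ID and an unbracketed address), recognises the 'info.txt' note by name and either note by the phrases quoted on this page, and runs over a constructed sample listing rather than real victim data.

```python
import re
from collections import Counter
from pathlib import PurePosixPath

# Assumed Dharma-style naming (an assumption of this example; the page only says
# "ID, then email, then .cip"):  <name>.<ext>.id-<VICTIM_ID>.[<email>].cip
# The pattern also accepts a bare ID (no "id-" prefix) and an unbracketed email.
CIP_NAME_RE = re.compile(
    r"""^(?P<original>.+?)                          # original file name, left intact
        \.(?:id-)?(?P<victim_id>[0-9A-Za-z]{6,16})  # per-victim ID string
        \.\[?(?P<email>[^\[\]\s]+@[^\[\]\s]+)\]?    # attacker contact address
        \.cip$""",
    re.VERBOSE,
)

NOTE_FILENAMES = {"info.txt"}  # the text note named on the page
# Opening phrases of the two notes quoted on the page.
NOTE_MARKERS = ("YOUR FILES ARE ENCRYPTED", "all your data has been locked")


def parse_cip_name(filename):
    """Return {'original', 'victim_id', 'email'} for a Cip-renamed file, else None."""
    m = CIP_NAME_RE.match(filename)
    return m.groupdict() if m else None


def is_ransom_note(filename, text):
    """Flag a file as a Cip ransom note by its name or by the note phrases above."""
    if filename.lower() in NOTE_FILENAMES:
        return True
    lowered = text.lower()
    return any(marker.lower() in lowered for marker in NOTE_MARKERS)


def triage(paths, note_texts=None):
    """Summarise an incident from a file listing: which files were renamed, which
    original extensions they had, and which victim ID / contact addresses appear.
    note_texts maps a path to its contents so ransom notes can be recognised."""
    note_texts = note_texts or {}
    report = {"encrypted": [], "notes": [], "victim_ids": set(),
              "emails": set(), "by_ext": Counter()}
    for path in paths:
        name = PurePosixPath(path).name
        parsed = parse_cip_name(name)
        if parsed:
            report["encrypted"].append(path)
            report["victim_ids"].add(parsed["victim_id"])
            report["emails"].add(parsed["email"])
            ext = PurePosixPath(parsed["original"]).suffix.lower() or "(none)"
            report["by_ext"][ext] += 1
        elif is_ransom_note(name, note_texts.get(path, "")):
            report["notes"].append(path)
    return report


# Constructed sample listing (not real victim data) in the assumed layout.
SAMPLE_PATHS = [
    "/home/alice/Documents/report.docx.id-1A2B3C4D.[email@example.com].cip",
    "/home/alice/Documents/budget.xlsx.id-1A2B3C4D.[email@example.com].cip",
    "/home/alice/Pictures/holiday.jpg.id-1A2B3C4D.[email@example.com].cip",
    "/home/alice/Desktop/info.txt",
    "/home/alice/Desktop/README.md",   # untouched file, must not be flagged
    "/home/alice/notes.cip",           # '.cip' alone is not the Dharma pattern
]
SAMPLE_NOTE_TEXTS = {
    "/home/alice/Desktop/info.txt": "all your data has been locked us\nYou want to return?\n",
}

if __name__ == "__main__":
    r = triage(SAMPLE_PATHS, SAMPLE_NOTE_TEXTS)
    print(f"{len(r['encrypted'])} encrypted files, victim ID(s) {sorted(r['victim_ids'])}, "
          f"contact(s) {sorted(r['emails'])}, notes {r['notes']}")
    for ext, n in r["by_ext"].most_common():
        print(f"  {ext}: {n}")
```

The victim ID and email set are the indicators worth carrying into a blocklist or SIEM search; the per-extension count tells the response team which data classes were affected before any restore-from-backup decision is made. The regex is deliberately anchored on the full three-part suffix so a file that merely ends in '.cip' is not miscounted.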
Cip Ransomware's Demands
The goal of the threat is to extort money in exchange for restoring the victim's data. Both of its ransom notes, however, lack many of the details seen in other ransomware threats: they do not state the ransom amount, whether it must be paid in a specific cryptocurrency, or whether the attackers are willing to demonstrate their ability to decrypt the data by unlocking a couple of files for free.
Instead, the note in the text file lists the two emails that victims can use for communication - 'email@example.com' and 'firstname.lastname@example.org.' The instructions in the pop-up window are not much more helpful. Beyond repeating the same two addresses and a victim ID field, they contain only a section of warnings, such as not renaming the encrypted files or running third-party decryptors, as that could damage the data and render the files unrecoverable.
The pop-up message is:
YOUR FILES ARE ENCRYPTED
Don't worry, you can return all your files!
If you want to restore them, write to the mail: email@example.com YOUR ID -
If you have not answered by mail within 12 hours, write to us by another mail: firstname.lastname@example.org
We recommend you contact us directly to avoid overpaying agents
Do not rename encrypted files.
Do not try to decrypt your data using third party software, it may cause permanent data loss.
Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.
The note found inside the text file is:
all your data has been locked us
You want to return?
write email email@example.com or firstname.lastname@example.org