CLEAN Ransomware

CLEAN Ransomware Description

By analyzing the code and behavior of the CLEAN Ransomware, infosec researchers have determined that the threat is a variant from the Dharma Ransomware family. CLEAN operates as expected from a Dharma threat. It tries to infiltrate the targeted computer systems, initiates an encryption routine, and locks the data stored there. Afterward, the attackers try to extort the victims for money by promising to send them the required decryption key and tool, but only if they are paid the demanded ransom.

When the CLEAN Ransomware locks a file, it also changes that file's original name drastically. This is a common behavior observed in Dharma variants. The affected files will have a string representing the unique ID of the victim, an email address, and '.CLEAN' added to their names. The email address used by the CLEAN Ransomware is 'clean@onionmail.org.' The next step of the threat is to deliver its ransom note. It does so in two separate ways. One involves creating a text file named 'FILES ENCRYPTED.txt' while the other displays a message in a pop-up window.

CLEAN Ransomware's Demands

In typical Dharma fashion, CLEAN Ransomware's notes lack most of the vital details that victims would need. The text file contains only a couple of sentences telling victims to message either 'clean@onionmail.org' or 'clean@privyinternet.com,' email addresses under the control of the attackers. Although the note displayed in the pop-up window is longer, it is not much more useful, either. It repeats the same two emails but adds a section of warnings, such as a claim that renaming the encrypted files could cause permanent damage.

The text file's message is:

'all your data has been locked us
You want to return?
write email clean@onionmail.org or clean@privyinternet.com'

The pop-up window shows the following instructions:

'YOUR FILES ARE ENCRYPTED
Don't worry,you can return all your files!
If you want to restore them, follow this link:email clean@onionmail.org YOUR ID -
If you have not been answered via the link within 12 hours, write to us by e-mail:clean@privyinternet.com
Attention!
Do not rename encrypted files.
Do not try to decrypt your data using third party software, it may cause permanent data loss.
Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.
'
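The rename scheme and note file described above translate directly into file-system indicators a responder can check for. The following Python triage helper is an added example, not code from the original write-up: it parses a directory listing for names that end in '.CLEAN' and carry one of the two contact addresses, recovers the original file name and the victim ID, and separately flags the 'FILES ENCRYPTED.txt' note. The exact victim-ID format and the square brackets around the e-mail are assumptions (the write-up does not state them), and the sample listing is constructed.

```python
import re

# Indicators taken from the write-up: marker extension and ransom-note file name.
CLEAN_EXTENSION = ".CLEAN"
RANSOM_NOTE_NAME = "FILES ENCRYPTED.txt"

# Assumption: the victim ID is a dot-free token and the e-mail may or may not be
# wrapped in square brackets; the write-up specifies neither detail.
_ENCRYPTED_NAME = re.compile(
    r"^(?P<original>.+?)\.(?P<victim_id>[^.]+)\.\[?"
    r"(?P<email>clean@onionmail\.org|clean@privyinternet\.com)\]?\.CLEAN$",
    re.IGNORECASE,
)

def parse_encrypted_name(name):
    """Return {original, victim_id, email} if `name` follows the CLEAN rename scheme."""
    m = _ENCRYPTED_NAME.match(name)
    return m.groupdict() if m else None

def triage_listing(names):
    """Split a directory listing into confirmed CLEAN artefacts, .CLEAN-suffixed
    names that did not parse (review by hand) and untouched files."""
    result = {"encrypted": [], "ransom_notes": [], "suffix_only": [], "untouched": []}
    victim_ids = set()
    for name in names:
        parsed = parse_encrypted_name(name)
        if parsed:
            result["encrypted"].append(parsed)
            victim_ids.add(parsed["victim_id"])
        elif name.lower() == RANSOM_NOTE_NAME.lower():
            result["ransom_notes"].append(name)
        elif name.lower().endswith(CLEAN_EXTENSION.lower()):
            result["suffix_only"].append(name)
        else:
            result["untouched"].append(name)
    result["victim_ids"] = sorted(victim_ids)
    # Renamed files plus the note together are a strong signal; either alone is weaker.
    result["confirmed"] = bool(result["encrypted"]) and bool(result["ransom_notes"])
    return result

# Constructed sample listing (not real incident data); the ID format is assumed.
SAMPLE_LISTING = [
    "budget-2021.xlsx.id-1A2B3C4D.[clean@onionmail.org].CLEAN",
    "photo.jpg.id-1A2B3C4D.[clean@privyinternet.com].CLEAN",
    "FILES ENCRYPTED.txt",
    "notes.txt",
    "cleaner.exe",        # contains 'clean' but is not an indicator
    "archive.tar.CLEAN",  # suffix only, no contact address: flag for review
]
```

Running `triage_listing` over a real listing (for example `os.listdir` output) yields the victim IDs seen, which is useful when checking whether several hosts were hit by the same infection.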
