COPAN Ransomware

By GoldSparrow in Ransomware

Recently, a brand-new ransomware threat was spotted circulating the Web. It has been dubbed the COPAN Ransomware, and it appears to be a variant of the DCRTR-WDM Ransomware.

The infection vector used to spread the COPAN Ransomware has not been confirmed, but it is speculated that the cyber crooks responsible for this threat rely on spam email campaigns, infected pirated software and bogus application updates.

Once it has infiltrated a system, the COPAN Ransomware scans it to locate the files that will be targeted for encryption and then begins locking that data. When a file is locked, its name is changed: the COPAN Ransomware appends the ‘.COPAN’ extension to the end of the file name. For example, a file originally named ‘gray-kitty.jpeg’ will be renamed to ‘gray-kitty.jpeg.COPAN’ when the attack is through. The next step is the dropping of the ransom note. The COPAN Ransomware has two separate ransom notes.

One is called ‘HOW TO DECRYPT FILES.txt’ and is a plain text file. In it, the attackers have the audacity to call the victim ‘dear friend.’ They also give out an email address where the user is supposed to contact them – ‘’ The other ransom note is called ‘HOW TO DECRYPT FILES.hta’ and contains more information on how the victim can obtain Bitcoin so that they can pay the ransom fee (which is not specified). Interestingly enough, the Bitcoin address provided by the attackers has also been used in a variant of the Dharma Ransomware.

We strongly advise you to stay away from the creators of the COPAN Ransomware. A much safer approach would be to download and install a reputable anti-virus application and wipe the COPAN Ransomware off your system.
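For triage, the file-name indicators described above (the ‘.COPAN’ extension and the two ransom note names) can be checked with a read-only scan. The script below is an added example, not part of the original article; the function names are hypothetical, and it matches on file names only without opening any file.

```python
import os
import sys
from collections import defaultdict

# Indicators taken from the article text; compared case-insensitively.
LOCKED_SUFFIX = ".copan"
NOTE_NAMES = {"how to decrypt files.txt", "how to decrypt files.hta"}


def scan_tree(root):
    """Walk root and collect COPAN file-name indicators (read-only)."""
    locked = []   # (current path, original name before the rename)
    notes = []    # paths of dropped ransom notes
    per_dir = defaultdict(lambda: {"locked": 0, "intact": 0, "notes": 0})
    errors = []   # unreadable directories are recorded, not fatal

    for dirpath, _dirs, files in os.walk(root, onerror=errors.append):
        for name in files:
            lower = name.lower()
            full = os.path.join(dirpath, name)
            if lower in NOTE_NAMES:
                notes.append(full)
                per_dir[dirpath]["notes"] += 1
            elif lower.endswith(LOCKED_SUFFIX) and len(name) > len(LOCKED_SUFFIX):
                # 'gray-kitty.jpeg.COPAN' -> 'gray-kitty.jpeg'
                locked.append((full, name[:-len(LOCKED_SUFFIX)]))
                per_dir[dirpath]["locked"] += 1
            else:
                per_dir[dirpath]["intact"] += 1
    return {"locked": locked, "notes": notes,
            "per_dir": dict(per_dir), "errors": errors}


def summarize(result):
    """Rank affected directories by locked-file count to show the scope."""
    rows = [(d, c["locked"], c["intact"], c["notes"])
            for d, c in result["per_dir"].items() if c["locked"] or c["notes"]]
    return sorted(rows, key=lambda r: (-r[1], r[0]))


if __name__ == "__main__":
    res = scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".")
    for d, n_locked, n_intact, n_notes in summarize(res):
        print(f"{d}: locked={n_locked} intact={n_intact} notes={n_notes}")
    print(f"total locked={len(res['locked'])} notes={len(res['notes'])} "
          f"unreadable dirs={len(res['errors'])}")
```

Directories that still list intact files next to locked ones show where encryption stopped, and the recovered original names give the list of files to restore from backup.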
