Credo Ransomware Description
The Dharma Ransomware family is one of the most active, with hundreds of copies released in the past two years. Many cybercriminals spawn copies of already existing threats because this is far less time-consuming and much easier than creating a data-encrypting Trojan from scratch, and this is the case with a new file-locker, the Credo Ransomware, which belongs to the Dharma Ransomware family.
Propagation and Encryption
The Credo Ransomware is likely designed to go after a large array of filetypes, including .xls, .xlsx, .db, .zip, .rar, .midi, .mid, .mp3, .aac, .wav, .mp4, .mov, .webm, .mpeg, .doc, .docx, .txt, .pdf, .ppt, .pptx, .jpeg, .jpg, .svg, .gif, .png and others. This means that all your documents, audio files, images, presentations, databases, videos, archives, spreadsheets, and other filetypes will be targeted for encryption by the Credo Ransomware. Next, the Credo Ransomware applies an encryption algorithm to lock the targeted data. The locked files’ names are changed because the Credo Ransomware appends a ‘.id-<VICTIM-ID>.[Recovery@qbmail.biz].credo’ extension. If a file were named ‘ice-cool.mov’ initially, the Credo Ransomware would rename it to ‘ice-cool.mov.id-<VICTIM-ID>.[Recovery@qbmail.biz].credo’. It is not fully clear how the Credo Ransomware is being propagated, but it is likely that the attackers are using torrent trackers, phishing emails, fake social media posts, fraudulent application updates and downloads, malicious advertisements, and other distribution techniques.
The Ransom Note
When the Credo Ransomware is done encrypting the selected files, it drops a ransom note on the infected system. The file containing the attackers’ ransom message is named ‘FILES ENCRYPTED.txt’. The attackers do not state what the ransom fee is; this information is likely disclosed only once the victim gets in touch with the Credo Ransomware authors. The attackers ask to be contacted via email at ‘Recovery@qbmail.biz’.
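The renaming scheme and the ransom note filename described above are the two artifacts a responder can triage on without any sample. The following Python script is an added example, not code from the original article: it parses the ‘.id-<VICTIM-ID>.[email].credo’ suffix back into the original filename, victim ID and contact address, counts ‘FILES ENCRYPTED.txt’ notes, and can walk a directory tree to report the scope of an infection. The sample filenames are constructed for the demonstration, and the assumption that a victim ID contains no dots or brackets is mine, since the page only shows the placeholder <VICTIM-ID>.

```python
import os
import re

# Suffix appended by Credo, per the description: .id-<VICTIM-ID>.[email].credo
# Assumption (not stated on the page): the victim ID contains no '.', '[' or ']'.
CREDO_PATTERN = re.compile(
    r"^(?P<original>.+)\.id-(?P<victim_id>[^.\[\]]+)\.\[(?P<email>[^\]]+)\]\.credo$"
)

# Ransom note filename dropped after encryption, per the description.
RANSOM_NOTE = "FILES ENCRYPTED.txt"

# Constructed sample filenames (not from a real incident) for an offline run.
SAMPLE_NAMES = [
    "ice-cool.mov.id-ABCD1234.[Recovery@qbmail.biz].credo",
    "q3.report.xlsx.id-ABCD1234.[Recovery@qbmail.biz].credo",
    "holiday.jpg",
    "FILES ENCRYPTED.txt",
    "notes.txt.credo",  # wrong shape: no id/email segment, must not match
]


def parse_credo_name(name):
    """Return {'original', 'victim_id', 'email'} if name carries the Credo
    suffix, else None. The original name may itself contain dots."""
    m = CREDO_PATTERN.match(name)
    if not m:
        return None
    return {
        "original": m.group("original"),
        "victim_id": m.group("victim_id"),
        "email": m.group("email"),
    }


def scan_names(names):
    """Triage a list of filenames: which are Credo-encrypted, which are ransom
    notes, and which victim IDs / contact emails appear."""
    encrypted = []
    notes = []
    for name in names:
        info = parse_credo_name(name)
        if info is not None:
            encrypted.append(dict(info, encrypted_name=name))
        elif name == RANSOM_NOTE:
            notes.append(name)
    return {
        "encrypted": encrypted,
        "ransom_notes": notes,
        "victim_ids": sorted({e["victim_id"] for e in encrypted}),
        "contact_emails": sorted({e["email"] for e in encrypted}),
    }


def scan_directory(root):
    """Walk a directory tree and run the same triage over every filename found."""
    names = []
    for _dirpath, _dirnames, filenames in os.walk(root):
        names.extend(filenames)
    return scan_names(names)


if __name__ == "__main__":
    report = scan_names(SAMPLE_NAMES)
    print(f"encrypted files : {len(report['encrypted'])}")
    print(f"ransom notes    : {len(report['ransom_notes'])}")
    print(f"victim IDs      : {report['victim_ids']}")
    print(f"contact emails  : {report['contact_emails']}")
    for e in report["encrypted"]:
        print(f"  {e['encrypted_name']} -> original '{e['original']}'")
```

Recovering the original filename from the suffix tells you what was hit; it does not recover the content, which stays encrypted. A single victim ID across all hits is consistent with one Dharma-style infection, while several IDs in one tree suggest multiple runs or machines and are worth noting in the incident timeline.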
It is not advisable to get in touch with the attackers. Even if you pay the ransom fee they demand, they are not likely to provide you with the decryption tool you need to recover the damaged files. Make sure you remove the Credo Ransomware from your computer with a reliable PC security suite.