Cypher Ransomware
The Cypher Ransomware is an encryption ransomware Trojan that first appeared on the scene on February 21, 2019. The Cypher Ransomware targets English speakers, and most of its attacks are taking place in Europe and North America. The Cypher Ransomware is being delivered to victims through the use of spam email messages that include corrupted file attachments. These emails typically imitate an email message from a legitimate sender, such as Amazon or PayPal, and use a misleading language to trick the victim into opening an attached PDF or DOCX file. These files will often contain damaged embedded scripts that download and install the Cypher Ransomware onto the victim's computer.
Table of Contents
How the Cypher Ransomware Carries out Its Attack
Once the Cypher Ransomware is installed, the Cypher Ransomware will run in the background to carry out its attack. The Cypher Ransomware's purpose is to make the victim's files inaccessible, essentially taking them hostage. The Cypher Ransomware then demands the payment of a ransom in exchange for returning access to the corrupted files. The Cypher Ransomware will use the AES 256 encryption to encrypt the user-generated files such as photos, audio, databases, and numerous document types in its attack. The Cypher Ransomware will try to encrypt everything that is not a legitimate Windows system file (which it needs to be able to demand a ransom payment from the victim). The following are some of the file types that are typically encrypted in ransomware attacks like the Cypher Ransomware:
.3dm, .3g2, .3gp, .7zip, .aaf, .accdb, .aep, .aepx, .aet, .ai, .aif, .as, .as3, .asf, .asp, .asx, .avi, .bmp, .c, .class, .cpp, .cs, .csv, .dat, .db, .dbf, .doc, .docb, .docm, .docx, .dot, .dotm, .dotx, .dwg, .dxf, .efx, .eps, .fla, .flv, .gif, .h, .idml, .iff, .indb, .indd, .indl, .indt, .inx, .jar, .java, .jpeg, .jpg, .js, .m3u, .m3u8, .m4u, .max, .mdb, .mid, .mkv, .mov, .mp3, .mp4, .mpa, .mpeg, .mpg, .msg, .pdb, .pdf, .php, .plb, .pmd, .png, .pot, .potm, .potx, .ppam, .ppj, .pps, .ppsm, .ppsx, .ppt, .pptm, .pptx, .prel, .prproj, .ps, .psd, .py, .ra, .rar, .raw, .rb, .rtf, .sdf, .sdf, .ses, .sldm, .sldx, .sql, .svg, .swf, .tif, .txt, .vcf, .vob, .wav, .wma, .wmv, .wpd, .wps, .xla, .xlam, .xll, .xlm, .xls, .xlsb, .xlsm, .xlsx, .xlt, .xltm, .xltx, .xlw, .xml, .xqx, .xqx, .zip.
Each file the Cypher Ransomware encrypts will be renamed. The Cypher Ransomware will modify the enciphered files' names by adding the file extension '.cypher' to them.
The Cypher Ransomware’s Ransom Demand
The Cypher Ransomware delivers its ransom note in an HTML file named 'HOW_TO_DECRYPT_FILES.html' and a text file named 'readme_decrypt.txt.' The first of these files leads victims to a website hosted on the Dark Web. The text file contains the following message:
'ID: [RANDOM CHARACTERS]
[Cypher|written in ASCI style]
Hello, unfortunately all your personal files have been encrypted with military grade encryption and will be impossible to retrieve without acquiring the encryption key and decrypting library.
1. Send 1 BTC to [RANDOM CHARCTERS]
2. Contact email ransomwaredecrypt@gmail.com
3. Decrypt the file'
The purpose of these notes is to demand the payment of a ransom of 1 Bitcoin, nearly 10,000 USD at the current exchange rate, to decrypt the files. Malware researchers strongly advise computer users against contacting the people responsible for this attack or following the instructions in the Cypher Ransomware's ransom note. It is very unlikely that these people will help recover the files, and paying the ransom allows them to continue executing these attacks.
Protecting Your Data from Threats Like the Cypher Ransomware
PC security researchers advise computer users to establish backup copies of their files either on the cloud or external places. This is the best protection against the Cypher Ransomware and threats that use a similar strategy. It is also necessary o have a security program that is fully up-to-date to prevent these infections from taking hold on a computer and take precautions when handling unsolicited email messages and attachments.
