
Datah Ransomware

Information security experts have recently uncovered a concerning new ransomware threat known as the Datah Ransomware. This malicious software encrypts a broad spectrum of file types on the compromised system, rendering them inaccessible to the victim. In addition to encrypting files, Datah drops a ransom note titled '+README-WARNING+.txt', which includes contact information and further instructions for the victim.

Moreover, Datah goes a step further by renaming the encrypted files. It achieves this by appending specific identifiers to the filenames, including the victim's unique ID, the email address 'datahelper@onionmail.org', and the '.datah' extension. For example, a file originally named '1.doc' would be transformed into '1.doc.[2AF30FA3].[datahelper@onionmail.org].datah,' while '2.pdf' would become '2.pdf.[2AF30FA3].[datahelper@onionmail.org].datah,' and so forth. It's worth noting that Datah is classified as a variant belonging to the Makop Ransomware family.
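The renaming scheme above is specific enough to be used as a triage signal. The following added example (not code from the original article or from the Makop analysis) parses a directory listing for names of the form `original.[ID].[email].datah`, extracts the victim ID and contact address, and counts ransom notes; the victim ID is assumed to be a hexadecimal string, and the sample listing is constructed.

```python
import re
from collections import Counter

# Datah appends '.[<victim ID>].[<email>].datah' to the original file name,
# e.g. '1.doc' -> '1.doc.[2AF30FA3].[datahelper@onionmail.org].datah'.
# Assumption: the victim ID is a run of hexadecimal digits.
DATAH_NAME_RE = re.compile(
    r"^(?P<original>.+?)\.\[(?P<victim_id>[0-9A-Fa-f]+)\]"
    r"\.\[(?P<email>[^\]\s]+@[^\]\s]+)\]\.datah$"
)
RANSOM_NOTE_NAME = "+README-WARNING+.txt"


def parse_datah_name(name):
    """Return (original name, victim ID, email) for a Datah-renamed file, else None."""
    m = DATAH_NAME_RE.match(name)
    if not m:
        return None
    return m.group("original"), m.group("victim_id").upper(), m.group("email")


def triage_listing(names):
    """Summarise a listing: original names of encrypted files, notes, IDs and emails seen."""
    encrypted, notes, ids, emails = [], 0, Counter(), Counter()
    for name in names:
        if name == RANSOM_NOTE_NAME:
            notes += 1
            continue
        parsed = parse_datah_name(name)
        if parsed:
            original, victim_id, email = parsed
            encrypted.append(original)
            ids[victim_id] += 1
            emails[email] += 1
    return {"encrypted": encrypted, "notes": notes,
            "victim_ids": dict(ids), "emails": dict(emails)}


# Constructed sample listing (not taken from a real incident).
SAMPLE_LISTING = [
    "1.doc.[2AF30FA3].[datahelper@onionmail.org].datah",
    "2.pdf.[2AF30FA3].[datahelper@onionmail.org].datah",
    "report.xlsx",                 # untouched file
    "+README-WARNING+.txt",        # ransom note
    "notes.txt.datah",             # wrong shape (no ID/email segments): not matched
]

if __name__ == "__main__":
    print(triage_listing(SAMPLE_LISTING))
```

A single victim ID across every renamed file is consistent with one infected host; several IDs in one share suggest more than one machine wrote to it.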

Victims of the Datah Ransomware Have Their Data Taken Hostage

The ransom note accompanying the Datah Ransomware delivers a clear message to victims: their files have been encrypted, but the underlying file structure remains intact. The note emphasizes that the only path to recovery is through payment to the cybercriminals responsible for the encryption. To instill a sense of trust, the threat actors offer a test decryption of two simple files of limited size, showcasing their ability to decrypt files upon receiving payment.

Contact details are provided through an email address (datahelper@onionmail.org) and a TOX ID, allowing victims to initiate communication with the perpetrators. However, the note concludes with a stark warning against attempting to alter the encrypted files independently. Such actions could result in the loss of data and the private key necessary for decryption, potentially leading to irreversible consequences for the victim.

It's crucial for victims not to succumb to ransom demands, as there's no guarantee that the cybercriminals will fulfill their promise of providing decryption tools after receiving payment. Additionally, swift removal of the ransomware from infected computers is essential. Doing so not only reduces the risk of further encryption but also helps prevent the potential spread of the ransomware to other computers within the same network, mitigating the overall impact of the attack.

Crucial Defensive Measures to Implement on All Devices

Implementing crucial defensive measures on all devices is essential to protect data from ransomware threats. Here are key steps users should take:

  • Regular Software Updates: Ensure operating systems, applications and security software are regularly updated. Updates often include patches that fix vulnerabilities exploited by ransomware.
  • Install Anti-Malware Software: Use reputable security software with real-time protection against ransomware and other threats. Enable automatic updates and regular scans.
  • Strong Passwords and Multi-Factor Authentication (MFA): Utilize complex passwords and enable MFA wherever possible to add an extra layer of security. Avoid utilizing the same password for multiple accounts.
  • Backup Data Regularly: Set up regular backups of essential files and store them securely offline or in the cloud. Automated, encrypted backups ensure data integrity and facilitate restoration in case of a ransomware attack.
  • Educate Users: Train users on recognizing phishing emails, suspicious links, and fraudulent attachments. Encourage skepticism toward unexpected emails or requests for sensitive information.
  • Limit User Privileges: Adopt the principle of least privilege, restricting user access to only what is necessary for their job role. This limits the impact of ransomware by reducing its ability to spread across the network.
  • Enable Firewall Protection: Activate and regularly update firewalls on devices and networks to filter incoming and outgoing traffic, blocking potentially harmful connections.

By diligently implementing these defensive measures, users can reduce the chances of being victims of ransomware attacks and safeguard their valuable data.

The full text of the ransom note accompanying the Datah Ransomware reads:

'::: Greetings :::

Little FAQ:

.1.
Q: Whats Happen?
A: Your files have been encrypted. The file structure was not damaged, we did everything possible so that this could not happen.

.2.
Q: How to recover files?
A: If you wish to decrypt your files you will need to pay us.

.3.
Q: What about guarantees?
A: Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will cooperate with us. Its not in our interests.
To check the ability of returning files, you can send to us any 2 files with SIMPLE extensions(jpg,xls,doc, etc… not databases!) and low sizes(max 1 mb), we will decrypt them and send back to you. That is our guarantee.

.4.
Q: How to contact with you?
A: You can write us to our mailbox: datahelper@onionmail.org
Or you can contact us via TOX: B99CB0C13B44E2A1AEBAEB28E70371D6E3DB35DA801721930B53B0E787433270665DA610BAB0
You can download TOX: hxxps://qtox.github.io/

.5.
Q: How will the decryption process proceed after payment?
A: After payment we will send to you our scanner-decoder program and detailed instructions for use. With this program you will be able to decrypt all your encrypted files.

.6.
Q: If I don t want to pay bad people like you?
A: If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause only we have the private key. In practice - time is much more valuable than money.

:::BEWARE:::
DON'T try to change encrypted files by yourself!
If you will try to use any third party software for restoring your data or antivirus solutions - please make a backup for all encrypted files!
Any changes in encrypted files may entail damage of the private key and, as result, the loss all data.'
