Infosec researchers have detected a new ransomware threat out in the wild. Named Datax Ransomware, the threat has been classified as a variant of the previously observed ZEPPELIN Ransomware. Despite lacking any meaningful improvements, the capacity of Datax to cause damage to the infected systems shouldn't be underestimated.
When deployed on the victim's machine successfully, Datax will initiate an encryption routine that encrypts nearly all of the file types stored there. Each encrypted file has its original name changed: the threat appends '.@datax' followed by a specific ID assigned to each victim. When the encryption has been completed, a ransom note is dropped on the system. The ransom-demanding message is contained inside a .hta file named '!!! ALL YOUR FILES ARE ENCRYPTED !!!.hta'.
According to the note, the cybercriminals responsible for unleashing Datax have also been able to exfiltrate valuable data from the infected systems. They threaten to sell that information to any interested third parties if their victims do not initiate contact within 72 hours of the ransomware attack. The only way to reach the attackers is via the provided ICQ account. The note also contains various warnings, such as not renaming the encrypted files, because doing so could lead to irreversible damage.
The full text of the note is:
'Hello my dear friend
Unfortunately for you, a major IT security weakness left you open to attack, your files have been encrypted
If you want to restore them install ICQ software on your PC here hxxps://icq.com/windows/ or on smartphone from Appstore / Google Play Market search for "ICQ"
Write to our ICQ @datax hxxps://icq.im/datax/
Tell us your file ID -
Do not rename encrypted files.
Do not try to decrypt your data using third party software - it may cause permanent data loss.
We are always ready to cooperate and find the best way to solve your problem.
The faster you write - the more favorable conditions will be for you.
Our company values its reputation. We give all guarantees of your files decryption.
IF WE DON'T SEE MESSAGES FROM YOU IN 72 HOURS - WE WILL SELL YOUR DATABASES AND IMPORTANT INFORMATION TO YOUR COMPETITORS AND OTHER HACKERS IN THE DARKNET.'
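The two host-based indicators described above (the '.@datax' plus victim-ID extension and the ransom note name) can be turned into a simple triage check over a file listing. This is an added example for incident responders, not code from the article or from the malware; the article does not give the exact format of the victim ID, so the ID pattern and the sample paths are assumptions constructed here.

```python
import re
from collections import Counter
from pathlib import PurePosixPath

# Ransom note file name exactly as reported in the article.
NOTE_NAME = "!!! ALL YOUR FILES ARE ENCRYPTED !!!.hta"

# The article states that '.@datax' is followed by a per-victim ID but does not
# give its alphabet or separator. ASSUMPTION: a '.' or '-' separator and an
# alphanumeric/dash ID, captured in group 1; a bare '.@datax' is also accepted.
DATAX_EXT_RE = re.compile(r"\.@datax(?:[.-]([0-9A-Za-z-]+))?$")


def classify_path(path: str):
    """Return 'note', 'encrypted' or None for one file path."""
    name = PurePosixPath(path).name
    if name == NOTE_NAME:
        return "note"
    if DATAX_EXT_RE.search(name):
        return "encrypted"
    return None


def original_name(path: str) -> str:
    """Strip the appended Datax extension and ID to recover the pre-attack name."""
    return DATAX_EXT_RE.sub("", PurePosixPath(path).name)


def triage(paths):
    """Summarise Datax indicators: note count, encrypted files, victim IDs
    seen, and which original file types were hit (useful for scoping)."""
    summary = {"notes": 0, "encrypted": 0, "victim_ids": set(),
               "original_extensions": Counter()}
    for p in paths:
        kind = classify_path(p)
        if kind == "note":
            summary["notes"] += 1
        elif kind == "encrypted":
            summary["encrypted"] += 1
            m = DATAX_EXT_RE.search(PurePosixPath(p).name)
            if m.group(1):
                summary["victim_ids"].add(m.group(1))
            summary["original_extensions"][PurePosixPath(original_name(p)).suffix] += 1
    return summary


# Constructed sample listing (not real victim data) mixing hit and untouched files.
SAMPLE_LISTING = [
    "/srv/share/finance/Q3-report.xlsx.@datax.A1B-2C3",
    "/srv/share/finance/budget.docx.@datax.A1B-2C3",
    "/srv/share/finance/" + NOTE_NAME,
    "/srv/share/hr/contracts.pdf",
    "/srv/share/hr/" + NOTE_NAME,
]

if __name__ == "__main__":
    print(triage(SAMPLE_LISTING))
```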