DC Ransomware

Infosec researchers have identified a new malware threat named DC Ransomware that is lurking in the wild. Analysis of the threat's underlying code revealed that the malware is a variant based on the Dharma Ransomware family. Although this means that the DC Ransomware lacks any significant modifications or improvements over the other variants, it in no way diminishes the threat's capacity to cause destruction.

Indeed, if the DC Ransomware manages to infiltrate users' computers, it will initiate an encryption process that uses an uncrackable cryptographic algorithm to lock the files stored there. Nearly all of the most common file types will be affected: documents, PDFs, audio, video, archives, databases, photos, etc. As a result of DC Ransomware's intrusive actions, users will lose the ability to even open the affected files.

Following the typical Dharma behavior, the DC Ransomware also marks the files it encrypts. It does so by modifying their original names. First, an ID string assigned to the specific victim will be added to the file's name. Then the threat will append an email address controlled by the attackers (dc1@imap.cc). Finally, '.DC' will be placed as a new file extension. The DC Ransomware drops two ransom notes on the breached systems. One will be carried by a text file named 'FILES ENCRYPTED.txt,' while the other will be displayed in a new pop-up window.
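The renaming scheme and note name described above make reliable triage markers. The following added example (not code from the researchers or the original article) scans a file listing for them and groups hits by directory; the exact separators (`.id-` and square brackets around the email) follow the usual Dharma convention and are an assumption, since the article states only the order of the parts, and the sample paths are constructed.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Assumed layout (usual Dharma convention): <original>.id-<ID>.[<email>].DC
# The article states only the order: victim ID, attacker email, then '.DC'.
MARKER = re.compile(
    r"^(?P<original>.+)\.id-(?P<victim_id>[0-9A-Za-z-]+)"
    r"\.\[(?P<email>[^\]\s]+@[^\]\s]+)\]\.DC$", re.IGNORECASE)
NOTE_NAME = "files encrypted.txt"                # note file name from the article
KNOWN_CONTACTS = {"dc1@imap.cc", "dc2@imap.cc"}  # addresses from the article

# Constructed listing (e.g. exported from a file server); not real telemetry.
SAMPLE = [
    r"C:\Users\alice\Documents\budget.xlsx.id-1E857D00.[dc1@imap.cc].DC",
    r"C:\Users\alice\Documents\notes.txt.id-1E857D00.[dc1@imap.cc].DC",
    r"C:\Users\alice\Documents\FILES ENCRYPTED.txt",
    r"C:\Users\alice\Documents\untouched.pdf",
    r"C:\Projects\board.DC",  # '.DC' alone, no ID/email marker: must not match
]

def triage(paths):
    """Group renamed files and ransom notes by directory."""
    report = defaultdict(lambda: {"encrypted": [], "victim_ids": set(),
                                  "contacts": set(), "note": False})
    for raw in paths:
        p = PureWindowsPath(raw)
        if p.name.lower() == NOTE_NAME:
            report[str(p.parent)]["note"] = True
            continue
        m = MARKER.match(p.name)
        if m:  # greedy 'original' keeps names that themselves contain '.id-'
            entry = report[str(p.parent)]
            entry["encrypted"].append(m["original"])
            entry["victim_ids"].add(m["victim_id"].upper())
            entry["contacts"].add(m["email"].lower())
    return dict(report)

def summarize(report):
    """One row per affected directory, most renamed files first."""
    rows = [{"directory": d, "encrypted": len(e["encrypted"]),
             "victim_ids": sorted(e["victim_ids"]),
             "known_contact": bool(e["contacts"] & KNOWN_CONTACTS),
             "note_present": e["note"]} for d, e in report.items()]
    return sorted(rows, key=lambda r: r["encrypted"], reverse=True)

if __name__ == "__main__":
    for row in summarize(triage(SAMPLE)):
        print(row)
```

The recovered original names give a quick inventory of what needs restoring from backup, and `known_contact` is false when the marker carries an address other than the two listed in the article.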

DC Ransomware's Demands

The message delivered via the text file is extremely brief and lacks any important details. It simply states that victims of the threat should contact the attackers by messaging one of the two provided email addresses: 'dc1@imap.cc' or 'dc2@imap.cc.' The full ransom note is shown in the pop-up window. It clarifies that the second email should only be used if users do not receive an answer within 24 hours after contacting the first email.

The pop-up window also specifies that the ransom demanded by the hackers will have to be paid using Bitcoin, arguably the most popular cryptocurrency. Apparently, the price of the ransom will depend on how quickly users establish contact with the cybercriminals.

According to the note, victims will also have the chance to send one file to be decrypted for free. However, the chosen file must not contain any important information and should not exceed 1MB in size. The final section of the ransom-demanding message consists of various warnings.

The full text of instructions delivered in the pop-up window is:

'All your files have been encrypted!

All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail dc1@imap.cc
Write this ID in the title of your message -
In case of no answer in 24 hours write us to theese e-mails:dc2@imap.cc
You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files.

Free decryption as guarantee
Before paying you can send us up to 1 file for free decryption. The total size of files must be less than 1Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.)

How to obtain Bitcoins
The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price.
hxxps://localbitcoins.com/buy_bitcoins
Also you can find other places to buy Bitcoins and beginners guide here:
hxxp://www.coindesk.com/information/how-can-i-buy-bitcoins/

Attention!
Do not rename encrypted files.
Do not try to decrypt your data using third party software, it may cause permanent data loss.
Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.'

The text file generated by DC Ransomware contains the following message:

'all your data has been locked us
You want to return?
Write email dc1@imap.cc or dc2@imap.cc.'