
Deadfiles Ransomware

By GoldSparrow in Ransomware

The Deadfiles Ransomware is a newly discovered crypto locker that, according to the security experts who analyzed its code, belongs to the MedusaLocker Ransomware family. It operates as a typical ransomware threat: after infiltration, it encrypts the locally stored files using a combination of AES and RSA encryption and demands a ransom payment for their restoration. Every encrypted file has ".deadfiles" appended to its original name as a new extension. In every folder containing encrypted files, the Deadfiles Ransomware drops a file named "Recovery_Instructions.html" containing the text of the ransom note.

Victims of the Deadfiles Ransomware are instructed to use the Tor browser to open a URL provided in the ransom note as the means of communicating with the attackers. Only if the URL doesn't work should they send a message to the provided email addresses, "dec_helper@dremno.com" and "dec_helper@excic.com". To demonstrate their ability to unlock the user's data, the attackers offer to decrypt two or three non-important files for free.
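The page gives a responder everything needed to scope an infection: the file extension, the note's file name, and the contact indicators. The Go program below is an added example, not part of the original page or of any tooling it cites. It walks a directory tree, counts files carrying the ".deadfiles" extension, lists the folders they occupy, and pulls the .onion URL and fallback email addresses out of every "Recovery_Instructions.html" it finds. The directory layout it builds in a temporary folder is constructed test data; the URL and addresses placed inside it are the ones quoted on this page, and the regular expressions are assumptions about how the note presents them.

```go
package main

import (
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"regexp"
	"sort"
	"strings"
)

// Indicators taken from the page's description of Deadfiles.
const (
	EncryptedExt = ".deadfiles"
	NoteName     = "Recovery_Instructions.html"
)

// Contact indicators to pull out of each note. The URL pattern accepts the
// defanged "hxxp" form used on this page as well as a live "http" scheme.
// Both patterns are assumptions about the note's formatting.
var (
	onionRe = regexp.MustCompile(`h(?:tt|xx)ps?://[a-z2-7]{16,56}\.onion/[A-Za-z0-9_\-]+`)
	emailRe = regexp.MustCompile(`[A-Za-z0-9._%+\-]+@[A-Za-z0-9.\-]+\.[A-Za-z]{2,}`)
)

// Report is what the scan hands to the responder.
type Report struct {
	EncryptedFiles int
	AffectedDirs   []string // directories holding at least one encrypted file
	Notes          []string // ransom notes found
	OnionURLs      []string // unique .onion contact URLs extracted from the notes
	Emails         []string // unique fallback e-mail addresses extracted from the notes
}

// Scan walks root, counts encrypted files, records the directories they sit in,
// and extracts contact indicators from every ransom note it finds.
func Scan(root string) (*Report, error) {
	rep := &Report{}
	dirs := map[string]bool{}
	seen := map[string]bool{}
	walk := func(path string, d fs.DirEntry, walkErr error) error {
		if walkErr != nil || d.IsDir() {
			return walkErr
		}
		switch {
		case strings.HasSuffix(d.Name(), EncryptedExt):
			rep.EncryptedFiles++
			dirs[filepath.Dir(path)] = true
		case d.Name() == NoteName:
			rep.Notes = append(rep.Notes, path)
			data, err := os.ReadFile(path)
			if err != nil {
				return err
			}
			// The regexes run over the raw note, so HTML markup in a real note is
			// harmless as long as the URL and addresses are not split across tags.
			for _, u := range onionRe.FindAllString(string(data), -1) {
				if !seen[u] {
					seen[u] = true
					rep.OnionURLs = append(rep.OnionURLs, u)
				}
			}
			for _, m := range emailRe.FindAllString(string(data), -1) {
				if !seen[m] {
					seen[m] = true
					rep.Emails = append(rep.Emails, m)
				}
			}
		}
		return nil
	}
	if err := filepath.WalkDir(root, walk); err != nil {
		return nil, err
	}
	for d := range dirs {
		rep.AffectedDirs = append(rep.AffectedDirs, d)
	}
	sort.Strings(rep.AffectedDirs)
	return rep, nil
}

// BuildSample writes a constructed directory tree that mimics the post-encryption
// layout the page describes. It is test data, not a real infection.
func BuildSample() (string, error) {
	root, err := os.MkdirTemp("", "deadfiles-sample-")
	if err != nil {
		return "", err
	}
	note := "YOUR PERSONAL ID:\n-\n" +
		"hxxp://gvlay6u4g53rxdi5.onion/21-AEq6wCPd46l6IOoStWGhsNP0Ge7KQdlT-sCA310qjjPIJR7GKwL7V2qKLClmeeVxX\n" +
		"dec_helper@dremno.com\ndec_helper@excic.com\n"
	files := map[string]string{
		"Documents/report.docx" + EncryptedExt: "<ciphertext>",
		"Documents/budget.xlsx" + EncryptedExt: "<ciphertext>",
		"Documents/" + NoteName:                note,
		"Pictures/holiday.jpg" + EncryptedExt:  "<ciphertext>",
		"Pictures/" + NoteName:                 note,
		"Windows/notepad.exe":                  "<untouched>",
	}
	for rel, body := range files {
		p := filepath.Join(root, rel)
		if err := os.MkdirAll(filepath.Dir(p), 0o755); err != nil {
			return "", err
		}
		if err := os.WriteFile(p, []byte(body), 0o644); err != nil {
			return "", err
		}
	}
	return root, nil
}

func main() {
	root, err := BuildSample()
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(root)
	rep, err := Scan(root)
	if err != nil {
		panic(err)
	}
	fmt.Printf("%d encrypted files in %d directories, %d ransom notes\n",
		rep.EncryptedFiles, len(rep.AffectedDirs), len(rep.Notes))
	fmt.Println("contact URLs:", rep.OnionURLs)
	fmt.Println("contact e-mails:", rep.Emails)
}
```

In a real engagement, point Scan at a mounted forensic image or a read-only share rather than the live host, and feed the extracted URL and addresses into your blocklists and case notes before anyone contacts the attackers.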

The Deadfiles Ransomware Ransom Note

The ransom note explains the situation to victims, telling them what has happened and what they can do about it. The message, which is placed on the desktop and in every folder with encrypted files, reads as follows:

Text presented in Deadfiles' ransom note ("Recovery_Instructions.html"):

YOUR PERSONAL ID:
-
/!\ YOUR COMPANY NETWORK HAS BEEN PENETRATED /!\
ALL YOUR IMPORTANT FILES HAVE BEEN ENCRYPTED!

YOUR FILES ARE SAFE! JUST MODIFIED ONLY. (RSA+AES)

ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE
WILL PERMENANTLY DESTROY YOUR FILE.
DO NOT MODIFY ENCRYPTED FILES. DO NOT RENAME ENCRYPTED FILES.

NO SOFTWARE AVAILABLE ON INTERNET CAN HELP YOU. WE ONLY HAVE
SOLUTION TO YOUR PROBLEM.

WE GATHERED HIGHLY CONFIDENTIAL/PERSORNAL DATA. THESE DATA
ARE CURRENTLY STORED ON A PRIVATE SERVER. THIS SERVER WILL BE
IMMEDIATELY DESTROYED AFTER YOUR PAYMENT. WE ONLY SEEK MONEY
AND DO NOT WANT TO DAMAGE YOUR REPUTATION. IF YOU DECIDE TO
NOT PAY, WE WILL RELEASE THIS DATA TO PUBLIC OR RE-SELLER.

YOU WILL CAN SEND US 2-3 NON-IMPORTANT FILES AND WE WILL
DECRYPT IT FOR FREE TO PROVE WE ARE ABLE TO GIVE YOUR FILES
BACK.

Contact us for price and get decryption software.

hxxp://gvlay6u4g53rxdi5.onion/21-AEq6wCPd46l6IOoStWGhsNP0Ge7KQdlT-sCA310qjjPIJR7GKwL7V2qKLClmeeVxX
* Note that this server is available via Tor browser only

Follow the instructions to open the link:
1. Type the addres "hxxps://www.torproject.org" in your Internet browser. It opens the Tor site.
2. Press "Download Tor", then press "Download Tor Browser Bundle", install and run it.
3. Now you have Tor browser. In the Tor Browser open "{{URL}}".
4. Start a chat and follow the further instructions.

If you can't use the above link, use the email:
dec_helper@dremno.com
dec_helper@excic.com
MAKE CONTACT AS SOON AS POSSIBLE. YOUR DECRYPTION KEY IS ONLY STORED
TEMPORARLY. IF YOU DON'T CONTACT US WITHIN 72 HOURS, PRICE WILL BE HIGHER.

As the note makes clear, the attackers claim that the company network has been compromised. The files are encrypted with a combination of AES and RSA: the file contents are encrypted with a symmetric AES key, and that key is in turn encrypted with the attackers' RSA public key, so the files cannot be recovered without the matching private key, which only the attackers hold. Users are told that attempting to decrypt data with third-party tools or modifying the files in any other way will cause permanent data loss.
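To make concrete why that claim holds, here is the standard hybrid scheme that "RSA+AES" refers to, written in Go as an added illustration. It is not the Deadfiles code: the file layout, key sizes and the choice of AES-GCM and RSA-OAEP are assumptions made for clarity, not details taken from the sample.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// WrappedFile is the layout this example writes: the per-file AES key wrapped
// with the attackers' RSA public key, then the AES-GCM nonce and ciphertext.
// The layout is an assumption for illustration, not the Deadfiles file format.
type WrappedFile struct {
	WrappedKey []byte
	Nonce      []byte
	Ciphertext []byte
}

// NewAttackerKey generates the RSA key pair the attackers would hold. The
// public half ships inside the malware; the private half never leaves them.
func NewAttackerKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// EncryptFile is the hybrid scheme the note calls "RSA+AES": a fresh random
// AES-256 key per file, AES-GCM for the contents, and RSA-OAEP to wrap that
// key so that only the holder of the matching private key can recover it.
func EncryptFile(pub *rsa.PublicKey, plaintext []byte) (*WrappedFile, error) {
	fileKey := make([]byte, 32)
	if _, err := rand.Read(fileKey); err != nil {
		return nil, err
	}
	gcm, err := newGCM(fileKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, nil)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, fileKey, nil)
	if err != nil {
		return nil, err
	}
	// Wipe the plaintext key: from here on it exists only inside the RSA ciphertext.
	for i := range fileKey {
		fileKey[i] = 0
	}
	return &WrappedFile{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ct}, nil
}

// DecryptFile is what the attackers' "decryption software" does: unwrap the
// per-file key with the private key, then decrypt the contents. Any other key
// fails at the unwrap step, which is why no third-party tool helps once the
// files have been encrypted correctly.
func DecryptFile(priv *rsa.PrivateKey, wf *WrappedFile) ([]byte, error) {
	fileKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wf.WrappedKey, nil)
	if err != nil {
		return nil, errors.New("cannot unwrap file key: private key does not match")
	}
	gcm, err := newGCM(fileKey)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, wf.Nonce, wf.Ciphertext, nil)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	attacker, err := NewAttackerKey()
	if err != nil {
		panic(err)
	}
	// Two files, two independent keys: decrypting one as the "free sample"
	// reveals nothing about the other and never exposes the private key.
	a, _ := EncryptFile(&attacker.PublicKey, []byte("quarterly report"))
	b, _ := EncryptFile(&attacker.PublicKey, []byte("customer database"))
	sample, _ := DecryptFile(attacker, a)
	fmt.Printf("free sample decrypts: %q\n", sample)

	stranger, _ := NewAttackerKey() // a key pair the attackers do not hold
	if _, err := DecryptFile(stranger, b); err != nil {
		fmt.Println("second file with another key:", err)
	}
}
```

This also explains the "free decryption" offer: the attackers can unwrap a couple of per-file keys with their private key and hand back the plaintext without giving the victim anything that helps with the remaining files. The only realistic openings for free recovery are implementation mistakes, such as a predictable key source, a reused nonce, or the private key being left on the victim's machine, none of which the page reports for this sample.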

The note also warns that confidential and personal data has been exfiltrated from the network and is being held on a private server. The threat actors say they will publish the stolen data or sell it on if the ransom is not paid. Victims are offered the chance to test the decryption by sending two or three non-important files to the cybercriminals, a step intended to build confidence that paying will actually get their files back.

Victims learn the price by contacting the attackers at the Tor address provided in the note, or by email if the site is unreachable. Either way, the note gives them 72 hours to establish contact; after that, the price will be higher. The attackers also state that the decryption key is stored only temporarily, implying that it may be deleted and the encrypted data left unrecoverable after a set period of time.

The website listed in the note has a chat window where victims can talk to the attackers. Each victim is assigned a personal ID, so the attackers know which victim, and which key, they are dealing with. The website doesn't state the size of the ransom; victims are told how much to pay only once they establish communication.

Unfortunately, decryption is generally impossible without the attackers' private key. It becomes possible only if the malware's implementation is flawed or it is still under development. Either way, experts recommend against dealing with the criminals and paying the ransom. There is no guarantee that victims receive the decryption tools they are promised after paying; in many cases the files remain encrypted and the victim is out of money as well as data.

It is recommended that you remove the ransomware from your computer to prevent further encryption. Removing the ransomware won't restore affected data, however. The only safe and effective way to do that is to restore from a data backup.

How Does Ransomware Infect Computers?

Ransomware like this can spread through several methods. Spam email is the most common, but it isn't the only one. All of them are designed to be stealthy and to trick people into running the payload themselves. Because the Deadfiles note addresses a company network rather than a single user, it is also worth keeping in mind that the MedusaLocker family is documented to gain initial access through exposed Remote Desktop Protocol (RDP) services with weak or brute-forced credentials. The most common ways malware is spread are:

  1. Spam email attachments

    Spam email attachments are the most common method. Criminals run malspam campaigns, sending tens of thousands of messages from botnets in the hope that even a fraction of them will be opened. The messages are crafted to look authentic and to appear to come from a trusted source, such as a government agency or a delivery company. Each email carries an attachment or a link; opening the attachment or following the link downloads and runs the ransomware payload.

  2. Cracks and Keygens

    Pirated software typically comes bundled with a "crack" or "keygen" to make it work. These tools are commonly bundled with malicious code that executes when the user runs them. This is one more reason not to download pirated software, apart from the fact that it is, of course, illegal.

  3. Phishing websites

    Phishing websites are compromised or look-alike sites that criminals use to spread malware. Merely visiting one can be enough to trigger a download. Victims are steered to these sites through suspicious links.

The criminals rely on scare tactics to coerce their victims into paying. Beyond encrypting the files, they claim that unspecified confidential and private information has been exfiltrated to a private server and will be released publicly or sold to a reseller if no payment is received. They further warn that the decryption key is stored only temporarily, implying that it can be deleted, leaving the locked files undecryptable by anyone, and that the price will rise if 72 hours pass without contact.

The most important thing when dealing with a ransomware attack is to remain calm. Don't fall for the criminals' tactics, and don't send them any money. Instead, check whether a backup created before the infection is available and restore your data from it, but only after removing the Deadfiles Ransomware with a reputable anti-malware program.
