DeathNote Ransomware Description
Type: Ransomware
At the beginning of January 2018, a new threat was spotted by malware researchers. It goes by the name DeathNote and appears to be a low-end ransomware threat. Unlike most ransomware threats, the DeathNote Ransomware doesn't use an encryption algorithm to lock the victim's files. Instead, the DeathNote Ransomware applies a much simpler measure: a password-protected archive. The DeathNote Ransomware executes a script that attempts to lock the files on local disks A to Z, so that the victims lose access to all data on their hard drive. When this is done, the DeathNote Ransomware names the password-protected archives after the disk they cover: "Death_N0te_encrypted_files_of_local_disk_A", "Death_N0te_encrypted_files_of_local_disk_H", etc.
The file types used by the DeathNote Ransomware to carry out its attack are '.vbs' (informs the victims that their files are locked) and '.bat' (locks the files). In a specific case, a file named 'Deathnote.bat' would handle placing the files in password-protected archives, and when that's done a file called 'note.vbs' would notify the user of what has happened via an alert window. The text in this window says: 'Death NOte gives you a chance. Death NOte will restart and if you exit again... you are gone. Death note HAD A MERCY ON YOU.'
Interestingly enough, what serves as the ransom note in this case is also displayed by the 'Deathnote.bat' file. It appears in the form of a command prompt window. There, the victim would see the DeathNote Ransomware authors' instructions on how to obtain the password for the archives. They have provided the user with an email address – email@example.com, and a link to a website – hxxp://heatler.uphero.com. However, the link appears to be no longer functional.
It's important to note that not only do the creators of the DeathNote Ransomware use a simple password-protected archive instead of a complex and much more secure encryption algorithm, but they also have generated only one password that would unlock the files of any victim: 'pkantnibas722'. Basically, a 'one size fits all' situation. To spice things up, the authors of the DeathNote Ransomware add a dash of social engineering too. Even though they don't mention the amount demanded, the note urges the victims to pay up immediately, or the ransom fee will double. This is a bold move for someone whose creation is so weak and poorly coded.
Remember that you should never agree to pay money to cybercrooks and, instead, should look into an alternative solution. In the case of the DeathNote Ransomware, you should start the recovery process by using the aforementioned password to unlock the archives and get your files back. Once you accomplish this, you must not forget to run an up-to-date anti-malware tool that will ensure the full removal of all files linked to the attack.
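To support the recovery steps above, the following Python script (added here as an example; it is not part of the original write-up or any vendor tool) walks a drive or mounted disk image and lists the archives and script files named in this article, so you know which archives to unlock and which files to remove. The article does not state the archive extension, so the pattern accepts any; the function names and the sample tree (including its '.zip' suffix) are constructed for illustration.

```python
import os
import re
import sys
import tempfile

# Names come from the article. The archive extension is not given there, so any
# (or no) extension is accepted: an assumption of this example.
ARCHIVE_RE = re.compile(
    r"^Death_N0te_encrypted_files_of_local_disk_([A-Z])(\..+)?$", re.IGNORECASE)
SCRIPT_NAMES = {"deathnote.bat", "note.vbs"}


def scan(root):
    """Walk root; return ({drive_letter: [archive paths]}, [script paths])."""
    archives, scripts = {}, []
    for dirpath, _dirs, files in os.walk(root):  # unreadable dirs are skipped
        for name in files:
            path = os.path.join(dirpath, name)
            match = ARCHIVE_RE.match(name)
            if match:
                archives.setdefault(match.group(1).upper(), []).append(path)
            elif name.lower() in SCRIPT_NAMES:
                scripts.append(path)
    return archives, sorted(scripts)


def report(archives, scripts):
    """Render findings as text lines for a triage note."""
    lines = [f"archive for disk {d}: {p}" for d in sorted(archives) for p in archives[d]]
    lines += [f"script to quarantine: {p}" for p in scripts]
    return lines or ["no DeathNote artifacts found"]


def build_sample_tree(root):
    """Constructed sample data: empty files, some with names from the article."""
    names = ["Death_N0te_encrypted_files_of_local_disk_C.zip",
             "death_n0te_encrypted_files_of_local_disk_h",
             "Users/a/Deathnote.bat", "Users/a/note.vbs",
             "Users/a/notes.vbs", "Death_Note_backup_C.zip"]  # last two: look-alikes
    for rel in names:
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()


if __name__ == "__main__":
    if len(sys.argv) > 1:           # scan a real mount point or drive root
        print("\n".join(report(*scan(sys.argv[1]))))
    else:                           # no argument: run on the constructed sample
        with tempfile.TemporaryDirectory() as tmp:
            build_sample_tree(tmp)
            print("\n".join(report(*scan(tmp))))
```

Run it with a drive root or image mount point as the only argument; with no argument it runs against the constructed sample tree.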