
Desu Ransomware

By GoldSparrow in Ransomware

Threat Scorecard

Threat Level: 100 % (High)
Infected Computers: 1
First Seen: July 24, 2018
Last Seen: July 31, 2018
OS(es) Affected: Windows

The Desu Ransomware is another low-tier crypto-malware that came out in late July 2018. The Desu Ransomware is suspected to be based on the Aurora Ransomware, but more research is needed. Samples of the Desu Ransomware suggest it is distributed via corrupted Microsoft Word files. It is not outside of reason that the threat actors would use logos of trusted Internet companies and push messages under the guise of legitimate government agencies. The cyber threat may be dropped to the Temp folder on the primary system drive and run as 'memka.exe' (MD5: 54b5234ec4b3682648cf528039bec59f). The program is known to apply a custom AES-256 cipher to targeted images, audio, video, text, e-books, PDFs, and databases. Encrypted data carries the '.desu' extension and keeps the same default file icons as the original versions of your files. We should note that the malware deletes the original files on your system and writes the encrypted versions in their place. For example, 'Sabaton-Ruina Imperii.mp3' is renamed to 'Sabaton-Ruina Imperii.mp3.desu', and the Volume Shadow Copy of the file is deleted too. The ransom note is loaded as '@_DECRYPT_@.txt' in Notepad and reads:

'==#desu ransomware#==
SORRY! Your files are encrypted.
File contents are encrypted with random key.
We STRONGLY RECOMMEND you NOT to use any "decryption tools".
These tools can damage your data, making recover IMPOSSIBLE.
Also we recommend you not to contact data recovery companies.
They will just contact us, buy the key and sell it to you at a higher price.
If you want to decrypt your files, you have to get private key.
In order to get private key, write here: jOra@protonmail.com !!
And send me your id: [random characters]
And pay 200$ on lARDXRDsvnsYiM5jazFagtCrAzSFC1Qmy wallet
If someone else offers you files restoring, ask him for test decryption.
Only we can successfully decrypt your files; knowing this can protect you from fraud.
You will receive instructions of what to do next.
==#desu ransomware#=='

The Desu Ransomware Trojan is reported to overwrite the Master Boot Record (MBR) on Windows and force infected systems to restart. As a result, booting into Windows is interrupted by a message that says:

'Oops! Your files have been encrypted.
Your files are no longer accessible.
You might have been looking for any way to recover your files.
Don't waste your time, you can't recover all your files safely. But
you need to pay and get the decryption password.
Email support: j0ra@pronmail.com
Your ID:
[random characters]
Key: [space for user input]'

We advise against making contact with the malware operators via the 'j0ra@protonmail[.]com' email account. The threat actors are likely to direct users to pay a hefty 'decryption' fee using Bitcoin. That way, the digital coins can be transferred through several accounts before they are converted into standard currencies. Tracking Bitcoin transactions is very difficult, and law enforcement authorities are not always successful at catching ransomware operators. It is best to avoid the services offered via 'j0ra@protonmail[.]com' and restore from backup images instead. PC users can eliminate the Desu Ransomware Trojan by running a respected anti-malware solution on their system. Cloud services may help you protect valuable data and recover faster from attacks with the Desu Ransomware. Detection names by AVs that recognize the Desu Ransomware include:

BehavesLike.Win32.Generic.dh
ML.Attribute.HighConfidence
Ransom_Genasom.R011C0DGH18
TR/FileCoder.zxehh
Trojan ( 00516bfc1 )
Trojan.FileCoder (A)
Trojan.GenericKD.31098949
Trojan.Siggen7.55992
Trojan.Win32.FileCoder.ffpibu
W32/Trojan.BDCL-1372
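The indicators in this write-up (the '.desu' extension appended to encrypted files, the '@_DECRYPT_@.txt' ransom note, the 'memka.exe' / 'file.exe' dropper name and its MD5) can be checked for on a suspect machine or a mounted disk image. The script below is an added example for defenders, not code from the original write-up or from any vendor; it walks a directory tree, flags each indicator, and confirms a dropper name match against the published hash before treating it as a known sample. The sample tree it builds in demo() is constructed for illustration and contains no malicious content, so the dropper check deliberately reports a name-only match.

```python
import hashlib
import os
import tempfile
from collections import Counter
from pathlib import Path

# Indicators taken from the write-up: the extension appended to encrypted
# files, the ransom note name, the dropper names, and the dropper's MD5.
DESU_EXTENSION = ".desu"
RANSOM_NOTE_NAME = "@_DECRYPT_@.txt"
DROPPER_NAMES = {"memka.exe", "file.exe"}
DROPPER_MD5 = "54b5234ec4b3682648cf528039bec59f"


def md5_of_file(path: Path) -> str:
    """Hash a file in chunks so large files do not need to fit in memory."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_tree(root) -> list:
    """Walk a directory tree and return (indicator, path) pairs for every hit."""
    findings = []
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            lower = name.lower()
            if lower.endswith(DESU_EXTENSION):
                findings.append(("encrypted_file", str(path)))
            if name == RANSOM_NOTE_NAME:
                findings.append(("ransom_note", str(path)))
            if lower in DROPPER_NAMES:
                # A file name alone is weak evidence; confirm with the hash
                # reported in the write-up before calling it a known sample.
                if md5_of_file(path) == DROPPER_MD5:
                    findings.append(("known_dropper_hash", str(path)))
                else:
                    findings.append(("dropper_name_only", str(path)))
    return findings


def summarize(findings) -> dict:
    """Count hits per indicator type for a quick triage summary."""
    return dict(Counter(kind for kind, _path in findings))


def demo() -> dict:
    """Build a constructed sample tree (not a real infection) and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "Music").mkdir()
        # An encrypted file keeps its original name with '.desu' appended.
        (root / "Music" / "Sabaton-Ruina Imperii.mp3.desu").write_bytes(b"\x00" * 32)
        (root / "Music" / RANSOM_NOTE_NAME).write_text("==#desu ransomware#==\n")
        # Placeholder with the dropper's name but harmless contents, so the
        # hash check correctly reports it as a name match only.
        (root / "memka.exe").write_bytes(b"MZ-placeholder")
        (root / "notes.txt").write_text("untouched file\n")
        return summarize(scan_tree(root))


if __name__ == "__main__":
    for kind, count in sorted(demo().items()):
        print(f"{kind}: {count}")
```

Running scan_tree() against a user profile or a mounted image gives a list of affected paths that can feed a restore-from-backup plan; a 'known_dropper_hash' hit identifies the exact sample described here, while 'dropper_name_only' hits deserve a manual look because a rebuilt variant would not share the MD5.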


File System Details

Desu Ransomware may create the following file(s):

#   File Name   MD5                                 Detections
1.  file.exe    54b5234ec4b3682648cf528039bec59f    0
