Devil Ransomware

The Devil Ransomware is the newest addition to the Dharma Ransomware family. Throughout 2019, the Dharma Ransomware was the second most active ransomware family worldwide. Creating ransomware threats from scratch can be rather difficult for an inexperienced cybercriminal, so many opt to use the code of already existing and well-established threats like the Dharma Ransomware.

Propagation and Encryption

It is not clear what propagation method is being used in the spreading of the Devil Ransomware. Many cyber crooks who distribute data-locking Trojans opt to use mass spam email campaigns. The targeted user would receive an email that urges them to execute the attached file. Often, the attachment would be in the shape of a document or other seemingly harmless file. Once the Devil Ransomware successfully infiltrates the user’s computer, it will begin scanning their data. This file-encrypting Trojan is likely programmed to go after documents, images, videos, presentations, databases, spreadsheets, and similar files that are likely to be found on any regular user’s system will be locked to ensure maximum damage. In order to lock the targeted files, the Devil Ransomware would apply an encryption algorithm. When the Devil Ransomware encrypts a file, it will also make sure to alter its extension by adding ‘.id-.[decrypt4data@protonmail.com].devil.' As you can see from the extension name, there is a unique victim ID generated for each affected user.

The Ransom Note

The next step of the attack is the dropping of the ransom note. The ransom message of the Devil Ransomware can be found in files named ‘info.txt’ and ‘info.hta,’ which will be dropped on the victim’s desktop. In the note, the attackers fail to specify a ransom fee that would be required in exchange for the decryption key the user would need to recover the affected data. However, most authors of ransomware demand at least a couple of hundred dollars as a ransom fee.

For users who want to contact the creators of the Devil Ransomware, the attackers have provided an email address – ‘decrypt4data@protonmail.com.’ We would advise you strongly to avoid contacting the authors of the Devil Ransomware. Even victims who end up paying the ransom fee required, more often than not, end up empty-handed as the attackers ride into the sunset with their cash. This is why it is worth investing in a reputable anti-malware application that will help you remove the Devil Ransomware from your computer and closely monitor your online safety in the future, so you do not end up in the same difficult situation ever again.