
Ebaka Ransomware

Security researchers have identified Ebaka as a ransomware threat, designed with the explicit purpose of encrypting files on compromised devices and subsequently demanding ransom payments for their decryption. Once the Ebaka malware is activated, it initiates a file-locking process through encryption, altering filenames in the process. The original names are extended with a unique victim ID, the email address of the cybercriminals, and a '.ebaka' extension. For example, a file initially named '1.png' will undergo encryption and emerge as '1.png.id[1E858D00-3423].[datadownloader@proton.me].ebaka'.

Following the completion of the encryption process, Ebaka generates ransom notes that are deposited onto the desktop and within all directories containing locked data. One of the ransom notes is presented in a pop-up window ('info.hta'), while another takes the form of a text file ('info.txt'). Notably, research analysis has linked the Ebaka Ransomware to the well-known Phobos Ransomware family.
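As an added example (not code from the original page or from any vendor tool), the following Python triages a file listing against the renaming pattern and the ransom-note names described above. The sample listing is constructed; the regular expression generalises the single victim-ID sample on the page to any eight-plus-four hexadecimal form, which is an assumption.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Renaming pattern described above for Phobos-family samples such as Ebaka:
#   <original name>.id[<victim id>].[<attacker e-mail>].<extension>
# The victim ID shape (8 hex chars, a dash, 4 hex chars) is taken from the
# page's sample '1E858D00-3423'; allowing hex in the second group is an
# assumed generalisation of that single sample.
RENAME_RE = re.compile(
    r"^(?P<original>.+)"
    r"\.id\[(?P<victim_id>[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4})\]"
    r"\.\[(?P<email>[^\]\s@]+@[^\]\s@]+)\]"
    r"\.(?P<ext>[A-Za-z0-9]+)$"
)
KNOWN_EXTENSIONS = {"ebaka"}                  # extend as further variants are documented
RANSOM_NOTE_NAMES = {"info.hta", "info.txt"}  # note file names given on the page


@dataclass(frozen=True)
class EncryptedName:
    original: str
    victim_id: str
    email: str
    extension: str


def basename(path: str) -> str:
    """Last path component, accepting either Windows or POSIX separators."""
    return path.replace("\\", "/").rstrip("/").rsplit("/", 1)[-1]


def parent_dir(path: str) -> str:
    """Directory part of the path, normalised to forward slashes."""
    norm = path.replace("\\", "/")
    return norm.rsplit("/", 1)[0] if "/" in norm else ""


def parse_encrypted_name(name: str) -> Optional[EncryptedName]:
    """Return the components of a Phobos-style renamed file, or None."""
    m = RENAME_RE.match(name)
    if m is None or m.group("ext").lower() not in KNOWN_EXTENSIONS:
        return None
    return EncryptedName(
        original=m.group("original"),
        victim_id=m.group("victim_id"),
        email=m.group("email"),
        extension=m.group("ext").lower(),
    )


def triage(paths: List[str]) -> Dict[str, object]:
    """Summarise a listing: how many files match the renaming pattern, which
    victim IDs and contact addresses appear, and which directories hold notes."""
    encrypted: List[EncryptedName] = []
    note_dirs = set()
    for p in paths:
        name = basename(p)
        if name.lower() in RANSOM_NOTE_NAMES:
            note_dirs.add(parent_dir(p))
            continue
        parsed = parse_encrypted_name(name)
        if parsed:
            encrypted.append(parsed)
    return {
        "encrypted_count": len(encrypted),
        "victim_ids": sorted({e.victim_id for e in encrypted}),
        "contact_emails": sorted({e.email for e in encrypted}),
        "original_names": sorted(e.original for e in encrypted),
        "note_dirs": sorted(note_dirs),
    }


# Constructed sample listing (not from a real incident); the first entry is the
# page's own example.
SAMPLE_LISTING = [
    r"C:\Users\alice\Pictures\1.png.id[1E858D00-3423].[datadownloader@proton.me].ebaka",
    r"C:\Users\alice\Documents\budget.xlsx.id[1E858D00-3423].[datadownloader@proton.me].ebaka",
    r"C:\Users\alice\Documents\info.txt",
    r"C:\Users\alice\Desktop\info.hta",
    r"C:\Users\alice\Documents\notes.txt",
    r"C:\Users\alice\Documents\archive.id[deadbeef].ebaka",  # malformed, must not match
]

if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_LISTING), indent=2))
```

Recovering the original name from the renamed file is useful when matching encrypted files against backups; the victim ID and contact address give a quick way to tell whether several hosts were hit by the same campaign.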

The Ebaka Ransomware could Cause Tremendous Damage Upon Successful Infection

Threatening programs affiliated with the Phobos Ransomware family, such as the Ebaka Ransomware, exhibit advanced encryption capabilities, encrypting both local and network-shared files. They also terminate the processes that hold files open, so that those files are not skipped as "in use" and escape encryption. This meticulous strategy ensures a more comprehensive impact on targeted data.

It's noteworthy that the Ebaka Ransomware operations refrain from encrypting critical system files, minimizing the risk of system instability. Additionally, a deliberate effort is made to avoid double encryption: data already locked by other ransomware variants is skipped, based on a predefined list that does not encompass all existing data-encrypting programs.

In an attempt to hinder recovery, Ebaka Ransomware deletes Shadow Volume Copies, eliminating one potential method of restoring encrypted files. The malware employs various persistence-ensuring techniques, including self-replication to the %LOCALAPPDATA% path and registration with specific Run keys, ensuring automatic initiation following system reboots.
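The persistence and recovery-hindering behaviours in this paragraph are exactly what endpoint telemetry can flag. The Python below is an added example, not code from the page or from any product: it runs two simple rules over constructed sample events with invented paths and names, correlating a Run-key value that points into %LOCALAPPDATA% with the self-copy written there just before. The shadow-copy command strings it matches are an assumption about commonly used methods; the page states only that the copies are deleted.

```python
import re
from typing import Dict, List

# Constructed sample telemetry (not real logs). Each event is a flat dict; a real
# pipeline would map EDR or Sysmon fields onto these keys. All paths and names
# are invented for illustration.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"type": "file_write",
     "process": r"C:\Users\alice\Downloads\invoice.exe",
     "path": r"C:\Users\alice\AppData\Local\invoice.exe"},
    {"type": "registry_set",
     "process": r"C:\Users\alice\Downloads\invoice.exe",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "name": "invoice",
     "data": r"C:\Users\alice\AppData\Local\invoice.exe"},
    {"type": "process_start",
     "parent": r"C:\Users\alice\Downloads\invoice.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"type": "registry_set",  # benign: Run value pointing into Program Files
     "process": r"C:\Program Files\Vendor\updater.exe",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "name": "VendorUpdater",
     "data": r"C:\Program Files\Vendor\updater.exe"},
]

RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?$", re.IGNORECASE)
LOCALAPPDATA_RE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\", re.IGNORECASE)
# The page says only that Shadow Volume Copies are deleted; the specific commands
# matched here are an assumption about commonly observed methods.
SHADOW_DELETE_RE = re.compile(
    r"\b(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)\b",
    re.IGNORECASE,
)


def clean_path(value: str) -> str:
    """Strip surrounding quotes from a registry value so paths compare cleanly."""
    return value.strip().strip('"')


def detect(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Apply the two rules and return one alert dict per hit, in event order."""
    alerts: List[Dict[str, str]] = []
    # Paths written by any process, lower-cased, so a Run value can be
    # correlated with the self-copy that precedes it.
    written = {clean_path(e["path"]).lower(): e["process"]
               for e in events if e["type"] == "file_write"}
    for e in events:
        if e["type"] == "registry_set" and RUN_KEY_RE.search(e["key"]):
            target = clean_path(e["data"])
            if LOCALAPPDATA_RE.match(target):
                alerts.append({
                    "rule": "run_key_to_localappdata",
                    # A Run value pointing at a file this session wrote is the
                    # stronger signal; a pre-existing file is still worth a look.
                    "severity": "high" if target.lower() in written else "medium",
                    "process": e["process"],
                    "target": target,
                })
        elif e["type"] == "process_start" and SHADOW_DELETE_RE.search(e["cmdline"]):
            alerts.append({
                "rule": "shadow_copy_deletion",
                "severity": "high",
                "process": e["parent"],
                "target": e["cmdline"],
            })
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"[{a['severity']}] {a['rule']}: {a['process']} -> {a['target']}")
```

The benign vendor updater in the sample registers a Run value too, but its target lives outside the user's local application data, so the first rule stays quiet; the second rule fires on the shadow-copy deletion regardless of which parent launched it, which is the behaviour worth alerting on in its own right.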

Moreover, Ebaka attacks may exhibit geo-locking characteristics. These programs gather geolocation data and may discontinue infection based on factors such as economic conditions in certain regions (potentially home to victims unable to pay ransoms), geopolitical considerations, or other criteria.

Drawing from extensive experience in researching ransomware infections, it becomes evident that decryption without the direct involvement of attackers is a rare occurrence. Exceptions are limited to instances involving seriously flawed ransomware-type programs, emphasizing the overall challenges and complexity associated with recovering data from such sophisticated cyber threats.

The Ebaka Ransomware Extorts Victims for Money

The content of Ebaka's ransom note, presented in a text file, explicitly communicates to the victims that their files have been encrypted. The message strongly encourages victims to initiate contact with the attackers to facilitate the decryption process. Additionally, the ransom note displayed in a pop-up window provides further details about the infection, specifying that decryption is contingent upon the payment of a ransom in Bitcoin cryptocurrency. Notably, the ransom amount is purportedly influenced by how promptly the victim establishes communication with the cybercriminals.

Interestingly, before complying with the ransom demands, victims are allegedly provided with the option to test the decryption process. They can submit up to five encrypted files for testing, subject to certain limitations. This peculiar provision seems to offer a glimpse of the decryption process, possibly as a tactic to instill a sense of trust or urgency in the victim.

The cybercriminals warn victims against any attempt to modify the locked files or use third-party decryption tools, emphasizing the risk of permanent data loss. Additionally, victims are alerted to the potential financial consequences of seeking assistance from third parties, suggesting that such actions may increase the overall financial loss incurred during the resolution process. This detailed set of instructions and warnings underscores the calculated nature of the ransom demand. It aims to guide victims through the process while dissuading them from taking any actions that might compromise the potential for successful decryption.

Victims of the Ebaka Ransomware are presented with the following ransom demands:

'All your files have been encrypted!

All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail datadownloader@proton.me
Write this ID in the title of your message -
In case of no answer in 24 hours write us to this e-mail:datadownloader@tutanota.com
You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the tool that will decrypt all your files.

Free decryption as guarantee
Before paying you can send us up to 5 files for free decryption. The total size of files must be less than 4Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.)

How to obtain Bitcoins
The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price.
hxxps://localbitcoins.com/buy_bitcoins
Also you can find other places to buy Bitcoins and beginners guide here:
hxxp://www.coindesk.com/information/how-can-i-buy-bitcoins/

Attention!
Do not rename encrypted files.
Do not try to decrypt your data using third party software, it may cause permanent data loss.
Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

The text files generated by Ebaka Ransomware contain the following message:

!!!All of your files are encrypted!!!
To decrypt them send e-mail to this address: datadownloader@proton.me.
If we don't answer in 24h., send e-mail to this address: datadownloader@tutanota.com'
