The Elantra Ransomware is a threatening new malware that has been detected in the wild. Although the infosec community classifies the threat as yet another variant of the already established Matrix Ransomware family, that does not diminish its destructive capabilities. Elantra severely damages any computer it manages to infect. It does so by initiating an encryption routine that employs a combination of strong cryptographic algorithms, and all files affected by the threat are rendered inaccessible and unusable.
Elantra completely renames the files it encrypts, replacing the original name with a random string of characters followed by an email address under the hackers' control, 'email@example.com.' Upon completion of the encryption process, the threat delivers its ransom note containing instructions to the victims. The full set of instructions is placed inside files named '#How_To_Decrypt_Files#.rtf,' while a shorter message is displayed in an image set as the new desktop background.
Elantra Ransomware's victims are told that they will have to pay a ransom in Bitcoin if they want to receive the necessary key and decryption tool from the cybercriminals. The exact amount is not mentioned, but the ransom note states that the size of the ransom will depend on the time it takes victims to initiate contact. To further push affected users into meeting their demands, the hackers threaten that after 72 hours, the decryption key will be deleted from their servers, and all locked data will become unsalvageable.
Apart from the email found in the encrypted files' names, the ransom note also provides a reserve address, 'firstname.lastname@example.org.' Victims are allowed to attach up to three files, not exceeding 10MB in total, which will be decrypted for free.
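The indicators described above (the two contact addresses that appear in renamed files and in the note, the '#How_To_Decrypt_Files#.rtf' file name, and files left unreadable by encryption) are enough for a first-pass triage of a suspect machine. The script below is an added example for responders and is not code from the article or from any vendor. It assumes the renamed-file layout is literally "random string followed by the email address" as the article describes, and it treats near-maximal byte entropy as a sign that a file's contents have been encrypted; the 7.9 bits/byte threshold and the 1 KiB minimum size are assumed values, not figures from the article.

```python
"""Triage helper for the Elantra Ransomware indicators described above.
Added example; the file-name layout and entropy threshold are assumptions."""
import math
import os
from collections import Counter

# Indicators stated in the article: the two contact addresses (as printed
# there) and the name of the ransom note file.
CONTACT_EMAILS = ("email@example.com", "firstname.lastname@example.org")
RANSOM_NOTE_NAME = "#How_To_Decrypt_Files#.rtf"

# Assumed: ciphertext has a nearly flat byte histogram. Files of at least
# MIN_SIZE_FOR_ENTROPY bytes whose sampled entropy exceeds the threshold
# are reported as "likely_encrypted".
ENTROPY_THRESHOLD = 7.9
MIN_SIZE_FOR_ENTROPY = 1024
SAMPLE_BYTES = 65536


def classify_name(name):
    """Map a bare file name to an indicator label, or None if nothing matches."""
    if name == RANSOM_NOTE_NAME:
        return "ransom_note"
    lower = name.lower()
    for email in CONTACT_EMAILS:
        if lower.endswith(email):
            prefix = name[: -len(email)]
            # The article says the original name is replaced entirely, so a
            # prefix with no dot (no surviving extension) fits that renaming.
            if prefix and "." not in prefix:
                return "renamed_encrypted_file"
            return "contact_email_in_name"
        if email in lower:
            return "contact_email_in_name"
    return None


def shannon_entropy(data):
    """Bits per byte: 0.0 for constant data, 8.0 for a flat byte histogram."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def triage_names(names):
    """Group an iterable of file names by indicator label."""
    hits = {}
    for name in names:
        label = classify_name(name)
        if label:
            hits.setdefault(label, []).append(name)
    return hits


def triage_tree(root):
    """Walk a directory tree: classify every file name and flag files whose
    sampled contents look like ciphertext. Returns {label: [paths]}."""
    report = {"ransom_note": [], "renamed_encrypted_file": [],
              "contact_email_in_name": [], "likely_encrypted": []}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            label = classify_name(name)
            if label:
                report[label].append(path)
            try:
                if os.path.getsize(path) >= MIN_SIZE_FOR_ENTROPY:
                    with open(path, "rb") as fh:
                        if shannon_entropy(fh.read(SAMPLE_BYTES)) > ENTROPY_THRESHOLD:
                            report["likely_encrypted"].append(path)
            except OSError:
                # Unreadable or vanished file: skip rather than abort the walk.
                continue
    return report


if __name__ == "__main__":
    import sys
    for label, paths in triage_tree(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        print(f"{label}: {len(paths)}")
        for p in paths[:10]:
            print("   ", p)
```

Run it against a mounted image or a share with `python triage.py /path/to/root`. A renamed file that also reads as ciphertext is listed under both `renamed_encrypted_file` and `likely_encrypted`; a file that is high-entropy but keeps its original name is worth a second look, since compressed archives and media also score high, which is why the entropy check is a prompt for review rather than proof of encryption.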
The message from the wallpaper image used by the Elantra Ransomware is:
'All your personal files were encrypted with RSA-2048 crypto algorithm!
Without your personal key and special software data recovery is impossible!
If you want to restore your files, please write us to the e-mails:
email@example.com OR firstname.lastname@example.org
* Additional info you can find in files: #How_To_Decrypt_Files#.rtf'
The full set of instructions delivered through the '#How_To_Decrypt_Files#.rtf' files is:
'WHAT HAPPENED WITH YOUR FILES?
Your documents, databases, backups, network folders and other important files are encrypted with RSA-2048 and AES-128 ciphers.
More information about the RSA and AES can be found here:
No data from your computer has been stolen or deleted, but it is impossible to restore files without our help. For decryption of your files you need two things: first is your private RSA keys and second is our special software - decryption tool.
Sure, you can try to restore your files yourself, but the most part of the third-party software changes data within the encrypted file and causes damage to the files and as result, after using third-party software - it will be impossible to decrypt your files even with our software.
If you want to restore your files, you have to pay for decryption in Bitcoins. The price depends on how fast you write to us.
Contact us using this e-mail address: email@example.com
In subject line of the message write your personal ID: -
This e-mail will be as confirmation you are ready to pay for decryption key. After the payment you will get the decryption tool with instructions that will decrypt all your files including network folders.
ATTENTION!!! After 72 hours your unique RSA private key will be automatically deleted from our servers permanently in interest of our security, and future decryption of your data will become impossible.
If you don't believe in our service and you want to see a proof, you can ask for a test decryption.
About the test decryption: You can send us up to 3 encrypted files. The total size of the files must be less than 10Mb (non archived), and files should not contain valuable information (databases, backups, large excel sheets, etc.). We will decrypt and send you decrypted files back.
In a case of no answer in 24 hours, use the reserve e-mail address: firstname.lastname@example.org
* Do not rename encrypted files.
* Do not try to decrypt your data using third party software, it may cause permanent data loss.
* It doesn't make sense to complain of us and to arrange a hysterics.
* Complaints having blocked e-mail, you deprive a possibility of the others, to decipher the computers.
* Other people at whom computers are also ciphered you deprive of the ONLY hope to decipher. FOREVER.'