ELBOW Ransomware

Analysis carried out by infosec experts has revealed that the ELBOW Ransomware is a variant of the PHOBOS malware family. The threat can be deployed in attacks against individual users or corporate targets, and its destructive capabilities allow it to lock each compromised computer effectively. Like most malware of this type, the ELBOW Ransomware targets numerous file types and encrypts them with a strong cryptographic algorithm. Victims are left unable to access any of the affected documents, PDFs, databases, archives and more.

Whenever the ELBOW Ransomware encrypts a file, it also marks it by making several changes to the file's original name. First, a character string acting as the ID for the specific victim is appended. The 'UNKNOWNTEAM@criptext.com' email address is added next, followed by '.ELBOW' as a new file extension.

To make sure that users receive its ransom-demanding messages, the ELBOW Ransomware delivers two different notes to the breached device. The threat creates a text file named 'info.txt' that contains the shorter of the notes, while the full set of instructions is displayed in a pop-up window.
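A defender-side triage sketch for the indicators described above, added here as an example and not taken from the original analysis: it sweeps a directory tree for file names that carry the contact email plus the '.ELBOW' extension, and for 'info.txt' files that mention either contact address named in the ransom notes. The function names and the sample tree (including the made-up ID string and separators) are assumptions.

```python
import os
from pathlib import Path

# Indicators quoted on this page, lower-cased for case-insensitive matching.
EMAILS = (b"unknownteam@criptext.com", b"elbowtalk@my.com")
EXTENSION = ".elbow"

def classify_name(name):
    """'encrypted': extension plus contact email in name; 'extension-only': weaker hit."""
    lower = name.lower()
    if not lower.endswith(EXTENSION):
        return None
    return "encrypted" if EMAILS[0].decode() in lower else "extension-only"

def is_ransom_note(path, max_bytes=65536):
    """True for an info.txt whose first bytes mention either contact address."""
    if path.name.lower() != "info.txt":
        return False
    try:
        with open(path, "rb") as fh:
            head = fh.read(max_bytes).lower()
    except OSError:
        return False  # unreadable file: skip it and keep sweeping
    return any(email in head for email in EMAILS)

def scan(root):
    """Walk root and group matching paths by finding type."""
    report = {"encrypted": [], "extension-only": [], "notes": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            kind = classify_name(name)
            if kind:
                report[kind].append(path)
            elif is_ransom_note(path):
                report["notes"].append(path)
    return report

def build_sample_tree(root):
    """Constructed test data; the ID string and separators are made up."""
    samples = {
        "docs/report.docx.id-CONSTRUCTED.[UNKNOWNTEAM@criptext.com].ELBOW": b"\x00",
        "docs/info.txt": b"send e-mail to this address: UNKNOWNTEAM@criptext.com",
        "misc/pipe.elbow": b"unrelated file",
        "misc/info.txt": b"release notes",
    }
    for rel, data in samples.items():
        target = Path(root) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)
```

Files reported as 'extension-only' match the extension but not the contact address, so they warrant a manual look rather than being counted as confirmed hits.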

ELBOW Ransomware's Demands

Both notes reiterate that users should first try to establish contact with the cybercriminals via the 'UNKNOWNTEAM@criptext.com' email address. However, if 24 hours pass without receiving an answer, victims are supposed to try the backup email address, 'ELBOWTALK@my.com.' Apparently, the sooner users send a message, the better the conditions of the ransom will be.

The cybercriminals also state that they are willing to demonstrate their ability to restore the encrypted data. They offer to unlock up to 5 files for free. However, the chosen files must not exceed a total non-archived size of 4MB.

The message shown in ELBOW's pop-up window is:

'All your files have been encrypted!
All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail UNKNOWNTEAM@criptext.com
Write this ID in the title of your message -
In case of no answer in 24 hours write us to this e-mail:ELBOWTALK@my.com
You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the tool that will decrypt all your files.
Free decryption as guarantee
Before paying you can send us up to 5 files for free decryption. The total size of files must be less than 4Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.)
How to obtain Bitcoins
The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price.
hxxps://localbitcoins.com/buy_bitcoins
Also you can find other places to buy Bitcoins and beginners guide here:
hxxp://www.coindesk.com/information/how-can-i-buy-bitcoins/
Attention!
Do not rename encrypted files.
Do not try to decrypt your data using third party software, it may cause permanent data loss.
Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

The note found inside the text file is:

!!!All of your files are encrypted!!!
To decrypt them send e-mail to this address: UNKNOWNTEAM@criptext.com.
If we don't answer in 24h., send e-mail to this address: ELBOWTALK@my.com.'
