ELDAOSLA Ransomware

The ELDAOSLA Ransomware is a new potent malware threat that has been determined to be a variant coming from the Phobos Ransomware family. As such, the threat follows the typical behavior of the family mainly. The ELDAOSLA Ransomware infiltrates computers, attempts to encrypt the files stored on them, and then demands payment of a fee in exchange for the decryption tool that could potentially restore that data.

Every file that has been encrypted by the ELDAOSLA Ransomware will have its name change drastically. The threat appends to the original filenames, a string of characters representing the unique ID assigned to the specific victim, followed by an ICQ account belonging to the hackers, and finally '.ELDAOSLA' as a new extension. The customary ransom note with instructions from the hackers is delivered in two separate forms. The main note is displayed in a pop-up window created from an 'info.hta' file while the second note is placed inside text files named 'info.txt.'

The text from the files and the pop-up window differs a bit, but the main points are the same. Victims of ELDAOSLA are told to contact the ICQ account KONSKAPISA (the same one used for the names of the encrypted files) to receive further instructions as neither of the notes dropped by the ransomware mention the exact sum needed to be paid or if any of the popular cryptocurrencies have to be used. The criminals allow up to five files that do not exceed a total size of 4MB to be sent for free decryption.

The instructions presented in the pop-up window are:

'ATTENTION!!!!

Unfortunately for you, a major IT security weakness left you open to attack, your files have been encrypted with ciphers more advanced than those used for diplomatic communications, you can spend days and months searching for a magical way to decrypt your files, but rest assured we are the only people who can help you recover your files, there is no free tool

If you want to restore them, install ICQ software on your PC hxxps://icq.com/windows/ or on your mobile phone search in Appstore / Google market "ICQ"

Write to our ICQ @KONSKAPISA hxxps://icq.im/KONSKAPISA

Write this ID in the title of your message -

Free decryption as guarantee

Before paying you can send us up to 5 files for free decryption. The total size of files must be less than 4Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.)

Attention!

Do not rename encrypted files.

Do not try to decrypt your data using third party software, it may cause permanent data loss.

Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.'

The note delivered in the text files is:

'If you are the IT manager and you are reading this, that means that you messed up, you were asleep at the wheel. Contact us and we can resolve this situation without major complication, if you are the owner of the company and you are reading this than the decision is yours, throw your hard drives in the trash or contact us and pay a nominal fee to recover your data, but know that your security practices have failed you and either way something needs to be done

If you want to restore them, install ICQ software on your PC hxxps://icq.com/windows/ or on your mobile phone search in Appstore / Google market "ICQ"

Write to our ICQ @KONSKAPISA hxxps://icq.im/KONSKAPISA

Attention!

Do not rename encrypted files.

Do not try to decrypt your data using third party software, it may cause permanent data loss.'