El Ransomware
Threat Scorecard
Threat Level: 100% (High)
Infected Computers: 4
First Seen: November 5, 2018
Last Seen: March 6, 2020
OS(es) Affected: Windows
The El Ransomware is an encryption ransomware Trojan that criminals use to take victims' files hostage and demand a ransom payment. The El Ransomware was first reported on October 27, 2018, and is distributed through malicious spam email attachments.
How the El Ransomware Attacks a Computer
Victims of the El Ransomware typically receive a spam email message with an attached file. The attachment is usually a DOCX file with an embedded macro script (or a PDF carrying an embedded script) that downloads and installs the El Ransomware on the victim's computer; a macro of this kind only runs if the recipient enables it, so the lure text usually asks them to do so. Once installed, the El Ransomware uses AES-256 encryption to make the victim's files inaccessible. Once the files are encrypted, they cannot be decrypted without the decryption key, which the criminals hold. Attacks like the El Ransomware typically target user-generated files, which may cover a wide variety of file types, including files with the following extensions:
.jpg, .jpeg, .raw, .tif, .gif, .png, .bmp, .3dm, .max, .accdb, .db, .dbf, .mdb, .pdb, .sql, .dwg, .dxf, .cpp, .cs, .h, .php, .asp, .rb, .java, .jar, .class, .py, .js, .aaf, .aep, .aepx, .plb, .prel, .prproj, .aet, .ppj, .psd, .indd, .indl, .indt, .indb, .inx, .idml, .pmd, .xqx, .xqx, .ai, .eps, .ps, .svg, .swf, .fla, .as3, .as, .txt, .doc, .dot, .docx, .docm, .dotx, .dotm, .docb, .rtf, .wpd, .wps, .msg, .pdf, .xls, .xlt, .xlm, .xlsx, .xlsm, .xltx, .xltm, .xlsb, .xla, .xlam, .xll, .xlw, .ppt, .pot, .pps, .pptx, .pptm, .potx, .potm, .ppam, .ppsx, .ppsm, .sldx, .sldm, .wav, .mp3, .aif, .iff, .m3u, .m4u, .mid, .mpa, .wma, .ra, .avi, .mov, .mp4, .3gp, .mpeg, .3g2, .asf, .asx, .flv, .mpg, .wmv, .vob, .m3u8, .dat, .csv, .efx, .sdf, .vcf, .xml, .ses, .qbw, .qbb, .qbm, .qbi, .qbr, .cnt, .des, .v30, .qbo, .ini, .lgb, .qwc, .qbp, .aif, .qba, .tlg, .qbx, .qby, .1pa, .qpd, .txt, .set, .iif, .nd, .rtp, .tlg, .wav, .qsm, .qss, .qst, .fx0, .fx1, .mx0, .fpx, .fxr, .fim, .ptb, .ai, .pfb, .cgn, .vsd, .cdr, .cmx, .cpt, .csl, .cur, .des, .dsf, .ds4, .drw, .eps, .ps, .prn, .gif, .pcd, .pct, .pcx, .plt, .rif, .svg, .swf, .tga, .tiff, .psp, .ttf, .wpd, .wpg, .wi, .raw, .wmf, .txt, .cal, .cpx, .shw, .clk, .cdx, .cdt, .fpx, .fmv, .img, .gem, .xcf, .pic, .mac, .met, .pp4, .pp5, .ppf, .nap, .pat, .ps, .prn, .sct, .vsd, .wk3, .wk4, .xpm, .zip, .rar.
Files encrypted by the El Ransomware are easy to recognize because the El Ransomware appends the extension '.WAND' to each affected file's name. The El Ransomware delivers its ransom note as a text file named 'About .WAND unlocking instructions.txt', which is dropped on the infected computer's desktop. The affected PC's desktop wallpaper is also replaced with the logo of Anonymous. The victim of the attack receives the following ransom message, delivered by the El Ransomware:
'Many files from the downloads and Documents have been encrypted, follow the instructions if you want to recover them.
-send an e-mail to: gktlc5a@protonmail.com and hackcwand@protonmail.com
-Deposit the money in the account provided in our e-mail response.
-input the password you recieve after payment has been made.'
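The indicators above (the '.WAND' suffix, the note file name and the contact addresses in the note) are enough to triage a machine quickly. The script below is an added example, not code from the original page or from EnigmaSoft: it walks a directory tree, lists every '.WAND' file with its original name and extension, finds copies of the ransom note and pulls the e-mail addresses out of them. It also measures the byte entropy of each '.WAND' file, on the assumption that genuine AES-256 output sits near 8 bits per byte, so a file that was merely renamed (content intact, low entropy) is flagged separately because it can be recovered by simply stripping the suffix. The sample tree it builds (file names, the 4096-byte pseudo-random bodies, the 7.0 entropy threshold and the short extension subset) is constructed for the demonstration; the note text is the one quoted above.

```python
"""Triage a suspected El/.WAND ransomware infection (added example, not the page's code)."""
import math
import random
import re
import tempfile
from collections import Counter
from pathlib import Path

# Indicators as described in the report above.
ENCRYPTED_SUFFIX = ".WAND"
RANSOM_NOTE_NAME = "About .WAND unlocking instructions.txt"
# A handful of the extensions from the report's target list (assumed subset; extend as needed).
TARGETED_EXTENSIONS = {".docx", ".xlsx", ".pdf", ".jpg", ".png", ".sql", ".zip", ".txt"}
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# Block-cipher output is close to 8 bits/byte; a .WAND file far below that
# was probably only renamed (assumed threshold, not something the report states).
MIN_CIPHERTEXT_ENTROPY = 7.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for an empty buffer)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def triage(root) -> dict:
    """Walk `root`, collecting .WAND files, ransom notes and contact addresses."""
    encrypted, notes, contacts, renamed_only = [], [], set(), []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        if path.name == RANSOM_NOTE_NAME:
            notes.append(str(path))
            contacts.update(EMAIL_RE.findall(path.read_text(errors="replace")))
        elif path.name.endswith(ENCRYPTED_SUFFIX):
            original = path.name[: -len(ENCRYPTED_SUFFIX)]
            entropy = shannon_entropy(path.read_bytes()[:65536])  # first 64 KiB is enough
            encrypted.append({
                "path": str(path),
                "original_name": original,
                "targeted_ext": Path(original).suffix.lower() in TARGETED_EXTENSIONS,
                "entropy": round(entropy, 2),
            })
            if entropy < MIN_CIPHERTEXT_ENTROPY:
                renamed_only.append(original)
    return {"encrypted": encrypted, "notes": notes,
            "contacts": sorted(contacts), "renamed_only": renamed_only}


def build_sample_tree(root: Path) -> None:
    """Constructed sample profile mimicking an infected machine (not real artifacts)."""
    rng = random.Random(2018)  # deterministic stand-in for ciphertext
    for sub in ("Documents", "Downloads", "Desktop"):
        (root / sub).mkdir()
    # Two files whose bodies look like AES output (pseudo-random bytes).
    (root / "Documents" / "report.docx.WAND").write_bytes(rng.randbytes(4096))
    (root / "Downloads" / "photo.jpg.WAND").write_bytes(rng.randbytes(4096))
    # Edge case: suffix appended but the content is untouched (low entropy).
    (root / "Downloads" / "notes.txt.WAND").write_bytes(b"quarterly notes\n" * 200)
    # A file the ransomware left alone.
    (root / "Documents" / "README").write_text("nothing to see here\n")
    # Ransom note text as quoted in the report above.
    (root / "Desktop" / RANSOM_NOTE_NAME).write_text(
        "Many files from the downloads and Documents have been encrypted, follow the "
        "instructions if you want to recover them.\n"
        "-send an e-mail to: gktlc5a@protonmail.com and hackcwand@protonmail.com\n"
        "-Deposit the money in the account provided in our e-mail response.\n"
        "-input the password you recieve after payment has been made.\n"
    )


def demo() -> dict:
    """Build the sample tree in a temporary directory and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        return triage(root)


if __name__ == "__main__":
    import json
    print(json.dumps(demo(), indent=2))
```

Run `triage(r"C:\Users\<victim>")` on a live system instead of `demo()`; the 'renamed_only' list is the set of files worth trying to restore by removing the suffix before touching anything else, and the 'contacts' list gives the addresses to block at the mail gateway.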
The Wand and El ransomware iterations of this malware drop the following ransom note as part of their operating procedure:
================================
Hello, friend, Please read the following
Your file has Been a locked modify the extension name.
***
Please E-Mail me, unlock the cost USD 100.00.
***
Email: hackcwandgproton@mail.com
================================
There is also a lockscreen that blocks access to the desktop with the following text:
'Tus archivos han sido encriptados
Muchos archivos con scienes fueron cipados del directorio Descargas y Documentos sigue las instrucciones si deseas recuperarlos
– COMUNICATE AL CORREO GKTLC5A@PROTONMAIL.COM
– DEPOSITA EL DIÑERO EN LA CUENTA PROPORCIONADA DESDE EL CORREO.
– INGRESA LA CONTRASEÑA RECIBIDA LUEGO DE PAGO.
– TIENES 24 HORAS PARA REALIZAR TODO LO ANTERIOR.'
The text translates as follows:
'Your files have been encrypted. Many files with these extensions were encrypted in the "Downloads" and "Documents" directories; follow the instructions if you want to recover them.
– CONTACT THE EMAIL ADDRESS GKTLC5A@PROTONMAIL.COM
– DEPOSIT THE MONEY IN THE ACCOUNT PROVIDED BY EMAIL.
– ENTER THE PASSWORD RECEIVED AFTER PAYMENT.
– YOU HAVE 24 HOURS TO DO ALL OF THE ABOVE.'
Dealing with the El Ransomware Infection
The ransom demanded by the El Ransomware is 100 USD on average, typically paid in Bitcoin. Paying is not recommended: it funds the criminals' continued creation and distribution of threats like the El Ransomware, and it is very unlikely that those behind the El Ransomware will help victims recover their data after payment. The best protection against the El Ransomware and similar threats is to keep backup copies of your data in the cloud or on an external storage device that is disconnected when not in use, so the ransomware cannot encrypt the backup as well. In addition to backups, a security program is recommended to prevent the El Ransomware from being installed in the first place.