Eur Ransomware
After analyzing the Eur Ransomware's code and behavior, infosec experts determined that it can be classified as part of the prolific Dharma family of ransomware threats. The Eur Ransomware follows the typical Dharma Ransomware pattern for the encrypted files' names: [Original Name].[Victim's ID].[email address].[extension]. In the Eur Ransomware's case, the email placed in the file names is 'decrypt@europe.com', while the extension is '.eur'. The cybercriminals behind the Eur Ransomware leave two ransom notes on the infected computer. One is dropped in every folder containing encrypted files, as a text file named 'FILES ENCRYPTED.txt', while the other message is displayed in a pop-up window.
The text file contains very few details, mainly the email addresses that victims can use to contact the hackers: decrypt@europe.com or reservereserv@airmail.com. The pop-up window isn't that informative, either. It specifies that the second email should only be used if the victims receive no response 12 hours after messaging the primary email address.
The consensus among cybersecurity experts is that the victims should not send any amount of money to the hackers in case of a ransomware attack, as that will only serve to fund their criminal activities further.
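For triage, the naming pattern and note file name described above can be matched against a file listing to see which folders were hit and to recover the original file names. The following is an added example, not code from the original article or from any vendor tool; it assumes the victim ID is a single dot-free token and that the email may or may not be wrapped in literal square brackets, and the sample paths and ID value are constructed.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Indicators taken from the article.
CONTACT_EMAIL = "decrypt@europe.com"
EXTENSION = ".eur"
NOTE_NAME = "FILES ENCRYPTED.txt"

# [Original Name].[Victim's ID].[email address].[extension]
# Assumptions: the ID is one dot-free token; brackets around the email are optional.
ENCRYPTED_NAME = re.compile(
    r"^(?P<original>.+)\.(?P<victim_id>[^.]+)\.\[?"
    + re.escape(CONTACT_EMAIL) + r"\]?" + re.escape(EXTENSION) + r"$",
    re.IGNORECASE,
)

def parse_encrypted_name(filename):
    """Return (original_name, victim_id), or None if the name does not match."""
    m = ENCRYPTED_NAME.match(filename)
    return (m.group("original"), m.group("victim_id")) if m else None

def triage(paths):
    """Group a listing by folder: original names, victim IDs seen, note present."""
    report = defaultdict(lambda: {"encrypted": [], "victim_ids": set(), "note": False})
    for raw in paths:
        p = PureWindowsPath(raw)
        folder = str(p.parent)
        if p.name.lower() == NOTE_NAME.lower():
            report[folder]["note"] = True
            continue
        parsed = parse_encrypted_name(p.name)
        if parsed:
            report[folder]["encrypted"].append(parsed[0])
            report[folder]["victim_ids"].add(parsed[1])
    # Keep only folders that show at least one indicator.
    return {f: r for f, r in report.items() if r["encrypted"] or r["note"]}

# Constructed listing: paths and the ID value are made up for illustration.
SAMPLE = [
    r"C:\Users\alice\Documents\budget.2021.xlsx.A1B2C3D4.decrypt@europe.com.eur",
    r"C:\Users\alice\Documents\notes.txt.A1B2C3D4.[decrypt@europe.com].eur",
    r"C:\Users\alice\Documents\FILES ENCRYPTED.txt",
    r"C:\Users\alice\Pictures\holiday.jpg",
    r"C:\Users\alice\Pictures\map.eur",  # bare .eur without the full pattern: ignored
]

if __name__ == "__main__":
    for folder, info in triage(SAMPLE).items():
        print(folder, info["encrypted"], sorted(info["victim_ids"]), info["note"])
```

Anchoring on the full email-plus-extension suffix, rather than on '.eur' alone, avoids flagging unrelated files that merely share the extension.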
The contents of the text file dropped by the Eur Ransomware are:
'all your data has been locked us
You want to return?
write email decrypt@europe.com or reservereserv@airmail.com'
The text of the pop-up window is:
'YOUR FILES ARE ENCRYPTED
Don't worry,you can return all your files!
If you want to restore them, follow this link:email decrypt@europe.com YOUR ID -
If you have not been answered via the link within 12 hours, write to us by e-mail:reservereserv@airmail.com
Attention!
Do not rename encrypted files.
Do not try to decrypt your data using third party software, it may cause permanent data loss.
Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.'