Exorcist 2.0 Ransomware Description
A new and improved version of the potent Exorcist Ransomware threat has been detected in the wild by infosec experts. Called the Exorcist 2.0 Ransomware, it departs from the original malware's behavior in a few respects but, for the most part, has remained the same.
Once inside the targeted computer, the Exorcist 2.0 Ransomware initiates its encryption process and proceeds to block users from accessing their personal or business files. Nearly all of the most used file types are affected - audio and video files, databases, spreadsheets, documents, etc. Like its predecessor, the Exorcist Ransomware, the Exorcist 2.0 Ransomware appends a random string of characters, specific to the current victim, to every encrypted file. The same string is also used in the name of the file containing the ransom note dropped by the threat. Unlike the original Exorcist, the new variant doesn't bother to change the compromised system's default background image and, instead, just creates a '.hta' file with the ransom instructions in every folder containing locked data.
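The file-system pattern described above (several files in a folder sharing one appended string, plus a '.hta' file whose name carries the same string) can be checked for during triage. The following is an added example, not code from the original page; it assumes the appended string appears as the final file extension, and the threshold, the sample tree and all file names in it are constructed for illustration.

```python
import os
import tempfile
from collections import Counter

MIN_FILES = 3  # assumed threshold: files sharing one extension before a folder is flagged

def find_suspect_dirs(root, min_files=MIN_FILES):
    """Return {directory: extension} for folders matching the described pattern."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        notes = [f for f in files if f.lower().endswith(".hta")]
        if not notes:
            continue
        # Count the final extension of every non-.hta file in this folder.
        exts = Counter(
            os.path.splitext(f)[1].lstrip(".").lower()
            for f in files if f not in notes
        )
        for ext, count in exts.items():
            # The appended string must be non-trivial, shared by several files,
            # and also appear in the name of an .hta file in the same folder.
            if len(ext) >= 4 and count >= min_files and any(
                ext in os.path.splitext(n)[0].lower() for n in notes
            ):
                hits[dirpath] = ext
    return hits

def build_sample_tree(root):
    """Constructed sample data: one affected-looking folder, one benign folder."""
    layout = {
        "finance": ["q1.xlsx.qzkwtb", "q2.xlsx.qzkwtb", "db.sql.qzkwtb",
                    "qzkwtb-decrypt.hta"],  # constructed names, not real IoCs
        "tools": ["help.hta", "a.html", "b.html", "c.html"],  # benign .hta
    }
    for folder, names in layout.items():
        os.makedirs(os.path.join(root, folder))
        for name in names:
            open(os.path.join(root, folder, name), "w").close()

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for path, ext in find_suspect_dirs(tmp).items():
            print(f"{path}: files share '.{ext}' and an .hta note carries it")
```

Because the page does not give the exact note file name, the check matches the shared string anywhere in the '.hta' name rather than against a fixed pattern.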
The note's main message is that victims of the Exorcist 2.0 Ransomware will have to visit a website created by the hackers that can be opened only through the Tor browser. There, the affected users are presented with more detailed instructions. Apparently, the hackers behind this variant are far less greedy, as they demand 'only' the sum of $300 for the restoration of the encrypted files, compared to the $5000 of the original threat. The money is supposed to be paid in Bitcoin and sent to a cryptocurrency wallet address provided by the criminals. However, after a certain period has passed without any payment, the sum of $300 will be increased by an undisclosed amount. Eventually, the hackers threaten to simply delete the decryption keys, which would render the victim's data unsalvageable.
The full text of the note presented by Exorcist 2.0 Ransomware is:
All your data has been encrypted with Exorcist 2.0 Ransomware.
Do not worry: you have some hours to contact us and decrypt your data by paying a ransom.
If you don't pay in time, price will be increased. Then, if the payment is still not received, your keys will be destroyed.
To do this, install Tor Browser (here: hxxps://www.torproject.org/download/) and follow instructions on this web site: hxxp://7iulpt5i6whht6zo2r52f7vptxtjxs3vfcdxxazllikrtqpupn4epnqd.onion/
IMPORTANT: Do not modify this file, otherwise you will not be able to recover your data!
The entire set of instructions found on the Tor website is:
If the payment isn't made until - , decryptor price will be increased null times
What's the matter?
All your files have been encrypted with Exorcist Ransomware.
The only way to decrypt them back is to buy Exorcist Decryption Tool.
The price is 300$
You set path to the encrypted file or folder, it will check all encrypted files and decrypt them.
We accept Bitcoin (BTC) cryptocurrency.
To be sure we have the decryptor and it works you can use Free Decrypt and decrypt only one file for free. But the only file you can decrypt is image (PNG, JPG, BMP), maximum size 3 MB, because they are usually not valuable.
You need to create a crypto wallet. You can read more about crypto wallets here: hxxps://bit.ly/379vYBt
Learn how to buy cryptocurrency (Bitcoin). Some links where you can find information here:
Copy the wallet number from the address field (depending on what you have chosen) and transfer the necessary amount of cryptocurrency to it. You can read more about translations here: hxxps://bit.ly/36br2dK
After paying the ransom, your files will be decrypted and you will be able to continue your work.
IMPORTANT: When transferring funds, carefully check the details to avoid errors and loss of funds. Your files will be decrypted only when transferring funds to our wallet.
FREE DECRYPT (JPG, BMP, PNG)
Free decrypt file
Free decrypt file key (key file is dropped nearby)
Decryptor price: 300$
Pay in Bitcoin: bc1qxrjm8d7j857gnxcp9dys0q5lptsfccllvw0grr 0.029681 BTC
When funds reach one of these addresses, you automatically get decryption tool.