The Exx Ransomware is a new threat targeting vulnerable computers. The threat is capable of affecting a wide range of file types, ensuring that it causes the maximum possible damage to the infected device. Victims of the Exx Ransomware will be prevented from accessing or using any of their personal or work-related files. The targeted files will be encrypted with a strong cryptographic algorithm and will have '.exx' appended to their original names. Upon completing its encryption process, the Exx Ransomware will move on to delivering its ransom note. 

The instructions left by the cybercriminals are dropped in multiple forms so that victims of the malware see them as soon as possible. The Exx Ransomware first replaces the default desktop wallpaper with a new image named 'HELP_RESTORE_FILES.bmp'. The ransom note is also placed inside text files named 'HELP_RESTORE_FILES.txt'. Finally, a pop-up window is created on the desktop.

The notes vary slightly but carry essentially the same message: the files on the system were encrypted with the RSA-2048 encryption algorithm, and the decryption key is stored on a remote server. To restore the data, users will have to reach out to the cybercriminals and meet their demands. The Exx Ransomware provides public links to a dedicated website and a direct link that is only accessible through the TOR browser. Furthermore, the pop-up window displays a countdown timer that, according to the message, shows how long the decryption key will be kept on the server. After the timer reaches zero, the key will supposedly be deleted, making the restoration of the locked files virtually impossible.
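The file names described above ('.exx' appended to the original name, plus the 'HELP_RESTORE_FILES.txt' and 'HELP_RESTORE_FILES.bmp' notes) are enough to scope which directories on a host or share were touched. The following triage scanner is an added example, not code from the original page; the function names, the case-insensitive matching, the sample tree, and the use of file modification time as a rough indicator of when encryption started are assumptions.

```python
import os
import tempfile
from collections import defaultdict

ENCRYPTED_SUFFIX = ".exx"  # extension named on this page
NOTE_NAMES = {"help_restore_files.txt", "help_restore_files.bmp"}  # note names from this page

def triage(root):
    """Walk root and return per-directory indicator hits plus the earliest
    modification time seen on an encrypted file (assumed encryption start)."""
    report = defaultdict(lambda: {"encrypted": [], "notes": []})
    earliest = None
    for dirpath, _dirs, files in os.walk(root, onerror=lambda e: None):
        for name in files:
            lower = name.lower()  # assumption: match names case-insensitively
            if lower in NOTE_NAMES:
                report[dirpath]["notes"].append(name)
            elif lower.endswith(ENCRYPTED_SUFFIX) and len(name) > len(ENCRYPTED_SUFFIX):
                # The suffix is appended, so stripping it gives the original name.
                report[dirpath]["encrypted"].append(name[:-len(ENCRYPTED_SUFFIX)])
                try:
                    mtime = os.lstat(os.path.join(dirpath, name)).st_mtime
                except OSError:
                    continue  # file vanished or is unreadable; keep the name hit
                earliest = mtime if earliest is None else min(earliest, mtime)
    return dict(report), earliest

def build_sample_tree(base):
    """Constructed sample data: empty files using the names this page describes."""
    docs = os.path.join(base, "Documents")
    os.makedirs(docs)
    for name in ("budget.xlsx.exx", "photo.JPG.EXX", "notes.txt", "HELP_RESTORE_FILES.txt"):
        open(os.path.join(docs, name), "w").close()
    open(os.path.join(base, "HELP_RESTORE_FILES.bmp"), "w").close()
    return docs

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        hits, first_seen = triage(tmp)
        for directory, found in sorted(hits.items()):
            print(directory, len(found["encrypted"]), "encrypted,", found["notes"])
        print("earliest encrypted-file mtime (epoch):", first_seen)
```

Run `triage()` against a mounted image or a read-only share rather than the live system, so the scan itself does not alter timestamps needed for the incident timeline.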

The full text of the pop-up note is:

'All your important files have been encrypted!

Your personal files(including those on the network disks, USB, etc) have been encrypted:
photos, videos, documents, etc. Click "Show files" Button to view a complete list of encrypted files,
and you can personally verify this.

Encryption was made using a unique strongest RSA-2048 public key generated for this computer.
To decrypt files you need to acquire the private key.
The only copy of the private key, which will allow you to decrypt your files,is located on a secret TOR
server in the Internet; the server will eliminate the key after a time period specified in this window.
Once this has been done, nobody will ever be able to restore your files…
In order to decrypt files press button to open your personal page and follow the instruction.
[File decryption button]
in case of "File decryption button" malfunction use one of public gates:
hxxp:// or

Use you Bitcoin address to enter the site: 15Wgt4Fpgg6Mxai1BJ3yUJrznL9w79FJpm
[Click to copy Bitcoin address to clipboard]
if both button and reserve gates not opening, please follow these steps:
You must install TOR browser
After installation,run the browser and ender address iq3ahijcfeont3xx.onion
Follow the instructions on the web-site. We remind you that the sooner you do so,
the more chances are left to recover the files.

There is no other way to restore your files except of making the payment.
Any attempt to remove or corrupt this software will result in immediate
elimination of the private key by the server.

[Show files] [Enter Decrypt Key]'

The message in the wallpaper image and the text file is identical and it states:

All your documents, photos, databases and other important files have been encrypted
with strongest encryption RSA-2048 key, generated for this computer.

Private decryption key is stored on a secret Internet server and nobody can
decrypt your files until you pay and obtain the private key.

If you see the main encryptor red window, examine it and follow the instructions.
Otherwise, it seems that you or your antivirus deleted the encryptor program.
Now you have the last chance to decrypt your files.
Open in your browser one of the links:
They are public gates to the secret server.
Copy and paste the following Bitcoin address in the input form on server. Avoid missprints.
Follow the instructions on the server.

If you have problems with gates, use direct connection:

  1. Download Tor Browser from hxxp://
  2. In the Tor Browser open the hxxp://iq3ahijcfeont3xx.onion/
    Note that this server is available via Tor Browser only.
    Retry in 1 hour if site is not reachable.
    Copy and paste the following Bitcoin address in the input form on server. Avoid missprints.
    Follow the instructions on the server.

