File Ransomware
Cybersecurity researchers are warning users about a hurtful ransomware threat named the File Ransomware. The File Ransomware is capable of locking numerous different file types, effectively stopping users from accessing their own data. The attackers can use the encrypted files as leverage to extort money from their victims. Although the File Ransomware has been confirmed to be a variant from the Phobos malware family, its capacity to cause damage remains significant.
Victims of the File Ransomware will notice that all affected files have significantly modified names. Indeed, the File Ransomware adds an ID string, an email address controlled by the attackers, and '.FILE' to the names of the encrypted files. In addition, the malware will drop two new files on the breached device. Named 'info.hta' and 'info.txt,' these files are tasked with carrying the attackers' ransom notes.
The .hta file is used as a source for a pop-up window. However, the ransom-demanding message displayed in it is extremely short and mostly contains information on how victims can contact the cybercriminals. The note mentions two email addresses - 'teamchic@yandex.com' and 'teamchica@yandex.com,' as well as two Jabber accounts - 'teamchic@jabb.im' and 'teamchic@exploit.im.'
The full set of instructions left by the File Ransomware can be found in the threat's text file. It notifies victims that the amount demanded as a ransom will be based on how soon they reach out to the attackers. Furthermore, only payments in Bitcoin will be accepted. The hackers also state that they are willing to decrypt up to 5 files for free. However, the chosen files must have a total size of less than 4MB and should not contain any important data.
The ransom note delivered as a text file is:
'All your files have been encrypted!
All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail teamchic@yandex.com
Write this ID in the title of your message -
In case of no answer in 24 hours write us to this e-mail:teamchica@yandex.com
If there is no response from our mail, you can install the Jabber client and write to us in support of teamchic@jabb.im or teamchic@exploit.im
You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the tool that will decrypt all your files.Free decryption as guarantee
Before paying you can send us up to 5 files for free decryption. The total size of files must be less than 4Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.)How to obtain Bitcoins
The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price.
hxxps://localbitcoins.com/buy_bitcoins
Also you can find other places to buy Bitcoins and beginners guide here:
hxxp://www.coindesk.com/information/how-can-i-buy-bitcoins/Jabber client installation instructions:
Download the jabber (Pidgin) client from hxxps://pidgin.im/download/windows/
After installation, the Pidgin client will prompt you to create a new account.
Click "Add"
In the "Protocol" field, select XMPP
In "Username" - come up with any name
In the field "domain" - enter any jabber-server, there are a lot of them, for example - exploit.im
Create a password
At the bottom, put a tick "Create account"
Click add
If you selected "domain" - exploit.im, then a new window should appear in which you will need to re-enter your data:
User
password
You will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below)
If you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - hxxps://www.youtube.com/results?search_query=pidgin+jabber+installAttention!
Do not rename encrypted files.
Do not try to decrypt your data using third party software, it may cause permanent data loss.
Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.The message shown as a pop-up window is:
!!!All of your files are encrypted!!!
To decrypt them send e-mail to this address: teamchic@yandex.com.
If we don't answer in 24h., send e-mail to this address: teamchica@yandex.com
If there is no response from our mail, you can install the Jabber client and write to us in support of teamchic@jabb.im or teamchic@exploit.im'
