
FORCE Ransomware

During an examination of potential malware threats, researchers uncovered the FORCE Ransomware. Once it infiltrates a device, FORCE encrypts a wide range of file types, including images, documents and spreadsheets. The attackers' objective is to hold the encrypted data hostage and coerce victims into paying for its decryption. To identify victims and establish communication, the ransomware appends a victim-specific identifier, the criminals' email address and a '.FORCE' extension to the names of encrypted files. For example, a file originally named '1.png' becomes '1.png.id[9ECFA74E-3545].[data199@mailum.com].FORCE'.

Upon completion of the encryption process, the system displays identical ransom notes in two formats: a pop-up window ('info.hta') and a text file ('info.txt'). These messages appear on the desktop and within all directories containing encrypted files. Further analysis revealed that FORCE belongs to the Phobos Ransomware family.
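The naming scheme described above is easy to triage mechanically during incident response. The following is an added example, not code from the original page or from any vendor: it parses the Phobos-style filename pattern '<name>.id[<id>].[<email>].<ext>', inventories encrypted files from a file listing and flags the 'info.hta' / 'info.txt' ransom notes. The file listing is constructed for illustration; the victim ID and contact address are the ones quoted on this page, and the shape of the ID (eight hex characters, a dash, four hex characters) is an assumption generalised from that single sample.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Filename pattern described on this page:
#   <original name>.id[<8 hex>-<4 hex>].[<contact e-mail>].<extension>
# The exact width of the ID is assumed from the one sample the page gives.
PHOBOS_NAME = re.compile(
    r"^(?P<original>.+?)"
    r"\.id\[(?P<victim_id>[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4})\]"
    r"\.\[(?P<contact>[^\]]+)\]"
    r"\.(?P<ext>[A-Za-z0-9]+)$"
)

# Ransom note filenames named on this page.
RANSOM_NOTES = {"info.hta", "info.txt"}


@dataclass
class EncryptedFile:
    path: str
    original: str
    victim_id: str
    contact: str
    extension: str


def basename(path: str) -> str:
    """Return the last path component; accepts Windows, UNC and POSIX separators."""
    return path.replace("\\", "/").rstrip("/").rsplit("/", 1)[-1]


def parse_encrypted_name(path: str) -> Optional[EncryptedFile]:
    """Return the parsed components if the filename matches the Phobos scheme, else None."""
    m = PHOBOS_NAME.match(basename(path))
    if not m:
        return None
    return EncryptedFile(
        path=path,
        original=m["original"],
        victim_id=m["victim_id"],
        contact=m["contact"],
        extension=m["ext"],
    )


def triage(paths: List[str]) -> Dict[str, object]:
    """Inventory encrypted files and ransom notes from a plain file listing."""
    encrypted: List[EncryptedFile] = []
    notes: List[str] = []
    for p in paths:
        if basename(p).lower() in RANSOM_NOTES:
            notes.append(p)
            continue
        parsed = parse_encrypted_name(p)
        if parsed is not None:
            encrypted.append(parsed)
    return {
        "encrypted": encrypted,
        "notes": notes,
        # Distinct values are what you hand to the responder / put in the IOC list.
        "victim_ids": sorted({e.victim_id for e in encrypted}),
        "contacts": sorted({e.contact for e in encrypted}),
        "extensions": sorted({e.extension for e in encrypted}),
    }


# Constructed listing for illustration (not real forensic data). One untouched
# file and one UNC path are included to show that only matching names are reported.
SAMPLE_LISTING = [
    r"C:\Users\alice\Pictures\1.png.id[9ECFA74E-3545].[data199@mailum.com].FORCE",
    r"C:\Users\alice\Documents\budget.xlsx.id[9ECFA74E-3545].[data199@mailum.com].FORCE",
    r"C:\Users\alice\Documents\info.txt",
    r"C:\Users\alice\Desktop\info.hta",
    r"C:\Users\alice\Documents\notes.txt",
    r"\\fileserver\share\report.docx.id[9ECFA74E-3545].[data199@mailum.com].FORCE",
]

if __name__ == "__main__":
    result = triage(SAMPLE_LISTING)
    print(f"{len(result['encrypted'])} encrypted files, {len(result['notes'])} ransom notes")
    print("victim IDs:", result["victim_ids"])
    print("contacts:  ", result["contacts"])
    for e in result["encrypted"]:
        print(f"  {e.original!r} -> {e.path}")
```

Running the script over a real directory walk (for example the output of `dir /s /b` on the affected host) gives you the original filenames to restore from backup, and the victim ID and contact address to match against other infected hosts. Because the original name is recovered from the encrypted name, the inventory can be produced without touching the encrypted files themselves, which matters given that renaming or modifying them can complicate later recovery.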

The FORCE Ransomware Extorts Victims for Money

The ransom notes issued by FORCE state that the victim's files have been encrypted and that data has been stolen. To supposedly regain access to their files, the victim is instructed to pay a ransom in Bitcoin only, and the note threatens to sell the stolen information if payment is not made. Before paying, the victim is offered a free test decryption, limited to two small files (at most 1 MB each) with simple extensions and excluding databases.

The messages caution against altering the encrypted files or using third-party recovery tools, as such actions may render the data irretrievable. Additionally, the victim is warned that seeking assistance from third parties could escalate their financial losses.

The FORCE Ransomware Takes Measures to Prevent Easy Recovery of Locked Data

This threatening program, part of the Phobos Ransomware family, is known for its methodical approach to encryption. Unlike some ransomware variants that render infected machines completely inoperable, Phobos encrypts selectively and skips the files the operating system needs, so the machine stays bootable and the victim can still read the ransom note. It encrypts both locally stored files and files on accessible network shares, and it terminates processes that hold files open (database engines, text editors and the like) so that a file cannot escape encryption simply because it is 'in use'.

To avoid encrypting a file twice, Phobos keeps an exclusion list of extensions used by other well-known ransomware families and leaves files that already carry one of them untouched. It also deletes the Volume Shadow Copies, a common recovery option, to further thwart attempts at data restoration.

To persist on the breached device, the malware copies itself into the %LOCALAPPDATA% folder and registers that copy under the Windows Run keys, so it is launched again after every reboot. Notably, Phobos may refrain from attacking devices based on their geolocation, in particular those in economically weak regions or in countries aligned with the operators.
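The two behaviours described above, shadow-copy deletion and Run-key persistence from %LOCALAPPDATA%, are also the most practical things to alert on, since they happen before or alongside encryption. Below is an added detection example, written for this page and not taken from any vendor or from the malware analysis itself: it runs three simple rules over constructed, Sysmon-style process-creation (event 1), registry-set (event 13) and file-creation (event 11) records and correlates them per actor. The event lines, the field layout ('EventID|Field=Value|...'), the dropped filename 'svchost.exe' and the specific shadow-copy deletion commands ('vssadmin delete shadows /all /quiet', 'wmic shadowcopy delete') are all assumptions for illustration; the page only says that Phobos deletes shadow copies, not how.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed, Sysmon-like event records for illustration only (not real telemetry).
# Assumed layout: "<EventID>|<Field>=<Value>|<Field>=<Value>..."
#   1  = process creation, 11 = file created, 13 = registry value set
# The path C:\Users\alice\AppData\Local\svchost.exe plays the dropped copy of the malware;
# the last two lines are benign activity that the rules must not flag.
SAMPLE_EVENTS = [
    "1|Image=C:\\Windows\\System32\\vssadmin.exe"
    "|CommandLine=vssadmin delete shadows /all /quiet"
    "|ParentImage=C:\\Users\\alice\\AppData\\Local\\svchost.exe",
    "1|Image=C:\\Windows\\System32\\wbem\\WMIC.exe"
    "|CommandLine=wmic shadowcopy delete"
    "|ParentImage=C:\\Users\\alice\\AppData\\Local\\svchost.exe",
    "13|Image=C:\\Users\\alice\\AppData\\Local\\svchost.exe"
    "|TargetObject=HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svchost"
    "|Details=C:\\Users\\alice\\AppData\\Local\\svchost.exe",
    "11|Image=C:\\Users\\alice\\Downloads\\invoice.exe"
    "|TargetFilename=C:\\Users\\alice\\AppData\\Local\\svchost.exe",
    "1|Image=C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE"
    "|CommandLine=winword.exe report.docx"
    "|ParentImage=C:\\Windows\\explorer.exe",
    "13|Image=C:\\Program Files\\Vendor\\Updater.exe"
    "|TargetObject=HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\VendorUpdater"
    "|Details=C:\\Program Files\\Vendor\\Updater.exe",
]

# Assumed command lines for shadow-copy deletion (the page does not name them).
SHADOW_DELETE = re.compile(r"(vssadmin.*delete\s+shadows|wmic.*shadowcopy\s+delete)", re.I)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run\\", re.I)
LOCALAPPDATA = re.compile(r"\\AppData\\Local\\", re.I)

Event = Dict[str, str]
Alert = Tuple[str, Event]


def parse_event(line: str) -> Event:
    """Split one assumed-layout record into a field dictionary."""
    event_id, *fields = line.split("|")
    ev: Event = {"EventID": event_id}
    for field in fields:
        key, _, value = field.partition("=")
        ev[key] = value
    return ev


def detect(lines: List[str]) -> List[Alert]:
    """Apply the three rules and return (rule name, event) pairs in input order."""
    alerts: List[Alert] = []
    for line in lines:
        ev = parse_event(line)
        eid = ev["EventID"]
        if eid == "1" and SHADOW_DELETE.search(ev.get("CommandLine", "")):
            alerts.append(("shadow_copy_deletion", ev))
        elif (eid == "13"
              and RUN_KEY.search(ev.get("TargetObject", ""))
              and LOCALAPPDATA.search(ev.get("Details", ""))):
            alerts.append(("run_key_persistence_from_localappdata", ev))
        elif (eid == "11"
              and LOCALAPPDATA.search(ev.get("TargetFilename", ""))
              and ev["TargetFilename"].lower().endswith(".exe")):
            alerts.append(("executable_dropped_in_localappdata", ev))
    return alerts


def suspect_images(alerts: List[Alert]) -> List[str]:
    """Return images that triggered at least two distinct rules.

    For shadow-copy deletion the actor is the parent (the malware spawns
    vssadmin/wmic); for the other rules it is the image itself.
    """
    rules_by_actor: Dict[str, set] = defaultdict(set)
    for rule, ev in alerts:
        actor = ev.get("ParentImage", "") if rule == "shadow_copy_deletion" else ev.get("Image", "")
        rules_by_actor[actor].add(rule)
    return sorted(actor for actor, rules in rules_by_actor.items() if len(rules) >= 2)


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for rule, ev in found:
        print(f"[{rule}] {ev.get('Image')}")
    print("high-confidence actors:", suspect_images(found))
```

A single Run-key write or a single vssadmin call is noisy on its own (installers and backup agents do both), which is why the example requires two distinct behaviours from the same actor before calling it high confidence. In a real deployment the same rules map directly onto Sysmon or EDR telemetry fields of the same names.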

Decrypting data locked by ransomware without the intervention of cyber criminals is typically impossible. Even if victims comply with ransom demands, there's no guarantee they'll receive the promised decryption keys or software. Therefore, paying the ransom not only fails to guarantee data recovery but also perpetuates illegal activities.

While removing ransomware from the operating system prevents further encryption, it doesn't restore compromised files. The only reliable solution is to recover files from a backup if one is available.

Don’t Take Chances with the Safety of Your Devices and Data

Users can enhance the defense of their data and devices against ransomware threats by implementing a multi-layered approach to cybersecurity. Here are some effective strategies:

  • Keep Software Updated: Regularly update operating systems, applications and security software to patch vulnerabilities that attackers exploit. Enable automatic updates whenever possible.
  • Install Trustworthy Security Software: Use reputable anti-malware software to detect and remove ransomware and other threats, and keep its signatures updated so it recognizes the latest variants.
  • Exercise Vigilance with Email Attachments and Links: Be wary of suspicious emails, especially from unknown senders or with unexpected attachments or links. Do not open links or attachments from unsolicited emails, as they may deliver ransomware or other malware.
  • Back Up Data Regularly: Set up a robust backup strategy by regularly backing up important data to an external hard drive, a cloud storage service or a network-attached storage (NAS) device. Store backups so they are not directly writable from the primary system; ransomware such as Phobos encrypts reachable network shares as well as local files, so a backup that stays mounted can be encrypted along with everything else.
  • Use Strong, Unique Passwords: Create strong, complex passwords for all accounts and never reuse a password across accounts. Consider a reputable password manager to generate and store them securely.
  • Enable Two-Factor Authentication (2FA): Enable two-factor authentication wherever it is offered. 2FA requires a second form of verification in addition to the password, such as a code from an authenticator app or a hardware security key.
  • Educate Users: Educate yourself and others about the hazards of ransomware and how to recognize and avoid potential threats. Train employees in sound cybersecurity practices, including how to recognize phishing emails and suspicious websites.
  • Limit User Privileges: Restrict user privileges to what each job function actually requires. Limiting permissions makes it harder for ransomware to spread laterally across the network and reach sensitive data.

By adopting these proactive measures, users significantly reduce their chances of falling victim to a ransomware attack and better protect their data and devices.

The ransom note dropped by FORCE Ransomware is:

'Your files are encrypted.

Your data has been compromised, important data has been stolen for the next sale in case of non-payment. But you have the opportunity to return everything.
Write to e-mail: data199@mailum.com
Write this ID in the title of your message -
Or write us to the TOX messenger: F9B62A229F748C0211804208C4229133B1D395CC746C3ACBF80255D2E4484F03306DA0FE3ACB
You can download TOX messenger here hxxps://tox.chat/
Payment for decryption is accepted only in Bitcoin. After payment, I will provide you with the key and complete decryption instructions.

Free decryption as guarantee
Decryption guarantee: you can send to me any 2 files with SIMPLE extensions(jpg,txt,doc, not databases!) and low sizes(max 1 mb), i will decrypt them and send back to you. This is my guarantee.
I don't want to deceive you, I want to earn money. You pay me and continue your work. My honest name is more important than a one-time deception.

How to obtain Bitcoins
Contact me and I will give you instructions on how to purchase bitcoins.

Attention!
Do not rename encrypted files.
Do not try to decrypt your data using third party software, it may cause permanent data loss.
Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.
The intermediary can also convince you that they can restore your data themselves without contacting us, this is not true, any recovery takes place only with my key.'
