
GCNI Ransomware

Users should in no way underestimate the GCNI Ransomware's ability to cause damage. Infosec researchers have identified the GCNI Ransomware as a variant of the Spora Ransomware family. The strong encryption algorithm employed by GCNI is capable of completely locking any of the numerous file types it targets. Victims who wish to restore access to their data are extorted by the attackers, who will supposedly send the needed decryption key after being paid.

During its encryption process, GCNI modifies the names of the locked files significantly. It adds an ID string, an email address and a new file extension. The ID is unique for each victim, the email address is 'FilesRecoverEN@Gmail.com', and the file extension is '.GCNI'. The threat drops two ransom notes on the breached systems. One is contained inside a text file named 'Read_Me!_.txt', while the other is displayed in a pop-up window.

Ransom Note's Overview

The two notes share most of the same details. They state that victims will need to pay a ransom using the Bitcoin cryptocurrency. Victims are also told to contact the hackers within 48 hours of the attack or risk having to pay double the initial ransom amount. If victims take too long to establish contact, the decryption key necessary for the restoration of their data will be deleted from the hackers' servers, rendering the files unrecoverable.

The note mentions two email addresses that are under the control of the attackers - 'FilesRecoverEN@Gmail.com' and 'FilesRecoverEN@Onionmail.org.' As part of their message, victims are told to send a couple of locked files that should be decrypted and returned for free. The only requirements found in the note are that the files must be less than 2MB in size and should not contain any important information.
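For responders scoping an incident, the indicators described above (the '.GCNI' extension, the address embedded in file names, and the 'Read_Me!_.txt' note) can be swept for across a file share. The following triage script is an added example, not part of the original write-up; it assumes only that renamed files end in '.GCNI' and makes no assumption about the order of the ID and address within the name.

```python
import os
from collections import Counter

# Indicators taken from the write-up above.
EXTENSION = ".gcni"
NOTE_NAME = "read_me!_.txt"
CONTACTS = ("filesrecoveren@gmail.com", "filesrecoveren@onionmail.org")


def is_ransom_note(path):
    """True if the file has the note's name and mentions a contact address."""
    if os.path.basename(path).lower() != NOTE_NAME:
        return False
    try:
        with open(path, "r", errors="ignore") as fh:
            text = fh.read(64 * 1024).lower()  # notes are small; cap the read
    except OSError:
        return False
    return any(addr in text for addr in CONTACTS)


def scan(root):
    """Walk root and collect renamed files, ransom notes and per-directory counts."""
    renamed, notes, per_dir = [], [], Counter()
    for dirpath, _dirs, files in os.walk(root, onerror=lambda e: None):
        for name in files:
            full = os.path.join(dirpath, name)
            lowered = name.lower()
            if lowered.endswith(EXTENSION):
                # The address embedded in the name raises confidence that
                # this is GCNI and not an unrelated use of the extension.
                renamed.append((full, CONTACTS[0] in lowered))
                per_dir[dirpath] += 1
            elif is_ransom_note(full):
                notes.append(full)
    return {"renamed": renamed, "notes": notes, "per_dir": per_dir}


if __name__ == "__main__":
    import sys
    result = scan(sys.argv[1] if len(sys.argv) > 1 else ".")
    for path, has_addr in result["renamed"]:
        print("renamed", "addr-in-name" if has_addr else "ext-only", path)
    for path in result["notes"]:
        print("note", path)
    for directory, count in result["per_dir"].most_common(10):
        print(count, directory)
```

The per-directory counts show where encryption was concentrated, which helps decide which shares and hosts to isolate and restore first.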

The message in the text file is:

'All Your Files Encrypted With Strongest Encryption Algorithm !

If You Really Need Your Files Please Send Us E-mail To Get Decryption Tools and Instructions
You Must Send Some Locked Files To Us For Decryption Test(Before Paying) !

If You Do Not E-mail Us And Do Not Need Your Files After A whlie Our Servers Will Remove Your Decrypion Keys From Servers !!!

Your Unique ID:
Email Address: FilesRecoverEN@Gmail.com

Attention!!!
Subject Your Unique ID

Do Not Edit Or Rename Encrypted Files.

If You Do Not E-mail Us After 48 Hours Decryption Fee Will Double.
Do Not Try To Decrypt Files By Third-Party Or Data Recovery Softwares It May Damage Files.
In Case Of Trying To Decrypt Files With Third-Party Sofwares,This May Make The Decryption Harder So Prices Will Be Rise.'

The pop-up window displays the following instructions:

'All Your Files Have Been Encrypted !

All Your Files Encrypted Due To A Security Problem With Your PC (With Strongest Encryption Algorithm). If You Really Need Your Files Please Send Us E-mail To Get Decryption Tools .
The Only Way Of Recovering Files Is To Purchase For Decryption Tools ( Payment Must Be Made With Bitcoin ) . If You Do Not E-mail Us After 48 Hours Decryption Fee Will Double.
If You Do Not E-mail Us And Do Not Need Your Files After A whlie Automatically Our Servers Will Delete Your Decrypion Keys From Servers !
Our E-mail Address : FilesRecoverEN@Gmail.com
Your Personal ID : -
Sent E-mail Should Be Contains Your Personal ID.If Don't Get a Response Or Any Other Problem Write Us E-mail At : FilesRecoverEN@Onionmail.org
Check Your Spam Folder Too.

What Guarantee Do We Give You ?
You Can (Must) Send Some Files For Decryption Test( Before Paying ). File Size Must Be Less Than 2MB And Files Should Not Contains Valuabe Data Like (Backups , Databases etc … ) .

How To Buy Bitcoins
Get Buy Bitcoin Instructions At LocalBitcoins :
hxxps://localbitcoins.com/guides/how-to-buy-bitcoins
Buy Bitcoin Instructions At Coindesk And Other Websites By Searching At Google :
hxxp://www.coindesk.com/information/how-can-i-buy-bitcoins/

Attention !!
Do Not Edit Or Rename Encrypted Files.
Do Not Try To Decrypt Files By Third-Party Or Data Recovery Softwares It May Damage Files Forever.
In Case Of Trying To Decrypt Files With Third-Party,Recovery Sofwares This May Make The Decryption Harder So Prices Will Be Rise.
'
