Gendarmerie Ransomware

By GoldSparrow in Ransomware

The Gendarmerie Ransomware is an encryption ransomware Trojan that impersonates law enforcement, much like the ransomware Trojans that impersonate the FBI and target computer users in the United States. In the case of the Gendarmerie Ransomware, the entity being impersonated is the FBI equivalent in France, and victims of the Gendarmerie Ransomware attack are generally in that country. The Gendarmerie Ransomware is delivered to victims through phishing email messages that use social engineering tactics to trick computer users into opening corrupted file attachments.

How the Gendarmerie Ransomware Carries out Its Attack

The Gendarmerie Ransomware is a variant of Hidden Tear, an open source ransomware platform that has generated countless ransomware variants since its initial release in August 2015. The Gendarmerie Ransomware encrypts the victim's files, looking for files with commonly used extensions such as the following:

.3gp, .7z, .apk, .avi, .bmp, .cdr, .cer, .chm, .conf, .css, .csv, .dat, .db, .dbf, .djvu, .dbx, .docm, .doc, .epub, .docx, .fb2, .flv, .gif, .gz, .iso, .ibooks, .jpeg, .jpg, .key, .mdb, .md2, .mdf, .mht, .mobi, .mhtm, .mkv, .mov, .mp3, .mp4, .mpg, .mpeg, .pict, .pdf, .pps, .pkg, .png, .ppt, .pptx, .ppsx, .psd, .rar, .rtf, .scr, .swf, .sav, .tiff, .tif, .tbl, .torrent, .txt, .vsd, .wmv, .xls, .xlsx, .xps, .xml, .ckp, .zip, .java, .py, .asm, .c, .cpp, .cs, .js, .php, .dacpac, .rbw, .rb, .mrg, .dcx, .db3, .sql, .sqlite3, .sqlite, .sqlitedb, .psd, .psp, .pdb, .dxf, .dwg, .drw, .casb, .ccp, .cal, .cmx, .cr2.

Once the victim's files have been encrypted with AES-256, they become inaccessible; the Gendarmerie Ransomware effectively takes them hostage. It adds the file extension '.hacking' to each affected file, which can then no longer be read by the victim's software or operating system.

The Gendarmerie Ransomware’s Ransom Demand

The Gendarmerie Ransomware delivers a ransom note in the form of a text file named 'Message_Important.txt', which is displayed on the infected computer's desktop when the Gendarmerie Ransomware finishes encrypting the files. The full text of the Gendarmerie Ransomware ransom note reads:

'instruction à faire pour récupérer la clé de décryptage de vos fichiers crypter
email de contact : fbi-cybercrimedivision@hotmail.com
1) acheter des coupons neosurf de 100€ ,euros .
2) vous pouvez acheter les coupons neosurf ici https://www.recharge.fr/carte-neosurf
3) vous pouvez aussi acheter les coupons neosurf ici https://www.neosurf.com/fr_FR ou dans les bureaux de tabac
4) dès que je reçois les coupons neosurf ,je vous envoie la clé de décryptage par email.
Contact Email : fbi-cybercrimedivision@hotmail.com'

Translated into English, here is the text of the Gendarmerie Ransomware ransom note:

'instruction on how to recover the decryption key for your encrypted files
contact email: fbi-cybercrimedivision@hotmail.com
1) buy neosurf coupons of 100 €, euros.
2) you can buy neosurf coupons here hxxps://www.recharge.fr/carte-neosurf
3) you can also buy neosurf coupons here hxxps://www.neosurf.com/fr_FR or at tobacco shops
4) As soon as I receive the neosurf coupons, I send you the decryption key by email.
Contact Email: fbi-cybercrimedivision@hotmail.com'

As is clear, the Gendarmerie Ransomware is impersonating the police. Needless to say, there is no connection between the Gendarmerie Ransomware and any legitimate law enforcement services. The Gendarmerie Ransomware's ransom note is clearly a tactic designed to force computer users to pay a ransom amount. PC security researchers advise computer users to ignore any of the claims in the Gendarmerie Ransomware's ransom note and to refrain from paying the 'fine' or contacting the criminals at the provided email address.
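The two file-system indicators described above, the '.hacking' extension and the 'Message_Important.txt' note, can be swept for during incident triage to gauge how far the encryption reached. The following Python script is an added example, not code from the original article; the function names, the assumption that '.hacking' is appended after the original extension, and the sample directory tree are constructed for illustration.

```python
import os
import tempfile
from collections import Counter
from pathlib import Path

SUFFIX = ".hacking"                   # extension named in the article
NOTE = "message_important.txt"        # ransom note name from the article, lowercased

def triage(root):
    """Read-only sweep of root for the two file-system indicators."""
    hits, notes, by_ext = [], [], Counter()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path, lower = Path(dirpath) / name, name.lower()
            if lower == NOTE:
                notes.append(path)
            elif lower.endswith(SUFFIX) and len(lower) > len(SUFFIX):
                try:
                    mtime = path.stat().st_mtime
                except OSError:        # file vanished or access denied: skip it
                    continue
                hits.append((mtime, path))
                # Assumption: the suffix is appended after the original extension.
                original = Path(name[:-len(SUFFIX)]).suffix.lower()
                by_ext[original or "(none)"] += 1
    hits.sort()
    return {
        "encrypted": [p for _, p in hits],
        "notes": notes,
        "by_original_ext": dict(by_ext),
        # Oldest/newest mtime roughly brackets when encryption ran.
        "mtime_window": (hits[0][0], hits[-1][0]) if hits else None,
    }

def build_sample_tree(root):
    """Constructed sample data: empty files laid out like an affected profile."""
    layout = {"Documents/report.docx.hacking": 1000, "Pictures/photo.JPG.HACKING": 1060,
              "Documents/notes.txt": 900, "Desktop/Message_Important.txt": 1070,
              "Documents/.hacking": 950}   # bare name with no stem: not counted
    for rel, mtime in layout.items():
        path = Path(root) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.touch()
        os.utime(path, (mtime, mtime))
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for key, value in triage(build_sample_tree(tmp)).items():
            print(key, value)
```

Pointing `triage()` at a user profile or file share gives a per-extension count of affected files, which helps decide which backups need to be restored.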

Protecting Your Files from Attacks Like the Gendarmerie Ransomware

The best protection against the Gendarmerie Ransomware and similar encryption ransomware Trojans is to have file backups. Having backup copies of their files means that victims can restore them without having to contact the con artists. Unfortunately, the encryption method used is quite strong, and it may be impossible with current technology to restore the files without access to the decryption key. File backups, coupled with a reliable security program, are the best protection against the Gendarmerie Ransomware and similar threats.
