
GrafGrafel Ransomware

Researchers have identified a malicious program known as GrafGrafel. It belongs to the ransomware category, a class of threatening software that encrypts data and demands payment for its decryption. Once executed on a victim's device, GrafGrafel encrypts numerous files stored on the system and modifies their filenames. Each original filename is appended with a unique ID assigned to the specific victim, the email address of the cybercriminals, and a '.GrafGrafel' extension. For example, a file originally named '1.doc' would become '1.doc.id[9ECFA84E-3511].[GrafGrafel@tutanota.com].GrafGrafel' after encryption. GrafGrafel has been identified as a variant within the Phobos Ransomware family.

After completing the encryption process, GrafGrafel deploys its ransom notes. One form of notification is presented as a pop-up generated from the 'info.hta' file, while text files named 'info.txt' are placed in all folders containing encrypted data, as well as on the desktop of the system. Analysis of the messages within these notes reveals that GrafGrafel specifically targets companies rather than individual home users. Furthermore, it employs double extortion tactics, indicating an enhanced level of sophistication in its strategy.
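The renaming scheme and the ransom note names described above are enough for a simple triage script. The following Python is an added example written for this page, not code from the article or from the analysis it summarises; it assumes a directory listing is available as a list of Windows paths, and the sample listing inside it is constructed. It parses the '<name>.id[<victim id>].[<email>].GrafGrafel' pattern, flags the 'info.hta' and 'info.txt' notes, and collects the victim IDs seen.

```python
import ntpath
import re
from typing import Dict, Iterable, List, NamedTuple, Optional, Set

# Naming scheme described in the text:
#   <original name>.id[<victim id>].[<attacker email>].GrafGrafel
# The victim id in the article's sample ('9ECFA84E-3511') is an 8-hex-digit
# block, a dash and a 4-hex-digit block, which is what the pattern expects.
ENCRYPTED_NAME_RE = re.compile(
    r"^(?P<original>.+)"
    r"\.id\[(?P<victim_id>[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4})\]"
    r"\.\[(?P<email>[^\]\s]+@[^\]\s]+)\]"
    r"\.GrafGrafel$"
)

# Ransom note file names named in the text.
RANSOM_NOTE_NAMES = {"info.hta", "info.txt"}


class EncryptedFile(NamedTuple):
    path: str
    original_name: str
    victim_id: str
    contact_email: str


def parse_encrypted_name(path: str) -> Optional[EncryptedFile]:
    """Return the components of a GrafGrafel-style filename, or None."""
    name = ntpath.basename(path)  # ntpath splits Windows separators on any host
    match = ENCRYPTED_NAME_RE.match(name)
    if match is None:
        return None
    return EncryptedFile(path, match["original"], match["victim_id"], match["email"])


def is_ransom_note(path: str) -> bool:
    return ntpath.basename(path).lower() in RANSOM_NOTE_NAMES


def triage_listing(paths: Iterable[str]) -> Dict[str, object]:
    """Summarise a listing: encrypted files, ransom notes and victim ids seen."""
    encrypted: List[EncryptedFile] = []
    notes: List[str] = []
    for path in paths:
        parsed = parse_encrypted_name(path)
        if parsed is not None:
            encrypted.append(parsed)
        elif is_ransom_note(path):
            notes.append(path)
    victim_ids: Set[str] = {f.victim_id for f in encrypted}
    return {
        "encrypted_files": encrypted,
        "ransom_notes": notes,
        "victim_ids": victim_ids,
        # One infected host is expected to carry a single victim id; more than
        # one suggests files from several incidents were mixed into the listing.
        "single_incident": len(victim_ids) <= 1,
    }


# Constructed sample listing (not from a real infection): two renamed
# documents, two ransom notes and two untouched files.
SAMPLE_LISTING = [
    r"C:\Users\alice\Documents\1.doc.id[9ECFA84E-3511].[GrafGrafel@tutanota.com].GrafGrafel",
    r"C:\Users\alice\Documents\info.txt",
    r"C:\Users\alice\Desktop\budget.xlsx.id[9ECFA84E-3511].[GrafGrafel@tutanota.com].GrafGrafel",
    r"C:\Users\alice\Desktop\info.hta",
    r"C:\Users\alice\Pictures\holiday.jpg",
    r"C:\Windows\System32\ntoskrnl.exe",
]

if __name__ == "__main__":
    summary = triage_listing(SAMPLE_LISTING)
    for f in summary["encrypted_files"]:
        print(f"{f.original_name} -> victim id {f.victim_id}, contact {f.contact_email}")
    print("ransom notes:", summary["ransom_notes"])
    print("victim ids:", sorted(summary["victim_ids"]))
```

The victim ID is the value the note later asks the victim to put in the title of any message, so recording it per host makes it possible to tell whether several hosts belong to one incident or to separate ones.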

The GrafGrafel Ransomware May Also Collect Sensitive Data from Victims

The content displayed in both the pop-up and text files is identical. It communicates that the victim's files have been encrypted, with the added threat that sensitive company data has been exfiltrated. The attackers demand a ransom, warning that failure to comply will result in the leaking of the stolen information and the continued inaccessibility of the locked data. These notes explicitly outline the risks associated with potential company data leaks. Notably, if the victim contacts the cybercriminals within a six-hour window, the ransom amount will be reduced by 30%.

Before making any payments, the victim is advised to test the decryption process on a few small files. The messages caution against actions that could result in permanent data loss, such as restarting or shutting down the system, modifying affected files, using third-party decryption tools, or seeking assistance from recovery companies or authorities.

The GrafGrafel ransomware encrypts both local and network-shared files, with critical system files remaining unaffected to ensure the infected system remains operational. While the Phobos Ransomware variants avoid double encryption by exempting files already locked by other ransomware, this process is not flawless due to a predetermined exemption list that may not cover all known data-encrypting malware.

Phobos variants also terminate processes associated with open files (e.g., database programs, file readers, etc.), so that those files cannot escape encryption on the grounds that they are 'in use.' To further complicate recovery, GrafGrafel deletes the Shadow Volume Copies, eliminating the default recovery options. The ransomware establishes persistence by copying itself to the %LOCALAPPDATA% path and registering that copy under specific Run keys, ensuring automatic startup upon system reboot.
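To turn the shadow copy deletion and the persistence behaviour into a detection, here is an added Python example (not code from the page or from any vendor tool) that runs two rules over constructed, Sysmon-style event records: a process creation whose command line deletes shadow copies, and a Run/RunOnce registry value pointed at a file under %LOCALAPPDATA%. The page does not say which command GrafGrafel uses to remove the Shadow Volume Copies; the rule assumes the vssadmin and wmic command shapes, and the field names and sample events are simplified constructions.

```python
import re
from typing import Dict, List

# Assumption (not stated on the page): shadow copies are most commonly removed
# through vssadmin or wmic, so the rule keys on those two command shapes. A
# different deletion method would need its own rule.
SHADOW_DELETE_RE = re.compile(
    r"\b(?:vssadmin(?:\.exe)?\"?\s+delete\s+shadows"
    r"|wmic(?:\.exe)?\"?\s+shadowcopy\s+delete)\b",
    re.IGNORECASE,
)
# Run / RunOnce keys in either the per-user or the machine hive.
RUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\", re.IGNORECASE
)
# %LOCALAPPDATA% expands to <profile>\AppData\Local on a default install.
LOCALAPPDATA_RE = re.compile(r"\\AppData\\Local\\", re.IGNORECASE)


def is_shadow_copy_deletion(cmdline: str) -> bool:
    """True for command lines that delete shadow copies (list/create are ignored)."""
    return SHADOW_DELETE_RE.search(cmdline) is not None


def is_run_key_to_localappdata(target_object: str, value_data: str) -> bool:
    """True when a Run/RunOnce value is being pointed at a file under %LOCALAPPDATA%."""
    return (
        RUN_KEY_RE.search(target_object) is not None
        and LOCALAPPDATA_RE.search(value_data) is not None
    )


def detect(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Apply both rules to a list of event records and return the findings."""
    findings: List[Dict[str, object]] = []
    for idx, ev in enumerate(events):
        if ev["type"] == "ProcessCreate" and is_shadow_copy_deletion(ev.get("cmdline", "")):
            findings.append({"rule": "shadow_copy_deletion", "event": idx, "evidence": ev["cmdline"]})
        elif ev["type"] == "RegistryValueSet" and is_run_key_to_localappdata(
            ev.get("target", ""), ev.get("details", "")
        ):
            findings.append({"rule": "run_key_localappdata", "event": idx, "evidence": ev["target"]})
    return findings


# Constructed sample events (field names simplified; the 'updater' value name,
# SID and paths are made up for the example, not indicators from the page).
SAMPLE_EVENTS = [
    {"type": "ProcessCreate", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"type": "RegistryValueSet",
     "target": r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001\Software\Microsoft\Windows\CurrentVersion\Run\updater",
     "details": r"C:\Users\alice\AppData\Local\updater.exe"},
    {"type": "ProcessCreate", "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": r"notepad.exe C:\Users\alice\Desktop\notes.txt"},
    {"type": "RegistryValueSet",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealth",
     "details": r"C:\Windows\system32\SecurityHealthSystray.exe"},
    {"type": "ProcessCreate", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe list shadows"},
]

if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(f"[{finding['rule']}] event {finding['event']}: {finding['evidence']}")
```

A Run key entry that points into AppData\Local is not malicious on its own; many per-user installers register themselves that way. Treat that rule as a triage signal and weight it by what else the host shows, such as a shadow copy deletion shortly before it or files carrying the renaming pattern described earlier.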

Additionally, Phobos attacks may be targeted, as the malware collects geolocation data. This information could be leveraged to assess the worthiness of expanding the infection based on factors such as geopolitical considerations or the economic strength of the victim's region.

Make Sure to Implement Sufficient Security Measures against Malware Threats

Users can implement various security measures on their devices to safeguard against malware attacks. Here are key recommendations:

  • Use Anti-malware Software: Install professional security software and keep it up to date. Regularly schedule scans to detect and remove malware.
  • Keep Operating Systems Updated: Ensure that the operating system (OS) and all software applications are updated with the latest available security patches. Enable automatic updates when possible.
  • Enable Firewalls: Activate firewalls on both the device and network levels. Firewalls are useful in monitoring and controlling incoming and outgoing network traffic, providing an additional layer of defense.
  • Exercise Caution with Email Attachments and Links: Be cautious when handling email attachments or clicking on links, especially if the sender is unfamiliar. Use email filtering tools to help identify and filter out potentially malicious emails.
  • Use Strong, Unique Passwords: Always create strong and unique passwords for all accounts. At the same time, make sure to avoid using the same password across multiple accounts.
  • Regularly Back Up Data: Regularly back up important data to an external device or a secure cloud service. In the event of a malware attack, having up-to-date backups can help restore lost or encrypted files.
  • Stay Informed: Keep track of the latest malware threats and security best practices. Regularly check for updates from security sources and be aware of common tactics used by cybercriminals.
  • Secure Wi-Fi Networks: Use strong encryption (e.g., WPA3) on home Wi-Fi networks. Change default router passwords and regularly update them. Avoid using public Wi-Fi for sensitive activities.

By combining these security measures, users can significantly enhance their protection against malware and other cyber threats. Additionally, cultivating a security-conscious mindset and staying vigilant are essential aspects of keeping a secure digital environment.

The full text of the ransom note presented to victims of GrafGrafel Ransomware is:

'!!! ATTENTION !!!

Your network is hacked and files are encrypted.
Including the encrypted data we also downloaded other confidential information: data of your employees, customers, partners, as well as accounting and other internal documentation of your company.

About Data
All data is stored until you will pay.
After payment we will provide you the programs for decryption and we will delete your data
We dont want did something bad to your company, it is just bussines (Our reputation is our money!)
If you refuse to negotiate with us (for any reason) all your data will be put up for sale.

What you will face if your data gets on the black market:
The personal information of your employees and customers may be used to obtain a loan or purchases in online stores.
You may be sued by clients of your company for leaking information that was confidential.
After other hackers obtain personal data about your employees, social engineering will be applied to your company and subsequent attacks will only intensify.
Bank details and passports can be used to create bank accounts and online wallets through which criminal money will be laundered.
You will forever lose the reputation.
You will be subject to huge fines from the government.
You can learn more about liability for data loss here: hxxps://en.wikipedia.org/wiki/General_Data_Protection_Regulationor here hxxps://gdpr-info.eu
Courts, fines and the inability to use important files will lead you to huge losses. The consequences of this will be irreversible for you.
Contacting the police will not save you from these consequences, and lost data, will only make your situation worse.

How to contact us
Write us to the mails: GrafGrafel@tutanota.com
You can contact our online operator in telegram: @GROUNDINGCONDUCTOR (BE CAREFUL ABOUT FAKE)
Download the (Session) messenger hxxps://getsession.org in messenger :ID"05bc5e20c9c6fbfd9a58bfa222cecd4bbf9b5cf4e1ecde84a0b8b3de23ce8e144e"
Write this ID in the title of your message -
IF YOU WILL CONTACT US IN FIRST 6 hours , and we close our deal in 24 hours , PRICE WILL BE ONLY 30%.
(time is money for both of us , if you will take care about our time , we will do same , we will care of price and decryption process will be done VERY FAST)
ALL DOWNLOADED DATA WILL BE DELETED after payment.

What no to do and recomendation
You can get out of this situation with minimal losses (Our reputation is our money!) !!! To do this you must strictly observe the following rules:
DO NOT Modify, DO NOT rename, DO NOT copy, DO NOT move any files. Such actions may DAMAGE them and decryption will be impossible.
DO NOT use any third party or public decryption software, it may also DAMAGE files.
DO NOT Shutdown or Reboot the system this may DAMAGE files.
DO NOT hire any third party negotiators (recovery/police, etc.) You need to contact us as soon as possible and start negotiations.
You can send us 1-2 small data not value files for test , we will decrypt it and send it to you back.
After payment we need no more that 2 hours to decrypt all of your data. We will be support you untill fully decryption going to be done! ! ! (Our reputation is our money!)

Instructions for contacting our team:
Download the (Session) messenger (hxxps://getsession.org) in messenger :ID"05bc5e20c9c6fbfd9a58bfa222cecd4bbf9b5cf4e1ecde84a0b8b3de23ce8e144e"
Telrgram : @GROUNDINGCONDUCTOR (BE CAREFUL ABOUT FAKE)
MAIL:GrafGrafel@tutanota.com'
