Gray Hat Ransomware
The Gray Hat Ransomware (also tracked as Clay Ransomware) is a threat created by cybercriminals to perform one main task: locking the files stored on the compromised devices. Victims will be left unable to access or use the affected data, as it will be encrypted with a strong cryptographic algorithm. To potentially restore their files, victims will need the decryption key that only the attackers possess.
Whenever Gray Hat Ransomware locks a file from its list of targeted file types, it marks the file by appending '.clay' to its original name as a new extension. When all suitable files are encrypted, the threat generates a pop-up window containing its ransom note. An identical message will also be dropped on the breached system as a text file named '_RECOVER__FILES.clay.txt'.
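The two file-system markers described above ('.clay' appended to the original name, and a note named '_RECOVER__FILES.clay.txt') are enough to scope the damage on a host during incident response. The following is an added example, not code from the original page: the function names and the sample tree are constructed for illustration, and it goes beyond the page by recording the range of modification times on the marked files as a rough encryption window, on the assumption that those timestamps were not altered.

```python
import os
import tempfile
from collections import Counter
from datetime import datetime, timezone

ENCRYPTED_EXT = ".clay"                  # extension named on this page
NOTE_NAME = "_RECOVER__FILES.clay.txt"   # ransom note file name named on this page


def triage(root):
    """Walk root and summarise Gray Hat/Clay artefacts for an incident report."""
    encrypted, notes, mtimes = [], [], []
    original_types = Counter()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            lower = name.lower()
            if lower == NOTE_NAME.lower():
                notes.append(path)       # note ends in .txt, so it is not counted as encrypted
            elif lower.endswith(ENCRYPTED_EXT) and len(name) > len(ENCRYPTED_EXT):
                original = name[:-len(ENCRYPTED_EXT)]   # name before the marker was appended
                original_types[os.path.splitext(original)[1].lower() or "(none)"] += 1
                encrypted.append(path)
                try:
                    mtimes.append(os.stat(path).st_mtime)
                except OSError:
                    pass                 # unreadable file is still listed, just not timed
    window = None
    if mtimes:
        window = tuple(datetime.fromtimestamp(t, timezone.utc) for t in (min(mtimes), max(mtimes)))
    return {"encrypted": sorted(encrypted), "notes": sorted(notes),
            "original_types": dict(original_types), "mtime_window_utc": window}


def build_sample_tree(root):
    """Constructed sample data: empty files whose names mimic an affected folder."""
    for rel in ("docs/report.docx.clay", "docs/budget.xlsx.clay", "docs/readme.md",
                "pics/photo.JPG.CLAY", "pics/README.clay", "_RECOVER__FILES.clay.txt"):
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        result = triage(tmp)
        print(len(result["encrypted"]), "encrypted,", len(result["notes"]), "note(s)")
        print(result["original_types"], result["mtime_window_utc"])
```

The per-extension counts show which file types were hit, which helps decide what has to come back from backup.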
Ransom Note's Details
Looking at the pop-up window created by Gray Hat Ransomware, the first thing victims will see is the total number of their files that have been encrypted. The hackers then state that they want to receive a ransom of exactly 0.01 BTC (Bitcoin). The Bitcoin cryptocurrency is notorious for its volatility but, at the current exchange rate, the ransom amounts to approximately $500. The funds are supposed to be transferred to the crypto-wallet address mentioned in the note. Afterward, victims are instructed to contact the attackers via the 'Clay_whoami_1@protonmail.ch' email address.
The pop-up window displays the following instructions:
'HACKED BY CLAY
GRAY HAT
!Your files (-) have been encrypted
In order to recover your data…Please send 0.01 Bitcoin(s) to the following BTC address:
Next, E-mail your transaction ID to the following address:
Clay_whoami_1@protonmail.ch.'
The text file created by Gray Hat Ransomware delivers the following message:
'All of your files have been encrypted.
To unlock them, please send 0.01 bitcoin(s) to BTC address:
Afterwards, please email your transaction ID to: Clay_whoami_1@protonmail.ch
Thank you and have a nice day!'