
Group Ransomware

By GoldSparrow in Ransomware

New ransomware threats emerge daily, and malware researchers struggle to keep up with the stream of data-locking Trojans. Even individuals with little or no experience in cybercrime can build and distribute their own ransomware by borrowing the code of an established file-encrypting Trojan and tweaking it slightly.

Propagation and Encryption

The Group Ransomware is precisely such a case. Once malware researchers spotted this threat and dissected it, they found that it is a variant of the widespread Dharma Ransomware. The exact infection vectors used to distribute the Group Ransomware have not been confirmed; likely candidates include bogus application updates, spam email campaigns, and fake pirated copies of popular software. Other Dharma variants have repeatedly been observed being installed by hand after attackers brute-force exposed Remote Desktop (RDP) logins, so an Internet-facing RDP service is worth checking first during an investigation. Regardless of how the Group Ransomware reaches a PC, its first job is to scan the host to locate the files it will target for encryption. It then encrypts the targeted files and renames each one, appending an extension of the form '.id-.[cybergroup1@aol.com].group' to the original filename. In the Dharma family the 'id-' field carries the victim's ID (the same ID quoted in the ransom note), followed by the attackers' contact email in square brackets and the '.group' marker; a file named 'report.docx' therefore keeps its original name and extension in front of the appended suffix.

The Ransom Note

When the encryption process is complete, the Group Ransomware drops its ransom note, likely named 'info.hta' or 'RETURN FILES.txt', which states:

All FILES ENCRYPTED "RSA1024"
All YOUR FILES HAVE BEEN ENCRYPTED!!! IF YOU WANT TO RESTORE THEM, WRITE US TO THE E-MAIL cybergroup1@aol.com
IN THE LETTER WRITE YOUR ID, YOUR ID 1E857D00
IF YOU ARE NOT ANSWERED, WRITE TO email:cybergroup1@aol.com
YOUR SECRET KEY WILL BE STORED ON A SERVER 7 DAYS, AFTER 7 DAYS IT MAY BE OVERWRITTEN BY OTHER KEYS, DON’T PULL TIME, WAITING YOUR EMAIL
FREE DECRYPTION FOR PROOF
You can send us up to 1 file for free decryption. The total size of files must be less than 1Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.)
DECRYPTION PROCESS:
When you make sure of decryption possibility transfer the money to our bitcoin wallet. As soon as we receive the money we will send you:
1. Decryption program.
2. Detailed instruction for decryption.
3. And individual keys for decrypting your files.
!WARNING!
Do not rename encrypted files.
Do not try to decrypt your data using third party software, it may cause permanent data loss.
Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

In the note, the authors of the Group Ransomware claim that the victim's decryption key is kept on a server for seven days and may be overwritten afterwards, a pressure tactic meant to make the victim act quickly. They offer to decrypt one file free of charge, provided it is under 1MB and contains nothing valuable, to prove that they hold a working decryption key. The note does not name a ransom amount; the attackers presumably reveal the price and the Bitcoin payment details only after the victim makes contact. The only contact channel provided is the email address 'cybergroup1@aol.com'. The ID shown in the note ('1E857D00' in this sample) is the victim ID that the Dharma family also embeds in the renamed files, and together with the contact email it identifies the specific infection when reporting it or when checking later whether a decryptor exists for it.
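The renamed files and the ransom note are the two artefacts an incident responder works from, so it helps to pull the identifiers out of them mechanically. The following Python script is an added example, not code from the original article or from the malware: it walks a list of file paths (a constructed sample, embedded inline) for files carrying the Dharma-style '.id-<ID>.[<email>].<ext>' suffix, extracts the victim ID and contact email from both the filenames and the note text, and summarises which original file types were hit. The regexes and the case-insensitive matching of the note filenames are assumptions based on the page, and the victim ID field is allowed to be empty because the extension quoted above shows it elided.

```python
import os
import re
from collections import Counter
from pathlib import Path

# Dharma-family rename: <original name>.id-<victim id>.[<contact email>].<family ext>
# The victim ID is hex in practice; it may be empty here because the extension
# quoted in the article shows it elided ('.id-.[...]'). Assumed pattern, not malware code.
DHARMA_RENAME_RE = re.compile(
    r"^(?P<original>.+?)\.id-(?P<victim_id>[0-9A-Fa-f]*)"
    r"\.\[(?P<email>[^\]]+)\]\.(?P<family>[A-Za-z0-9]+)$"
)

# Ransom note filenames named in the article (assumption: matched case-insensitively).
NOTE_NAMES = {"info.hta", "return files.txt"}

# Matches "YOUR ID 1E857D00"; the earlier "YOUR ID," in the note is skipped because
# a comma, not whitespace, follows it.
NOTE_ID_RE = re.compile(r"YOUR ID\s+(?P<id>[0-9A-Fa-f]{6,})", re.IGNORECASE)
NOTE_EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")

# Constructed sample file list; not real victim data.
SAMPLE_NAMES = [
    "C:/Users/alice/Documents/report.docx.id-1E857D00.[cybergroup1@aol.com].group",
    "C:/Users/alice/Documents/budget.xlsx.id-1E857D00.[cybergroup1@aol.com].group",
    "C:/Users/alice/Pictures/photo.jpg.id-.[cybergroup1@aol.com].group",
    "C:/Users/alice/Documents/info.hta",
    "C:/Users/alice/Desktop/RETURN FILES.txt",
    "C:/Users/alice/Documents/todo.txt",
    "C:/Users/alice/Downloads/archive.tar.gz",
]

# Constructed sample note, reproducing the opening lines of the note quoted above.
SAMPLE_NOTE = """All FILES ENCRYPTED "RSA1024"
All YOUR FILES HAVE BEEN ENCRYPTED!!! IF YOU WANT TO RESTORE THEM, WRITE US TO THE E-MAIL cybergroup1@aol.com
IN THE LETTER WRITE YOUR ID, YOUR ID 1E857D00
IF YOU ARE NOT ANSWERED, WRITE TO email:cybergroup1@aol.com
"""


def parse_renamed(filename):
    """Return the parts of a Dharma-style renamed file, or None if it does not match."""
    m = DHARMA_RENAME_RE.match(filename)
    return m.groupdict() if m else None


def parse_note(text):
    """Extract the victim ID and the contact emails from ransom note text."""
    ids = NOTE_ID_RE.findall(text)
    emails = sorted(set(NOTE_EMAIL_RE.findall(text)))
    return {"victim_id": ids[0] if ids else None, "emails": emails}


def triage(paths, note_texts=()):
    """Summarise which files were encrypted and which identifiers the infection carries."""
    encrypted, notes = [], []
    for path in paths:
        base = os.path.basename(path)
        if base.lower() in NOTE_NAMES:
            notes.append(path)
            continue
        parsed = parse_renamed(base)
        if parsed:
            parsed["path"] = path
            encrypted.append(parsed)
    victim_ids = {e["victim_id"] for e in encrypted if e["victim_id"]}
    emails = {e["email"] for e in encrypted}
    for text in note_texts:
        info = parse_note(text)
        if info["victim_id"]:
            victim_ids.add(info["victim_id"])
        emails.update(info["emails"])
    return {
        "encrypted_count": len(encrypted),
        "victim_ids": sorted(victim_ids),
        "contact_emails": sorted(emails),
        "original_extensions": Counter(Path(e["original"]).suffix.lower() for e in encrypted),
        "ransom_notes": notes,
    }


def scan_directory(root):
    """Run triage over a real directory tree, reading any ransom notes it contains."""
    paths = [os.path.join(d, f) for d, _, files in os.walk(root) for f in files]
    note_texts = []
    for p in paths:
        if os.path.basename(p).lower() in NOTE_NAMES:
            with open(p, "r", errors="replace") as fh:
                note_texts.append(fh.read())
    return triage(paths, note_texts)


if __name__ == "__main__":
    # Runs against the constructed sample; point scan_directory() at a mounted image for real use.
    for key, value in triage(SAMPLE_NAMES, [SAMPLE_NOTE]).items():
        print(f"{key}: {value}")
```

Matching on the full '.id-<ID>.[<email>].<ext>' shape rather than on the bare '.group' suffix avoids flagging legitimate files that happen to end in that extension, and collecting the victim ID from both sources lets you spot a machine that was hit by more than one Dharma campaign, which would show up as several IDs or contact addresses.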

Contacting the authors of the Group Ransomware is never a good idea. Such people are not to be trusted, and paying does not guarantee a working decryptor. A safer approach is to isolate the infected machine from the network, preserve a copy of the encrypted files and the ransom note (they are needed to identify the variant and to test any decryptor that may appear later), remove the Group Ransomware with a legitimate anti-malware solution, and restore the affected data from offline backups. Do not rename or otherwise alter the encrypted files in the meantime.
