Gyga Ransomware
The Gyga Ransomware is a new file-locker preying on unsuspecting users online. This data-encrypting Trojan belongs to the notorious Dharma Ransomware family: instead of building a file-locker from scratch, its creators based the Gyga Ransomware on the Dharma Ransomware, which saves them both time and effort.
Propagation and Encryption
File-encrypting Trojans like the Gyga Ransomware tend to target a wide list of file types to cause maximum damage to the host. This list is likely to include .mp3, .midi, .aac, .mid, .wav, .webm, .mov, .mp4, .jpeg, .jpg, .svg, .gif, .png, .xls, .xlsx, .ppt, .pptx, .doc, .docx, .txt, .pdf, .rar, .zip, .db and many other file types. This means that after the Gyga Ransomware is done encrypting your data, the majority of your files will be unusable. Upon locking a file, the Gyga Ransomware also alters its filename. This threat appends the extension '.id-<VICTIM ID>.[gygabot@cock.li].gyga' to the name of the encrypted file. For example, a file named 'cashew-nuts.pdf' will be renamed to 'cashew-nuts.pdf.id-<VICTIM ID>.[gygabot@cock.li].gyga'. This file-locker assigns a unique victim ID to every affected user for easier differentiation. The Gyga Ransomware may be distributed via phishing emails, malvertising campaigns, torrent trackers, bogus application downloads and updates, fake social media posts, etc.
The Ransom Note
In the next phase of the attack, the Gyga Ransomware drops a ransom note on the infected host. The 'FILES ENCRYPTTED.txt' and 'info.hta' files contain the ransom message of the attackers. In the note, the Gyga Ransomware creators do not mention the ransom sum but make it clear that the payment should be processed via a Tor-based website, to which they provide a link. The attackers ask to be contacted via email at 'gygabot@cock.li'.
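As an added example (not code from the original article), the following Python triage helper recognises the filename scheme described above ('<original>.id-<VICTIM ID>.[gygabot@cock.li].gyga') and the two ransom note names, so a responder can list which files were renamed and under which victim ID; the directory listing and the victim ID in it are constructed sample values.

```python
import re
from typing import Dict, List, NamedTuple, Optional

# Naming scheme from the article: <original>.id-<VICTIM ID>.[gygabot@cock.li].gyga
GYGA_NAME_RE = re.compile(
    r"^(?P<original>.+?)\.id-(?P<victim_id>[^.\[\]]+)\.\[(?P<email>[^\]]+)\]\.gyga$",
    re.IGNORECASE,
)
# Ransom note filenames named in the article.
RANSOM_NOTES = {"FILES ENCRYPTTED.txt", "info.hta"}


class GygaMatch(NamedTuple):
    original: str
    victim_id: str
    email: str


def parse_gyga_name(name: str) -> Optional[GygaMatch]:
    """Return the parsed parts if `name` follows the Gyga scheme, else None."""
    m = GYGA_NAME_RE.match(name)
    if not m:
        return None
    return GygaMatch(m.group("original"), m.group("victim_id"), m.group("email"))


def triage(filenames: List[str]) -> Dict[str, object]:
    """Group renamed files by victim ID and collect any ransom notes present."""
    encrypted: Dict[str, List[str]] = {}
    notes: List[str] = []
    for name in filenames:
        if name in RANSOM_NOTES:
            notes.append(name)
            continue
        hit = parse_gyga_name(name)
        if hit:
            encrypted.setdefault(hit.victim_id, []).append(hit.original)
    return {"encrypted": encrypted, "ransom_notes": notes}


# Constructed sample directory listing (victim ID is made up, not a real indicator).
SAMPLE_LISTING = [
    "cashew-nuts.pdf.id-A1B2C3D4.[gygabot@cock.li].gyga",
    "budget.xlsx.id-A1B2C3D4.[gygabot@cock.li].gyga",
    "FILES ENCRYPTTED.txt",
    "info.hta",
    "notes.txt",            # untouched file
    "report.docx.gyga",     # wrong shape: no id/email segment, so not counted
]

if __name__ == "__main__":
    print(triage(SAMPLE_LISTING))
```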
There is no point in paying cybercriminals like the ones responsible for the Gyga Ransomware. You are likely to be left without anything, even if you pay the ransom fee demanded. Make sure you use a genuine, modern anti-virus software suite to remove the Gyga Ransomware from your PC.