Infected Ransomware

The Infected Ransomware is a newly uncovered file-encrypting Trojan. When cybersecurity researchers dissected the Infected Ransomware, it became clear that this threat is a variant of the rather popular Aurora Ransomware.

Spreading and Encryption

It is not yet known which infection vectors the authors of the Infected Ransomware have employed to propagate their threat. However, it is likely that emails carrying macro-laced attachments, pirated copies of legitimate software, and fraudulent application updates are among the propagation methods involved in spreading the Infected Ransomware. When the Infected Ransomware worms its way into a system, it scans it to locate the files it was programmed to target. Then, the Infected Ransomware starts encrypting all the targeted data. After undergoing the Infected Ransomware's encryption process, the locked files have their names altered: the Infected Ransomware appends a '.infected' extension to the end of each affected filename. For example, an audio file named 'A-Marines-Lovesong.mp3' will have its name changed to 'A-Marines-Lovesong.mp3.infected.'

The Ransom Note

The next step of the attack is the dropping of the ransom note. Unlike most ransomware threats, which drop only one note, the Infected Ransomware drops three ransom notes, named '@@_FILES_ARE_ENCRYPTED_@@.txt,' '@@_HOW_TO_RETURN_DATA_@@.txt' and '@@_RECOVERY_INSTRUCTIONS_@@.txt.' All three notes carry the same message:

'$$$$$$$$$$$$$$$$$$$$> CRYPTO LOCKER <$$$$$$$$$$$$$$$$$$$$ SORRY! Your files are encrypted. File contents are encrypted with random key. Random key is encrypted with RSA public key (2048 bit). We STRONGLY RECOMMEND you NOT to use any "decryption tools". These tools can damage your data, making recover IMPOSSIBLE. Also we recommend you not to contact data recovery companies. They will just contact us, buy the key and sell it to you at a higher price. If you want to decrypt your files, you have to get RSA private key. In order to get private key, write here: backup@rape.lol =========== !ATTENTION! Attach file is 000000000.key from %appdata% to email message, without it we will not be able to decrypt your files =========== In the reply letter you will receive a unique decoder and instructions on what to do next. If someone else offers you files restoring, ask him for test decryption. Only we can successfully decrypt your files; knowing this can protect you from fraud. You will receive instructions of what to do next. We guarantee you file recovery if you do it right. $$$$$$$$$$$$$$$$$$$$> CRYPTO LOCKER <$$$$$$$$$$$$$$$$$$$$'

The authors of the Infected Ransomware do not mention what the ransom fee is. They give out an email address where one can contact them – 'backup@rape.lol.'
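The indicators the write-up gives (the '.infected' extension, the three ransom note filenames and the '000000000.key' file the note tells victims to attach from %appdata%) are enough for a first-pass triage of a suspect machine. The script below is an added example and is not code from the original page or from the vendor that published it; it walks a directory tree, buckets every path that matches one of those indicators, recovers the pre-encryption filename by stripping the appended extension, and summarizes what it found. The sample directory layout it builds in a temp folder is constructed for the demonstration and contains placeholder bytes only.

```python
import os
import tempfile

# Indicators taken from the write-up: the appended extension, the three ransom
# note filenames and the key file the note instructs victims to attach.
ENCRYPTED_EXT = ".infected"
RANSOM_NOTE_NAMES = frozenset({
    "@@_FILES_ARE_ENCRYPTED_@@.txt",
    "@@_HOW_TO_RETURN_DATA_@@.txt",
    "@@_RECOVERY_INSTRUCTIONS_@@.txt",
})
KEY_FILE_NAME = "000000000.key"


def original_name(filename):
    """Return the pre-encryption filename, or None if the extension is absent.

    'A-Marines-Lovesong.mp3.infected' -> 'A-Marines-Lovesong.mp3'
    A bare '.infected' is not treated as an encrypted file.
    """
    if filename.lower().endswith(ENCRYPTED_EXT) and len(filename) > len(ENCRYPTED_EXT):
        return filename[: -len(ENCRYPTED_EXT)]
    return None


def triage_tree(root):
    """Walk `root` and bucket every path that matches one of the indicators."""
    findings = {"encrypted": [], "notes": [], "key_files": []}
    for dirpath, _dirs, filenames in os.walk(root):
        for fn in filenames:
            full = os.path.join(dirpath, fn)
            if fn in RANSOM_NOTE_NAMES:
                findings["notes"].append(full)
            elif fn == KEY_FILE_NAME:
                findings["key_files"].append(full)
            elif original_name(fn) is not None:
                findings["encrypted"].append(full)
    for bucket in findings.values():
        bucket.sort()
    return findings


def summarize(findings):
    """Collapse the path lists into counts plus the directories holding notes."""
    return {
        "encrypted_count": len(findings["encrypted"]),
        "note_count": len(findings["notes"]),
        "key_file_found": bool(findings["key_files"]),
        "note_dirs": sorted({os.path.dirname(p) for p in findings["notes"]}),
    }


def build_sample_tree(base):
    """Populate `base` with a constructed layout mimicking the described behaviour.

    File contents are placeholders; nothing written here is real malware output.
    """
    docs = os.path.join(base, "Documents")
    appdata = os.path.join(base, "AppData", "Roaming")
    os.makedirs(docs)
    os.makedirs(appdata)
    # Two renamed files plus one untouched file, so the filter is exercised.
    for name in ("A-Marines-Lovesong.mp3.infected", "budget.xlsx.infected", "readme.txt"):
        with open(os.path.join(docs, name), "wb") as fh:
            fh.write(b"constructed placeholder bytes")
    for note in RANSOM_NOTE_NAMES:
        with open(os.path.join(docs, note), "w") as fh:
            fh.write("CRYPTO LOCKER placeholder note\n")
    with open(os.path.join(appdata, KEY_FILE_NAME), "wb") as fh:
        fh.write(b"placeholder key blob")
    return base


def demo():
    """Build the sample tree in a temp dir, triage it and return the summary."""
    base = tempfile.mkdtemp(prefix="infected-triage-")
    build_sample_tree(base)
    return summarize(triage_tree(base))


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Pointing `triage_tree` at a real user profile gives a quick count of affected files and the folders where notes were dropped; keep the key file and the notes intact rather than deleting them, since both are needed for any later recovery attempt.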

The good news is that the Infected Ransomware is decryptable, so there is no reason even to consider paying. However, even if no decryption tool were available, it is never advisable to pay cyber criminals. It is crucial to have a reputable anti-malware application installed on your system, which will keep it safe from threats like the Infected Ransomware.
