
Intel Ransomware

Researchers have uncovered a new strain of ransomware known as the Intel Ransomware. This threatening software infiltrates devices, encrypting the stored data and demanding a ransom in exchange for the alleged decryption of the compromised information.

Notably, files affected by Intel ransomware are renamed. The original filename is appended with a unique identifier assigned to the victim, followed by '.[intellent@ai_download_file]', and finally the '.intel' extension. As an illustration, a file initially named '1.jpg' would appear as '1.jpg.id-9ECFA93E.[intellent@ai_download_file].intel' after encryption.

Once the encryption process is completed, victims encounter ransom notes presented in both a pop-up window and as text files named 'README!.txt.' These text files are deposited within each encrypted folder and on the system's desktop. Analysis of the ransom note content reveals that the Intel Ransomware specifically targets companies and employs double extortion tactics. Furthermore, this threatening program is affiliated with the Dharma Ransomware family.
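The renaming scheme above gives defenders a cheap triage signal: a directory listing can be scanned for the '.id-<ID>.[intellent@ai_download_file].intel' suffix and for the 'README!.txt' note. The following is an added example, not code from the page or from any analysis of the malware itself; it assumes the victim ID is a run of hexadecimal characters (the page's sample shows eight) and treats any file named exactly 'README!.txt' as a note candidate.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set, Tuple

# Pattern reconstructed from the naming scheme described on the page:
#   <original name>.id-<victim ID>.[intellent@ai_download_file].intel
# The hex-only victim ID is an assumption drawn from the page's single sample.
INTEL_SUFFIX_RE = re.compile(
    r"^(?P<original>.+?)"
    r"\.id-(?P<victim_id>[0-9A-Fa-f]+)"
    r"\.\[intellent@ai_download_file\]"
    r"\.intel$"
)

RANSOM_NOTE_NAME = "README!.txt"  # note filename stated on the page


@dataclass(frozen=True)
class EncryptedName:
    original: str   # filename before the ransomware renamed it
    victim_id: str  # per-victim identifier embedded in the name


def parse_intel_name(filename: str) -> Optional[EncryptedName]:
    """Return the parsed parts if the name matches the Intel scheme, else None."""
    m = INTEL_SUFFIX_RE.match(filename)
    if not m:
        return None
    return EncryptedName(m.group("original"), m.group("victim_id").upper())


def is_ransom_note(filename: str) -> bool:
    return filename == RANSOM_NOTE_NAME


def scan_listing(filenames: Iterable[str]) -> Tuple[List[Tuple[str, EncryptedName]], Set[str], int]:
    """Scan a directory listing.

    Returns (encrypted hits, distinct victim IDs seen, number of ransom notes).
    More than one victim ID in a single tree is itself worth a second look,
    since it suggests more than one infection or a shared network location.
    """
    hits: List[Tuple[str, EncryptedName]] = []
    notes = 0
    for name in filenames:
        parsed = parse_intel_name(name)
        if parsed is not None:
            hits.append((name, parsed))
        elif is_ransom_note(name):
            notes += 1
    ids = {parsed.victim_id for _, parsed in hits}
    return hits, ids, notes


# Constructed sample listing: two encrypted files, one note, two unrelated files.
SAMPLE_LISTING = [
    "1.jpg.id-9ECFA93E.[intellent@ai_download_file].intel",
    "quarterly.xlsx.id-9ECFA93E.[intellent@ai_download_file].intel",
    "README!.txt",
    "archive.tar.gz",
    "photo.png.id-1234ABCD.[someone@example.invalid].locked",  # different family
]

if __name__ == "__main__":
    hits, ids, notes = scan_listing(SAMPLE_LISTING)
    for name, parsed in hits:
        print(f"{name} -> original={parsed.original} id={parsed.victim_id}")
    print(f"victim IDs: {sorted(ids)}, ransom notes: {notes}")
```

Run against a real listing (for example the output of `os.walk` over a share), the victim ID set and note count are the two numbers an incident responder wants first: they scope the encryption and tell you whether the notes were dropped in every affected folder as the page describes.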

The Intel Ransomware Prevents Victims from Accessing Their Own Data

The Intel Ransomware demonstrates a comprehensive approach by encrypting both local and network-shared files while crucial system files remain unaffected to avoid rendering the system nonoperational. Notably, it employs a strategy to avoid double encryption by excluding files locked by other ransomware. However, this method is not foolproof, as it relies on a predefined list that may not encompass all known ransomware variants.

Furthermore, the Intel malware terminates processes that are likely to hold files open, such as text editors and database programs. This step prevents those files from being skipped as "in use" and ensures they are not exempted from encryption.

The Dharma family of ransomware, to which the Intel malware belongs, employs strategic tactics for infiltration and persistence. This includes turning off the firewall to facilitate infiltration and evade detection. Additionally, persistence-ensuring techniques involve:

  • Copying the malware to the %LOCALAPPDATA% path.
  • Registering it with specific Run keys.
  • Configuring automatic initiation of the ransomware after each system reboot.

A notable aspect of the Dharma attacks is their potential for targeted actions. The programs associated with this family can gather geolocation data, allowing for exceptions in their attacks. This adaptability implies that infections may have political or geopolitical motivations, or they may purposefully avoid victims unlikely to meet ransom demands, especially in regions with weak economic conditions.

To further impede recovery efforts, the Intel Ransomware may delete the Shadow Volume Copies, hindering the restoration of previous versions of files. Based on extensive research into ransomware infections, it is evident that decryption without the intervention of the attackers is typically an insurmountable challenge.
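The persistence steps listed above (a copy under %LOCALAPPDATA% started from a Run key), the firewall being switched off, and the deletion of Shadow Volume Copies are all observable on the endpoint. The following is an added example, not code from the page or from any vendor tooling: it runs simple detection rules over constructed endpoint events. It assumes events shaped like Sysmon registry-set and process-creation records, that shadow copies are removed through `vssadmin delete shadows`, and that the firewall is disabled through `netsh advfirewall`; the page names the behaviours but not the exact commands, so those two are assumptions.

```python
import re
from typing import Dict, List, Tuple

# Run / RunOnce keys under any hive (HKLM, HKCU, HKU\<SID>).
RUN_KEY_RE = re.compile(
    r"\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?$", re.IGNORECASE)

# Autostart data pointing into the per-user %LOCALAPPDATA% tree.
LOCALAPPDATA_RE = re.compile(
    r"(?:%LOCALAPPDATA%|\\Users\\[^\\]+\\AppData\\Local)\\", re.IGNORECASE)

# Shadow copy removal via vssadmin (assumed mechanism; the page names only the effect).
SHADOW_DELETE_RE = re.compile(
    r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b", re.IGNORECASE)

# Firewall switched off via netsh (assumed mechanism).
FIREWALL_OFF_RE = re.compile(
    r"\bnetsh(?:\.exe)?\b.*\badvfirewall\b.*\bstate\s+off\b", re.IGNORECASE)


def classify(event: Dict[str, str]) -> List[str]:
    """Return the list of detection tags that fire for one event."""
    tags: List[str] = []
    if event["type"] == "registry_set":
        if RUN_KEY_RE.search(event["key"]) and LOCALAPPDATA_RE.search(event["data"]):
            tags.append("run_key_to_localappdata")
    elif event["type"] == "process_create":
        cmd = event["cmdline"]
        if SHADOW_DELETE_RE.search(cmd):
            tags.append("shadow_copy_deletion")
        if FIREWALL_OFF_RE.search(cmd):
            tags.append("firewall_disabled")
    return tags


def triage(events: List[Dict[str, str]]) -> List[Tuple[int, str]]:
    """Run classify() over a batch and return (event index, tag) pairs in order."""
    return [(i, tag) for i, ev in enumerate(events) for tag in classify(ev)]


# Constructed sample events. The SID and paths are invented for the example.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"type": "registry_set",
     "key": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "Updater",
     "data": r"C:\Users\alice\AppData\Local\svchost.exe"},
    {"type": "registry_set",  # benign: vendor binary under Program Files
     "key": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "SecurityHealth",
     "data": r"C:\Program Files\Windows Defender\MSASCuiL.exe"},
    {"type": "process_create",
     "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"type": "process_create",  # benign: listing, not deleting
     "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe list shadows"},
    {"type": "process_create",
     "image": r"C:\Windows\System32\netsh.exe",
     "cmdline": "netsh advfirewall set allprofiles state off"},
]

if __name__ == "__main__":
    for idx, tag in triage(SAMPLE_EVENTS):
        print(f"event {idx}: {tag}")
```

The three rules are deliberately narrow; the point is that each maps to one behaviour the page attributes to the Dharma family, so a hit tells you which stage of the infection you are looking at. A Run-key entry pointing into %LOCALAPPDATA% is not malicious on its own (many updaters live there), so in practice the first rule is a candidate to be correlated with the other two rather than alerted on alone.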

The Intel Ransomware Uses Double-Extortion Tactics

The content in the text file serves as a brief notification to the victim, conveying that their data has been encrypted and collected. It prompts the victim to establish communication by sending an email to the attackers.

In contrast, the pop-up message provides more detailed information about the ransomware infection. It reiterates the encryption and data theft aspects, emphasizing the urgency of the situation. The ransom note issues a strict warning that failure to contact the cybercriminals within 24 hours or refusal to comply with the ransom demand will lead to the exposure of the stolen content on the dark web or its sale to competitors of the victim's company.

To demonstrate the possibility of recovery, the message offers a free decryption test to be conducted on a single file. The victim is also explicitly informed that seeking assistance from recovery companies could result in additional financial losses, as these intermediaries typically impose fees that are added to the ransom amount.

However, it is frequently observed that victims, even after complying with ransom demands, do not receive the promised decryption keys or software. Despite fulfilling the ransom requirements, there is no assurance of file recovery. Consequently, researchers strongly discourage paying the ransom, as it not only fails to guarantee the retrieval of files but also perpetuates and supports criminal activities. In addition, it is essential to understand that while removing the ransomware halts further encryption, the removal process does not restore files that were already encrypted.

The Intel Ransomware displays the following ransom note as a pop-up window:

'intellent.ai We downloaded to our servers and encrypted all your databases and personal information!

If you do not write to us within 24 hours, we will start publishing and selling your data on the darknet on hacker sites and offer the information to your competitors
email us: intellent.ai@onionmail.org YOUR ID -
If you haven't heard back within 24 hours, write to this email:intellent.ai@onionmail.org

IMPORTANT INFORMATION!
Keep in mind that once your data appears on our leak site,it could be bought by your competitors at any second, so don't hesitate for a long time.The sooner you pay the ransom, the sooner your company will be safe..
we've looked at all of your reports and your company's revenue.
Guarantee:If we don't provide you with a decryptor or delete your data after you pay,no one will pay us in the future. We value our reputation.
Guarantee key:To prove that the decryption key exists, we can test the file (not the database and backup) for free.
Do not try to decrypt your data using third party software, it may cause permanent data loss.
Don't go to recovery companies - they are essentially just middlemen.Decryption of your files with the help of third parties may cause increased price (they add their fee to our) we're the only ones who have the decryption keys.

The text files created by Intel Ransomware contain the following message:

Your data has been stolen and encrypted!

email us

intellent.ai@onionmail.org'
