
KIANO Ransomware

After analyzing the newly discovered KIANO Ransomware, infosec researchers determined that it is a variant belonging to the NEFILIM Ransomware family. Being a variant, however, does not diminish the destructive capabilities of the malware. Any system infected by the KIANO Ransomware will be subjected to file encryption that renders nearly all files stored on it unusable and inaccessible. The threat marks the files it encrypts by modifying their original names: it appends '.KIANO' as a new file extension. Afterward, ransom notes are dropped onto the system as text files named 'KIANO-HELP.txt'. A copy of the ransom note is generated in every folder containing locked data.

According to the note, before the encryption routine was initiated, the KIANO Ransomware collected data from the compromised system and exfiltrated it to a remote server under the control of the attackers. If the victims refuse to meet the criminals' demands, they threaten to start releasing the collected data to the public. In addition, the victims still have to deal with their locked files. Without extensive backups, the only way to restore them remains the decryption software possessed by the KIANO Ransomware operators.

To establish contact, victims are given three email addresses - michaeldrumman1977@tutanota.com, jamescowworkingsa1988@tutanota.com and michaeldrumman1977@protonmail.com - as well as a link to a website accessible only through the TOR browser. Victims are also allowed to send up to 2 locked files that will supposedly be decrypted and returned alongside further instructions.
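As an added example (not part of this entry or of any vendor tooling), the following Python triage script walks a directory tree and reports the indicators described above: files carrying the '.KIANO' extension and folders holding a 'KIANO-HELP.txt' note, checking each note for the contact addresses the entry lists. The sample tree it builds is constructed for the demonstration, and the "unconfirmed note" heuristic is an assumption of this example, not a documented property of the malware.

```python
import os
import tempfile
from pathlib import Path

# Indicators taken from this entry: the appended extension and the note file name.
KIANO_EXTENSION = ".KIANO"
KIANO_NOTE_NAME = "KIANO-HELP.txt"
# Contact addresses quoted in the note; used to confirm a note matches this variant.
KIANO_CONTACTS = (
    "michaeldrumman1977@tutanota.com",
    "jamescowworkingsa1988@tutanota.com",
    "michaeldrumman1977@protonmail.com",
)


def triage_kiano(root):
    """Walk a directory tree and summarise KIANO indicators.

    Returns a dict with the number of '.KIANO' files, the directories that
    hold a 'KIANO-HELP.txt' note, and the directories whose note does not
    mention any known contact address (assumption: such a note may belong to
    a different variant and deserves a closer look).
    """
    encrypted = 0
    note_dirs = []
    unconfirmed_notes = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            if name.endswith(KIANO_EXTENSION):
                encrypted += 1
            elif name == KIANO_NOTE_NAME:
                note_dirs.append(dirpath)
                text = Path(dirpath, name).read_text(errors="replace")
                if not any(addr in text for addr in KIANO_CONTACTS):
                    unconfirmed_notes.append(dirpath)
    return {
        "encrypted_files": encrypted,
        "note_dirs": sorted(note_dirs),
        "unconfirmed_notes": sorted(unconfirmed_notes),
    }


def build_sample_tree():
    """Create a constructed sample tree (not real artefacts) for the demonstration."""
    root = tempfile.mkdtemp()
    docs = Path(root, "docs")
    docs.mkdir()
    (docs / "report.docx.KIANO").write_bytes(b"\x00" * 16)
    (docs / "budget.xlsx.KIANO").write_bytes(b"\x00" * 16)
    (docs / KIANO_NOTE_NAME).write_text("Mail list:\n" + "\n".join(KIANO_CONTACTS))
    clean = Path(root, "clean")
    clean.mkdir()
    (clean / "notes.txt").write_text("untouched")
    return root
```

Running `triage_kiano(build_sample_tree())` reports two encrypted files and one note directory, which is the kind of per-folder picture an incident responder wants before deciding what to isolate and restore.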

The full text of KIANO Ransomware's note is:

'Two things have happened to your company.

Gigabytes of archived files that we deemed valuable or sensitive were downloaded from your network to a secure location.
When you contact us we will tell you how much data was downloaded and can provide extensive proof of the data extraction.
You can analyze the type of the data we download on our websites.

If you do not contact us we will start leaking the data periodically in parts.

We have also encrypted files on your computers with military grade algorithms.
If you don't have extensive backups the only way to retrieve your data is with our software.

Restoration of your data with our software requires a private key which only we possess.

To confirm that our decryption software works send 2 encrypted files from random computers to us via email.
You will receive further instructions after you send us the test files.
We will make sure you retrieve your data swiftly and securely and your data that we downloaded will be securely deleted when our demands are met.
If we do not come to an agreement your data will be leaked on this website.

Website: hxxp://corpleaks.net
TOR link: hxxp://hxt254aygrsziejn.onion

Mail list:
michaeldrumman1977@tutanota.com
jamescowworkingsa1988@tutanota.com
michaeldrumman1977@protonmail.com'
