Lexus Ransomware
Ransomware is a type of malicious software designed to prevent access to a computer or data until a ransom is paid. This form of cyberattack usually involves encrypting the victim's files, rendering them inaccessible, and then demanding a ransom for their release.
The Lexus Ransomware is a specific malware threat that locks victims' data by encrypting a wide range of files, making them unusable and inaccessible. The primary objective of the cybercriminals behind Lexus is to extort victims by demanding a ransom payment for the chance to restore their files. Beyond encryption, Lexus also renames files and generates two ransom notes, 'info.txt' and 'info.hta'. Security researchers have identified the Lexus Ransomware as a variant of the Phobos Ransomware family.
When renaming files, Lexus appends the victim's ID, the email address 'emily.florez@zohomail.com', and the '.Lexus' extension to the original filenames. For example, '1.doc' becomes '1.doc.id[9ECFA74E-3506].[emily.florez@zohomail.com].Lexus', and '2.pdf' changes to '2.pdf.id[9ECFA74E-3506].[emily.florez@zohomail.com].Lexus'.
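The renaming scheme above is regular enough to be parsed, which lets a responder triage a directory listing or a restored backup for Lexus indicators. The following is an added example, not code from the original page: it parses the 'id[...]', contact e-mail and '.Lexus' fields out of a filename and summarizes a listing, treating the 'info.txt' and 'info.hta' note names as indicators as well. The victim-ID shape (8 hex characters, a dash, 4 hex characters) is an assumption generalized from the two sample names.

```python
import re
from pathlib import Path

# Lexus/Phobos renaming scheme described above:
#   <original name>.id[<victim id>].[<contact e-mail>].Lexus
# Assumption: victim id is 8 hex chars, '-', 4 hex chars (as in 9ECFA74E-3506).
LEXUS_NAME = re.compile(
    r"^(?P<original>.+?)"
    r"\.id\[(?P<victim_id>[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4})\]"
    r"\.\[(?P<email>[^\]\s]+@[^\]\s]+)\]"
    r"\.Lexus$"
)

# Ransom note file names the page reports for this variant.
RANSOM_NOTES = {"info.txt", "info.hta"}


def parse_lexus_name(name):
    """Return (original_name, victim_id, email) if the name follows the Lexus scheme, else None."""
    m = LEXUS_NAME.match(name)
    if not m:
        return None
    return m.group("original"), m.group("victim_id"), m.group("email")


def triage(names):
    """Summarize a list of file names (e.g. one directory listing) for Lexus indicators."""
    encrypted = [p for p in (parse_lexus_name(n) for n in names) if p]
    return {
        "encrypted_count": len(encrypted),
        "victim_ids": sorted({v for _, v, _ in encrypted}),
        "contact_emails": sorted({e for _, _, e in encrypted}),
        "ransom_notes": sorted(n for n in names if n.lower() in RANSOM_NOTES),
    }


def triage_tree(root):
    """Walk a directory tree read-only and triage every file name found in it."""
    return triage([p.name for p in Path(root).rglob("*") if p.is_file()])


if __name__ == "__main__":
    # Constructed sample listing, not a real incident.
    sample = [
        "1.doc.id[9ECFA74E-3506].[emily.florez@zohomail.com].Lexus",
        "2.pdf.id[9ECFA74E-3506].[emily.florez@zohomail.com].Lexus",
        "info.txt", "info.hta", "notes.md",
    ]
    print(triage(sample))
```

A single victim ID across many files is the expected picture for one host; several IDs or contact addresses in one tree suggest more than one intrusion.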
The Lexus Ransomware Seeks to Extort Ransom Payments from Victims
The ransom note from the Lexus Ransomware informs the victim that their data has been encrypted and exfiltrated by the attackers. To regain access to their data, victims must obtain specific decryption software provided by the cybercriminals. The note warns that attempting to decrypt the data independently or using third-party software could lead to permanent data loss. Additionally, the note promises that upon payment, the stolen data will be deleted and will not be sold or used maliciously.
However, the note also threatens that if the victim does not respond within two days, the exfiltrated data will be shared with interested parties. It provides two email addresses as communication channels with the attackers (emily.florez@zohomail.com and barbara.li@gmx.com) and advises against renaming any encrypted files.
The Phobos Ransomware Family Is Often Utilized by Cybercriminals
Ransomware from the Phobos family is notorious for encrypting both local and network-shared files, disabling firewalls, and deleting the Shadow Volume Copies. These variants typically spread through insecure Remote Desktop Protocol (RDP) services.
To maintain their presence on the infected system, the Phobos Ransomware variants duplicate themselves into specific directories and register with designated Run keys in the Windows registry. They also collect location data and may exclude certain locations from the encryption process.
Take a Comprehensive Security Approach Against Malware and Ransomware
To effectively safeguard against malware and ransomware, users should embrace a comprehensive security approach that includes the following measures:
Regular Backups:
Frequent Backups: Regularly back up all important data to external drives or cloud storage. Ensure that backups are kept offline or in a secure, remote location to prevent them from being compromised during an attack.
Test Restorations: If possible, periodically test the restoration process to confirm that backups are functioning correctly and data can be recovered.
Up-to-date Software:
Operating System Updates: Keep the operating system as well as any installed software up to date with the latest patches.
Automatic Updates: Enable automatic updates where possible to ensure timely application of security patches.
Strong Security Software:
Anti-malware: Install reputable anti-malware software that offers real-time protection against threats.
Firewall Protection: Use a robust firewall to block unauthorized access to your network and systems.
Secure Configuration:
Restrict RDP Access: Disable Remote Desktop Protocol (RDP) if not needed, or secure it by using strong passwords, multi-factor authentication (MFA), and limiting access through a virtual private network (VPN).
Least Privilege Principle: Apply the principle of least privilege by limiting user access rights to the minimum necessary for their role.
Email and Web Security:
Email Filtering: Use email filtering solutions to block phishing emails and malicious attachments.
Web Filtering: Implement web filtering to restrict access to known malicious websites and prevent drive-by downloads.
User Education and Awareness:
Education Programs: Conduct regular training sessions to educate users about the dangers of malware and ransomware, including how to recognize phishing attempts and avoid unsafe practices.
Simulated Attacks: Perform simulated phishing attacks to test and improve user awareness.
By integrating these measures into a comprehensive security strategy, users can significantly enhance their defenses against malware and ransomware, reducing the risk of infection and decreasing the impact of any potential attacks.
The full text of the ransom note left by the Lexus Ransomware is:
'Your data is encrypted and downloaded!
Unlocking your data is possible only with our software.
Important! An attempt to decrypt it yourself or decrypt it with third-party software will result in the loss of your data forever.
Contacting intermediary companies, recovery companies will create the risk of losing your data forever or being deceived by these companies.
Being deceived is your responsibility! Learn the experience on the forums.
Downloaded data of your company.
Data leakage is a serious violation of the law. Don't worry, the incident will remain a secret, the data is protected.
After the transaction is completed, all data downloaded from you will be deleted from our resources. Government agencies, competitors, contractors and local media not aware of the incident.
Also, we guarantee that your company's personal data will not be sold on DArkWeb resources and will not be used to attack your company, employees and counterparties in the future.
If you have not contacted within 2 days from the moment of the incident, we will consider the transaction not completed.
Your data will be sent to all interested parties. This is your responsibility.
Contact us.
Write us to the e-mail: emily.florez@zohomail.com
In case of no answer in 24 hours write us to this e-mail: Barbara.li@gmx.com
Write this ID in the title of your message: -
If you have not contacted within 2 days from the moment of the incident, we will consider the transaction not completed.
Your data will be sent to all interested parties. This is your responsibility.
Do not rename encrypted files
Do not try to decrypt your data using third party software, it may cause permanent data loss.
Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.'