
Lizard (Phobos) Ransomware

Cybersecurity experts have uncovered another vicious malware threat based on the notorious Phobos Ransomware family. The threat is named the Lizard Ransomware, and it can be used to lock the data stored on breached devices. Its encryption algorithm is strong enough that restoring the affected files without the correct decryption key is not practically feasible.

When the Lizard Ransomware encrypts a file, it also drastically changes that file's original name. Affected users will notice that their files now have an ID string, an email address, and a new file extension appended to their names. The ID string is generated separately for each victim, while the email address used by the threat is 'r3wuq@tuta.io.' The file extension is '.LIZARD.' As for the ransom note, the Lizard Ransomware drops two different messages. One is displayed in a pop-up window created from an 'info.hta' file, while the other is contained inside a text file named 'info.txt.'
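The naming markers above can be turned into a quick triage pass over a file listing. The following is an added example, not code from the original page: it flags files carrying the '.LIZARD' extension and the 'r3wuq@tuta.io' address, and treats a lone 'info.hta' or 'info.txt' as a weak signal only. The bracketed `name.id[ID].[email].LIZARD` layout is an assumption (the page does not give the exact layout), and the sample paths and ID are constructed.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

EMAIL = "r3wuq@tuta.io"                 # contact address named on the page
EXTENSION = ".lizard"                   # '.LIZARD', compared case-insensitively
NOTE_NAMES = {"info.hta", "info.txt"}   # ransom note files named on the page

# Assumed layout (not given on the page): name.id[<ID>].[<email>].LIZARD
RENAMED = re.compile(
    r"^(?P<original>.+?)\.id\[(?P<victim_id>[^\]]+)\]\.\["
    + re.escape(EMAIL) + r"\]" + re.escape(EXTENSION) + r"$",
    re.IGNORECASE,
)

def classify(path):
    """Return (kind, original_name, victim_id), or None for an unrelated file."""
    name = PureWindowsPath(path).name
    match = RENAMED.match(name)
    if match:
        return ("encrypted", match["original"], match["victim_id"])
    lowered = name.lower()
    if lowered.endswith(EXTENSION) and EMAIL in lowered:
        return ("encrypted", None, None)  # markers present, layout differs
    if lowered in NOTE_NAMES:
        return ("note", None, None)
    return None

def triage(paths):
    """Group hits by folder; a note alone is weak because info.txt is a common name."""
    found = defaultdict(lambda: {"encrypted": 0, "notes": 0, "ids": set()})
    for path in paths:
        hit = classify(path)
        if hit is None:
            continue
        entry = found[str(PureWindowsPath(path).parent)]
        if hit[0] == "note":
            entry["notes"] += 1
        else:
            entry["encrypted"] += 1
            if hit[2]:
                entry["ids"].add(hit[2])
    return {folder: {**e, "verdict": "likely" if e["encrypted"] else "weak"}
            for folder, e in found.items()}

# Constructed sample listing, not taken from a real incident.
SAMPLE = [
    r"C:\Users\amy\Documents\report.docx.id[1A2B3C4D-0001].[r3wuq@tuta.io].LIZARD",
    r"C:\Users\amy\Documents\info.hta",
    r"C:\Tools\vendor\info.txt",
    r"C:\Users\amy\Pictures\cat.jpg",
]
```

Calling `triage(SAMPLE)` marks the Documents folder as likely affected and records the recovered ID, while the vendor folder with only an 'info.txt' stays a weak hit for manual review.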

Ransom Note's Overview

The text file contains just a couple of sentences. It mainly instructs victims to establish contact by messaging 'r3wuq@tuta.io' or, if there is no answer after 24 hours, to use a Telegram account at '@Online7_365.' The main ransom-demanding message is the one shown as a pop-up window. It reveals that the attackers will only accept payments made using the Bitcoin cryptocurrency. It also states that the threat actors are willing to decrypt up to 5 files for free. However, the chosen files must not contain any important information and should not exceed 4MB in total size.

The message found in the text file is:

'!!!All of your files are encrypted!!!
To decrypt them send e-mail to this address: r3wuq@tuta.io.
If we don't answer in 24h., send messge to telegram: @Online7_365
'

The ransom note displayed by Lizard Ransomware in a pop-up window is:

'All your files have been encrypted!
All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail r3wuq@tuta.io
Write this ID in the title of your message -
If you do not receive a response within 24 hours, please contact us by Telegram.org account: @Online7_365
You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the tool that will decrypt all your files.
Free decryption as guarantee
Before paying you can send us up to 5 files for free decryption. The total size of files must be less than 4Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.)
How to obtain Bitcoins
The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price.
hxxps://localbitcoins.com/buy_bitcoins
Also you can find other places to buy Bitcoins and beginners guide here:
hxxp://www.coindesk.com/information/how-can-i-buy-bitcoins/
Attention!
Do not rename encrypted files.
Do not try to decrypt your data using third party software, it may cause permanent data loss.

Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.'
