Lsas Ransomware

It seems that cybercriminals are still using the infamous Dharma Ransomware to create new malware threats to infect users' computers. The latest variant to be spawned from this malware family is being tracked by infosec experts as the Lsas Ransomware. Despite being a variant without any significant improvement over the other Dharma variants, the Lsas Ransomware's ability to cause destruction should not be underestimated.

Upon being deployed on the compromised systems, the Lsas Ransomware will initiate a strong encryption process that will lock numerous files stored there. A wide range of file types will be rendered unusable. Victims will no longer have access to their documents, archives, databases, PDFs and more.

During the encryption process, each affected file will have a unique ID string, an email address, and a new file extension appended to its original name. The specific email used by the threat is 'sekurlsa@ml1.net' while the file extension is '.lsas.' After completing its threatening task, the threat will drop two ransom-demanding messages from the attackers.

Ransom Note's Details

Following the typical Dharma behavior, the Lsas Ransomware also delivers two different ransom notes to its victims. First, the threat creates a text file named 'FILES ENCRYPTED.txt.' It contains only a couple of sentences that direct users towards contacting the two email addresses of the hackers - 'sekurlsa@ml1.net' and 'sekurlsa@mm.st.' However, the main set of instructions will be presented in a pop-up window. It reveals that the ransom payment must be made using the Bitcoin cryptocurrency and that users are allowed to send a single file to be decrypted for free. However, the chosen file must be less than 1MB in size and should not contain any important data.

The full text shown in the pop-up window is:

'All your files have been encrypted!
All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail sekurlsa@ml1.net
Write this ID in the title of your message 1E857D00
In case of no answer in 24 hours write us to theese e-mails:sekurlsa@mm.st
You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files.
Free decryption as guarantee
Before paying you can send us up to 1 file for free decryption. The total size of files must be less than 1Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.)
How to obtain Bitcoins
The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price.
https://localbitcoins.com/buy_bitcoins
Also you can find other places to buy Bitcoins and beginners guide here:
hxxp://www.coindesk.com/information/how-can-i-buy-bitcoins/
Attention!
Do not rename encrypted files.
Do not try to decrypt your data using third party software, it may cause permanent data loss.
Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.
'

The text file contains the following message:

'all your data has been locked us
You want to return?
Write email sekurlsa@ml1.net or sekurlsa@mm.st
'
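
The renaming pattern and the ransom note name described above can be checked for during incident triage. The following Python is an added example, not part of the original write-up; the exact filename layout ('.id-<ID>.[<email>].lsas') is an assumption based on the usual Dharma convention, and the sample paths are constructed.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Assumed layout (usual Dharma convention, not spelled out on the page):
#   <original name>.id-<8 hex chars>.[<contact email>].lsas
ENCRYPTED_RE = re.compile(
    r"^(?P<original>.+)\.id-(?P<victim_id>[0-9A-Fa-f]{8})"
    r"\.\[(?P<email>[^\]\s]+@[^\]\s]+)\]\.lsas$",
    re.IGNORECASE,
)
NOTE_NAME = "files encrypted.txt"  # ransom note name given on the page


def triage(paths):
    """Summarise Lsas indicators found in an iterable of file paths."""
    report = {"encrypted": defaultdict(list), "notes": [], "emails": set()}
    for raw in paths:
        name = PureWindowsPath(raw).name
        if name.lower() == NOTE_NAME:
            report["notes"].append(raw)
            continue
        m = ENCRYPTED_RE.match(name)
        if m:
            # Group by victim ID: more than one ID on a share points to
            # more than one encryption run or more than one affected host.
            report["encrypted"][m["victim_id"].upper()].append(
                (raw, m["original"]))
            report["emails"].add(m["email"].lower())
    return report


# Constructed sample listing (not taken from a real incident).
SAMPLE = [
    r"C:\Users\a\Documents\budget.xlsx.id-1E857D00.[sekurlsa@ml1.net].lsas",
    r"C:\Users\a\Documents\notes.v2.txt.id-1E857D00.[sekurlsa@ml1.net].lsas",
    r"C:\Users\a\Desktop\FILES ENCRYPTED.txt",
    r"C:\Windows\System32\lsass.exe",          # legitimate, must not match
    r"C:\Users\a\Documents\report.lsas.docx",  # '.lsas' is not the final extension
]

if __name__ == "__main__":
    r = triage(SAMPLE)
    for vid, files in r["encrypted"].items():
        print(vid, len(files), [orig for _, orig in files])
    print("notes:", r["notes"], "emails:", sorted(r["emails"]))
```

The per-ID grouping and the recovered original names give responders a quick inventory of what needs restoring from backup.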
