Magic Ransomware

The Magic Ransomware is classified as a variant of the Phobos Ransomware family and has not changed much compared to the family's other members. It is nevertheless still a potent threat that can cause a lot of damage to the users and machines it infects and can effectively lock users out of their own computers. By employing an uncrackable encryption algorithm, the Magic Ransomware renders nearly all files stored on the compromised computer inaccessible and unusable. It then tries to extort its victims by promising to exchange the decryption key necessary to release the locked data for a ransom fee.

The Magic Ransomware will change the names of the affected files drastically. It appends a new file extension, '.magic', to the original name of every encrypted file. The email addresses that should be used to contact the people behind the Magic Ransomware are 'midnight@email.tg' and 'dark_day@cyberfear.com'. The note also gives the option to use the Tox chat. As soon as the encryption routine is complete, the Magic Ransomware drops its ransom note with instructions for the victims. The message has two versions: a shorter one contained in text files named 'info.txt' and a more extended set of instructions, 'info.hta', that is displayed in a pop-up window.

The exact amount demanded by the hackers controlling the Magic Ransomware is not mentioned; the note says only that the sum will depend on how fast the victims initiate communication. The Magic Ransomware's victims are allowed to attach three unimportant files that do not exceed 4MB in total size to their messages. The hackers will decrypt these files for free, presumably as a demonstration of their ability to restore all locked data. It is still not recommended to engage in negotiations with cybercriminals, as that could expose users to further security threats.

The text displayed in the 'info.hta' file created by Magic Ransomware is:

'All your files have been encrypted!
All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail midnight@email.tg
Write this ID in the title of your message
In case of no answer in 24 hours write us to this e-mail:dark_day@cyberfear.com
Or write us to the TOX messenger: FF06B9D86CCB0CE9D9AB2B9D26DA1765A134BE2 EB2604157233090C1FBB4960B91D235AE736A
You can download TOX messenger here hxxps://tox.chat/
You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the tool that will decrypt all your files.
Free decryption as guarantee
Before paying you can send us up to 3 files for free decryption. The total size of files must be less than 4Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.)
How to obtain Bitcoins
The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price.
hxxps://localbitcoins.com/buy_bitcoins
Also you can find other places to buy Bitcoins and beginners guide here:
hxxp://www.coindesk.com/information/how-can-i-buy-bitcoins/
Attention!
Do not rename encrypted files.
Do not try to decrypt your data using third party software, it may cause permanent data loss.
Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.'

The content of the 'info.txt' file is:

'!!!All of your files are encrypted!!!
To decrypt them send e-mail to this address: midnight@email.tg.
If we don't answer in 24h, send e-mail to this address: dark_day@cyberfear.com
Or write us to the TOX messenger: FF06B9D86CCB0CE9D9AB2B9D26DA1765A134BE2 EB2604157233090C1FBB4960B91D235AE736A'
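
The indicators described above (the '.magic' extension, the 'info.txt' and 'info.hta' note names, and the two contact addresses) can be turned into a quick triage sweep of a disk or file share. The following Python sketch is an added example, not part of the original write-up; the function names and the sample tree are constructed for illustration. Because 'info.txt' is a common file name, a note is only reported when it also contains one of the contact addresses.

```python
import os
import tempfile

# Indicators taken from the description above.
ENCRYPTED_EXT = ".magic"
NOTE_NAMES = {"info.txt", "info.hta"}
CONTACTS = ("midnight@email.tg", "dark_day@cyberfear.com")

def is_ransom_note(path):
    """True if a file named like the note also mentions a contact address."""
    if os.path.basename(path).lower() not in NOTE_NAMES:
        return False
    try:
        with open(path, "rb") as fh:
            data = fh.read(64 * 1024).lower()  # notes are small; cap the read
    except OSError:
        return False
    # Check both ASCII and UTF-16LE as a precaution; the encoding is an assumption.
    return any(a.encode() in data or a.encode("utf-16-le") in data for a in CONTACTS)

def scan(root):
    """Walk root and return (encrypted_files, ransom_notes) as sorted lists."""
    encrypted, notes = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.lower().endswith(ENCRYPTED_EXT):
                encrypted.append(path)
            elif is_ransom_note(path):
                notes.append(path)
    return sorted(encrypted), sorted(notes)

def build_sample_tree(root):
    """Constructed sample: two renamed files, one note, one benign info.txt."""
    os.makedirs(os.path.join(root, "docs"))
    samples = [
        ("docs/report.docx.magic", "x"),
        ("photo.jpg.MAGIC", "x"),
        ("info.txt", "To decrypt them send e-mail to this address: midnight@email.tg."),
        ("docs/info.txt", "Release notes for an unrelated application."),
    ]
    for rel, body in samples:
        with open(os.path.join(root, *rel.split("/")), "w") as fh:
            fh.write(body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        print(scan(tmp))
```

A non-empty result is a reason to isolate the host and check backups; an empty one does not rule out infection, since it only covers the paths that were scanned.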
