
MS13 Ransomware

By GoldSparrow in Ransomware

The MS13 Ransomware is a new variant of the Dharma Ransomware that was identified on April 3rd, 2019. The MS13 Ransomware is produced with the Dharma Ransomware Builder, which was created in 2017 as the Dharma developers transitioned to a new business model. The Dharma developers offer customized copies of the ransomware to cybercriminals who are willing to distribute it and help the Dharma Ransomware grow. The MS13 Ransomware is one of many variants that might arrive on computers via spam emails and harmful advertisements. The MS13 Ransomware is known to encode data and remove the Shadow Volume snapshots made by Windows. Affected data receives the '.id-[8 random chars].[].ms13' extension, and PC users are unable to read photos, play music/videos, edit documents and load databases. For example, 'Lake Titicaca.jpeg' is renamed to 'id-14MLRNT8.[].ms13', and a ransom note titled 'FILES ENCRYPTED.txt' is dropped to the desktop directory. The enclosed message can be found below:

'All your files have been encrypted!
All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail
Write this ID in the title of your message [8 random chars]
In case of no answer in 24 hours write us to theese e-mails:
You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files.'

As you can see above, the threat actors operate the '' and the '' email accounts alongside the MS13 Ransomware. Note that the 'ms13' file extension may be consistent across the various versions of the Trojan, but users may be directed to email accounts different from those listed here. Paying the ransomware actors is not a good idea, and you may wish to use data backups, system recovery images, and cloud services to rebuild your file structure. Removing the MS13 Ransomware should not be difficult if you are using a reputable anti-malware tool.
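
A triage sketch for the indicators described above, added here as an example and not taken from the original article: it scans a file listing for the 'id-[8 chars].[...].ms13' rename pattern and the 'FILES ENCRYPTED.txt' note, then summarizes hits per directory. The sample paths are constructed, and treating the bracketed field as a contact address that may be empty is an assumption.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Rename scheme from the article: id-<8 chars>.[<contact>].ms13
# Assumption: the bracketed field holds a contact address and may be empty.
RENAME_RE = re.compile(
    r"(?:^|\.)id-([0-9A-Za-z]{8})\.\[([^\]]*)\]\.ms13$", re.IGNORECASE
)
NOTE_NAME = "files encrypted.txt"  # ransom note name, compared case-insensitively


def triage(paths):
    """Summarize MS13 indicators per directory for a list of Windows paths."""
    report = defaultdict(
        lambda: {"encrypted": 0, "ids": set(), "contacts": set(), "note": False}
    )
    for raw in paths:
        p = PureWindowsPath(raw)
        folder = str(p.parent)
        m = RENAME_RE.search(p.name)
        if m:
            entry = report[folder]
            entry["encrypted"] += 1
            entry["ids"].add(m.group(1).upper())
            if m.group(2):  # skip the empty "[]" form
                entry["contacts"].add(m.group(2).lower())
        elif p.name.lower() == NOTE_NAME:
            report[folder]["note"] = True
    return dict(report)


# Constructed sample listing (not real telemetry).
SAMPLE = [
    r"C:\Users\alice\Desktop\FILES ENCRYPTED.txt",
    r"C:\Users\alice\Pictures\id-14MLRNT8.[].ms13",
    r"C:\Users\alice\Pictures\Lake Titicaca.jpeg.id-14MLRNT8.[].ms13",
    r"C:\Users\alice\Documents\budget.xlsx.id-14MLRNT8.[contact@example.invalid].ms13",
    r"C:\Users\alice\Documents\notes-ms13.txt",      # benign: no id/bracket fields
    r"C:\Users\alice\Documents\report.id-123.ms13",  # malformed: ID is not 8 chars
]

if __name__ == "__main__":
    for folder, info in sorted(triage(SAMPLE).items()):
        print(folder, info)
```

More than one distinct ID in the summary for a single host is worth a closer look, since the note asks victims to quote one ID per infection.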

