NaS Ransomware

NaS Ransomware Description

Cybercriminals are still creating new ransomware threats based on the Dharma malware family. Although these are simple variants with no expanded functionality, the danger they pose should not be underestimated. One of the latest to be discovered by infosec researchers is named the NaS Ransomware. Its encryption process employs an uncrackable cryptographic algorithm, which makes restoring the affected files without access to the decryption key nearly impossible.

As part of its encryption process, the threat marks all locked files by modifying their original names. The NaS Ransomware appends a string representing the ID assigned to the specific victim, followed by an email address under the control of the hackers, and finally '.NaS' as a new file extension. The email address in question is 'fastnas@fea.st'.

The ransom-demanding message of the threat is presented in two different forms despite having identical text. Users will be shown a pop-up window while a 'FILES ENCRYPTED.txt' text file will be dropped on the system.
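A triage sketch for the naming scheme and note file described above, added here as an example and not taken from the original analysis. The `.id-<ID>.[<email>].NaS` delimiters are an assumption based on the usual Dharma layout (the page gives only the order of the parts); `classify`, `triage` and the sample paths are constructed for illustration.

```python
import re
from pathlib import PureWindowsPath

# Assumption: the usual Dharma layout "<original>.id-<ID>.[<email>].NaS".
# The page gives only the order of the parts (ID, email, '.NaS'), not the delimiters.
RENAMED = re.compile(
    r"^(?P<original>.+)\.id-(?P<vid>[0-9A-Za-z-]+)\.\[(?P<email>[^\[\]]+)\]\.NaS$", re.I)
NOTE_NAME = "files encrypted.txt"                      # note file named on the page
KNOWN_CONTACTS = {"fastnas@fea.st", "gds134s@mm.st"}   # addresses listed on the page


def classify(path):
    """Describe one path as an indicator, or return None if it is not one."""
    name = PureWindowsPath(path).name
    if name.lower() == NOTE_NAME:
        return {"kind": "ransom_note", "path": path}
    m = RENAMED.match(name)
    if not m:
        return None
    email = m.group("email").lower()
    return {"kind": "encrypted_file", "path": path,
            "original": m.group("original"), "victim_id": m.group("vid"),
            "email": email, "known_contact": email in KNOWN_CONTACTS}


def triage(paths):
    """Summarise a file listing: hit counts, victim IDs seen, directories touched."""
    hits = [h for h in map(classify, paths) if h]
    enc = [h for h in hits if h["kind"] == "encrypted_file"]
    return {
        "encrypted": len(enc),
        "notes": sum(h["kind"] == "ransom_note" for h in hits),
        "victim_ids": sorted({h["victim_id"] for h in enc}),
        "dirs": sorted({str(PureWindowsPath(h["path"]).parent) for h in hits}),
    }


# Constructed sample listing (not taken from a real incident).
SAMPLE = [
    r"C:\Users\alice\Documents\budget.xlsx.id-1A2B3C4D.[fastnas@fea.st].NaS",
    r"C:\Users\alice\Documents\notes.txt",
    r"C:\Users\alice\Desktop\FILES ENCRYPTED.txt",
    r"D:\share\report.final.docx.id-1A2B3C4D.[fastnas@fea.st].NaS",
]

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Feeding it a recursive file listing from an affected host or share shows which directories were reached and recovers the original file names for matching against backups.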

Ransom Note's Details

As is typical for the Dharma Ransomware variants, the text file contains an extremely short message that simply tells the affected users to establish contact by emailing the attackers. In NaS' case, the email addresses are 'fastnas@fea.st' or 'gds134s@mm.st'. The main ransom note is delivered via the pop-up window. It provides far more details, such as stating that the ransom payment must be made using the Bitcoin cryptocurrency. The exact amount demanded by the hackers is supposed to be based on how fast the victims establish contact with them.

In addition, affected users can send a single encrypted file that will supposedly be unlocked for free. The file, however, must be less than 1MB in size and should not contain any valuable data.

The full text displayed in the pop-up window is:

'All your files have been encrypted!

All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail fastnas@fea.st
Write this ID in the title of your message -
In case of no answer in 24 hours write us to theese e-mails:gds134s@mm.st
You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files.

Free decryption as guarantee
Before paying you can send us up to 1 file for free decryption. The total size of files must be less than 1Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.)

How to obtain Bitcoins
The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price.
hxxps://localbitcoins.com/buy_bitcoins
Also you can find other places to buy Bitcoins and beginners guide here:
hxxp://www.coindesk.com/information/how-can-i-buy-bitcoins/

Attention!
Do not rename encrypted files.
Do not try to decrypt your data using third party software, it may cause permanent data loss.
Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.'

The message contained in the text file is:

'all your data has been locked us
You want to return?
Write email fastnas@fea.st or gds134s@mm.st'
