
'' Ransomware

By GoldSparrow in Ransomware

The '' Ransomware is an encryption ransomware Trojan that was first observed on February 9, 2019. The '' Ransomware is a variant of the BlackHeart Ransomware and is the third release in a family of ransomware that first appeared in November 2018. The '' Ransomware carries out a typical encryption ransomware attack, using AES encryption to make victims' files inaccessible and then demanding a ransom payment to restore access to the affected files.

How the '' Ransomware Carries Out Its Attack

Threats like the '' Ransomware are commonly delivered to victims via corrupted spam email attachments, often containing embedded macro scripts that download and install the '' Ransomware onto the victim's computer. Once installed, the '' Ransomware uses AES encryption to target the user-generated files on the infected PC, which may include a wide variety of media files, documents, databases, configuration files, and numerous other file types. Examples of the file types that threats like the '' Ransomware target in these attacks include:

.jpg, .jpeg, .raw, .tif, .gif, .png, .bmp, .3dm, .max, .accdb, .db, .dbf, .mdb, .pdb, .sql, .dwg, .dxf, .cpp, .cs, .h, .php, .asp, .rb, .java, .jar, .class, .py, .js, .aaf, .aep, .aepx, .plb, .prel, .prproj, .aet, .ppj, .psd, .indd, .indl, .indt, .indb, .inx, .idml, .pmd, .xqx, .xqx, .ai, .eps, .ps, .svg, .swf, .fla, .as3, .as, .txt, .doc, .dot, .docx, .docm, .dotx, .dotm, .docb, .rtf, .wpd, .wps, .msg, .pdf, .xls, .xlt, .xlm, .xlsx, .xlsm, .xltx, .xltm, .xlsb, .xla, .xlam, .xll, .xlw, .ppt, .pot, .pps, .pptx, .pptm, .potx, .potm, .ppam, .ppsx, .ppsm, .sldx, .sldm, .wav, .mp3, .aif, .iff, .m3u, .m4u, .mid, .mpa, .wma, .ra, .avi, .mov, .mp4, .3gp, .mpeg, .3g2, .asf, .asx, .flv, .mpg, .wmv, .vob, .m3u8, .dat, .csv, .efx, .sdf, .vcf, .xml, .ses, .qbw, .qbb, .qbm, .qbi, .qbr, .cnt, .des, .v30, .qbo, .ini, .lgb, .qwc, .qbp, .aif, .qba, .tlg, .qbx, .qby, .1pa, .qpd, .txt, .set, .iif, .nd, .rtp, .tlg, .wav, .qsm, .qss, .qst, .fx0, .fx1, .mx0, .fpx, .fxr, .fim, .ptb, .ai, .pfb, .cgn, .vsd, .cdr, .cmx, .cpt, .csl, .cur, .des, .dsf, .ds4, .drw, .eps, .ps, .prn, .gif, .pcd, .pct, .pcx, .plt, .rif, .svg, .swf, .tga, .tiff, .psp, .ttf, .wpd, .wpg, .wi, .raw, .wmf, .txt, .cal, .cpx, .shw, .clk, .cdx, .cdt, .fpx, .fmv, .img, .gem, .xcf, .pic, .mac, .met, .pp4, .pp5, .ppf, .nap, .pat, .ps, .prn, .sct, .vsd, .wk3, .wk4, .xpm, .zip, .rar.

The '' Ransomware will mark the files targeted by its attack with the extension '.hmr,' which is included in each affected file's name, making it easy to identify which content has been compromised by the '' Ransomware attack.

The '' Ransomware Ransom Demand

The '' Ransomware delivers its ransom note in a program window displayed on the infected computer. The '' Ransomware's ransom note appears in red text over a black background and reads as follows:

'All your files have been encrypted!
All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us the e-mail: and send personal ID KEY:
[random characters]
[Copy to clipboard|BUTTON]
You have to pay for decryption in Bitcoins. The price depends on how you write to us. After payment we will send you the decryption tool that will decrypt all your files.'

The '' Ransomware also delivers its ransom note in a text file named 'READ ME.txt,' which is dropped in various directories on the infected computer.
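The two file-system indicators described above (the '.hmr' extension appended to encrypted files and the 'READ ME.txt' ransom note dropped into directories) are what a responder would look for when scoping an infection. The following Python script is an added example, not code from this page or its publisher: it walks a directory tree, collects files carrying the '.hmr' marker and copies of the ransom note, and tallies the marked files by the original extension that precedes the marker. The sample directory it builds is constructed for the demo; the exact-name match on 'READ ME.txt' and the case-insensitive suffix check are assumptions about how these indicators appear on disk.

```python
import os
import tempfile
from pathlib import Path

MARKER_EXT = ".hmr"        # extension the page reports is appended to encrypted files
NOTE_NAME = "READ ME.txt"  # ransom note file name the page reports


def scan_for_indicators(root):
    """Walk `root` and return (marked_files, note_paths), both sorted lists of paths."""
    marked = []
    notes = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            if name == NOTE_NAME:
                notes.append(str(path))
            elif name.lower().endswith(MARKER_EXT):
                marked.append(str(path))
    return sorted(marked), sorted(notes)


def summarize(marked):
    """Count marked files by the original extension that sits before the '.hmr' marker."""
    counts = {}
    for path in marked:
        stem = path[: -len(MARKER_EXT)]            # strip the appended marker
        orig_ext = Path(stem).suffix.lower() or "(none)"
        counts[orig_ext] = counts.get(orig_ext, 0) + 1
    return counts


def build_sample_tree():
    """Create a throwaway directory resembling an affected share (constructed sample data)."""
    root = Path(tempfile.mkdtemp(prefix="hmr_demo_"))
    (root / "docs").mkdir()
    (root / "docs" / "report.docx.hmr").write_bytes(b"\x00" * 16)
    (root / "docs" / "budget.xlsx.hmr").write_bytes(b"\x00" * 16)
    (root / "docs" / "notes.txt.hmr").write_bytes(b"\x00" * 16)
    (root / "docs" / NOTE_NAME).write_text("All your files have been encrypted!")
    (root / "pics").mkdir()
    (root / "pics" / "holiday.jpg.hmr").write_bytes(b"\x00" * 16)
    (root / "pics" / "holiday2.jpg").write_bytes(b"\xff\xd8\xff")  # untouched file, must not be counted
    (root / NOTE_NAME).write_text("All your files have been encrypted!")
    return root


def demo():
    """Scan the constructed tree; returns (marked count, note count, per-extension tally)."""
    root = build_sample_tree()
    marked, notes = scan_for_indicators(root)
    return len(marked), len(notes), summarize(marked)


if __name__ == "__main__":
    n_marked, n_notes, by_ext = demo()
    print(f"{n_marked} marked files, {n_notes} ransom notes found")
    for ext, count in sorted(by_ext.items()):
        print(f"  {ext}: {count}")
```

Point `scan_for_indicators` at a real mount point instead of the constructed tree to get a per-extension picture of what was hit, which is the starting point for deciding which backups need to be restored.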

Dealing with the '' Ransomware

Computer users should not follow the instructions in the '' Ransomware ransom note. Instead, computer users should use backup copies of their files to restore any data compromised by the attack and a security program to remove the '' Ransomware infection itself or prevent it from being installed in the first place. Unfortunately, there is currently no way to restore files compromised by the '' Ransomware other than reconstructing them from a backup copy.
