NORD Ransomware

NORD Ransomware Description

The NORD Ransomware is a potent crypto-locker threat. Although it is not wholly unique, infosec researchers have determined that the NORD Ransomware is a WannaScream variant, which in no way diminishes its destructive capabilities. Victims of the threat are suddenly locked out of their own computers and can no longer access or use any of their files.

As part of its encryption process, the NORD Ransomware drastically changes the names of the files it affects. The threat appends a unique ID string to the original file name, followed by an email address controlled by the hackers, and finally '.NORD' as a new file extension. The email address is 'decryptfilekhoda@protonmail.com.' Two different ransom notes are dropped onto the compromised systems. One is displayed in a pop-up window (info.hta), while the other is placed inside text files (ReadMe.txt) created in every folder containing encrypted data.

The instructions found in the text files are extremely brief. They simply tell the victims to contact the hackers via the provided communication channels. While the WannaScream template for the ransom note includes a Telegram account and a secondary email address, the criminals responsible for the NORD Ransomware have not bothered to fill them in. The only communication channel available to the victims of the threat is an email to the aforementioned 'decryptfilekhoda@protonmail.com.' The ransom note in the pop-up window provides a bit more detail. Although it does not mention the exact sum demanded by the hackers, it states that payment must be made in bitcoins. It also allows affected users to attach up to 5 files, not exceeding a total size of 4MB, to the email message to be decrypted for free.
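The rename pattern and the two note files described above are the artefacts a responder can search for on a suspect host. The following script is an added example written for this page, not code from the original article or from any vendor: it parses a directory listing for the NORD rename pattern, recovers the victim ID and original file name, and confirms a ReadMe.txt or info.hta as a ransom note by checking for phrases quoted on this page. The page states only that the ID comes after the original name, then the email, then '.NORD'; the exact separators (dots, with optional square brackets around the ID and email) and all sample paths and note texts are constructed assumptions.

```python
"""Triage helper for NORD Ransomware artefacts in a directory listing.

Constructed example for this page. The separator layout (dots, optional
square brackets) is an assumption; only "ID, then email, then .NORD" is
stated in the article.
"""
import ntpath
import re
from typing import Dict, Iterable, List, Optional

ATTACKER_EMAIL = "decryptfilekhoda@protonmail.com"   # from the ransom notes
NOTE_FILENAMES = {"info.hta", "readme.txt"}          # note file names from the article
# Phrases taken from the two ransom notes quoted on the page (compared lower-case).
NOTE_MARKERS = ("all your files have been encrypted", "wanna scream", ATTACKER_EMAIL)

# Assumed layout: <original>.<ID>.<email>.NORD, optionally <original>[<ID>][<email>].NORD
NORD_NAME_RE = re.compile(
    r"^(?P<original>.+?)"
    r"[.\[]+(?P<victim_id>[A-Za-z0-9-]+)\]?"
    r"[.\[]+" + re.escape(ATTACKER_EMAIL) + r"\]?"
    r"\.NORD$",
    re.IGNORECASE,
)


def parse_nord_name(filename: str) -> Optional[Dict[str, str]]:
    """Return original name and victim ID if `filename` follows the NORD rename pattern."""
    m = NORD_NAME_RE.match(ntpath.basename(filename))
    if not m:
        return None
    return {"original": m.group("original"), "victim_id": m.group("victim_id")}


def looks_like_nord_note(text: str) -> bool:
    """Content check: at least two of the page's marker phrases must be present.

    A single hit (e.g. a benign README mentioning 'encrypted') is not enough."""
    lowered = text.lower()
    return sum(marker in lowered for marker in NOTE_MARKERS) >= 2


def triage_listing(paths: Iterable[str], note_texts: Dict[str, str]) -> Dict[str, object]:
    """Summarise a listing: renamed files, distinct victim IDs, confirmed ransom notes.

    `note_texts` maps a path to the content read from it (only needed for candidate notes)."""
    encrypted: List[Dict[str, str]] = []
    notes: List[str] = []
    for path in paths:
        parsed = parse_nord_name(path)
        if parsed:
            encrypted.append(parsed)
            continue
        if ntpath.basename(path).lower() in NOTE_FILENAMES and looks_like_nord_note(
            note_texts.get(path, "")
        ):
            notes.append(path)
    return {
        "encrypted_count": len(encrypted),
        "victim_ids": sorted({e["victim_id"] for e in encrypted}),
        "ransom_notes": notes,
        # Both indicators together give a confident verdict; either alone is a lead to verify.
        "confident": bool(notes) and bool(encrypted),
    }


# Constructed sample data (hypothetical host, hypothetical victim ID).
SAMPLE_PATHS = [
    r"C:\Users\alice\Documents\report.docx.7F3A9C1B.decryptfilekhoda@protonmail.com.NORD",
    r"C:\Users\alice\Pictures\photo.jpg[7F3A9C1B][decryptfilekhoda@protonmail.com].NORD",
    r"C:\Users\alice\Documents\ReadMe.txt",
    r"C:\Users\alice\Pictures\ReadMe.txt",
    r"C:\Users\alice\Desktop\info.hta",
    r"C:\Users\alice\Desktop\notes.txt",
    r"C:\Users\alice\Desktop\readme.txt",   # benign project README, must not be flagged
]
_NOTE_TXT = "[+] All Your Files Have Been Encrypted [+] Write Us To The Email: " + ATTACKER_EMAIL
SAMPLE_NOTE_TEXTS = {
    SAMPLE_PATHS[2]: _NOTE_TXT,
    SAMPLE_PATHS[3]: _NOTE_TXT,
    SAMPLE_PATHS[4]: "All your files have been encrypted by Wanna Scream! due to a security problem",
    SAMPLE_PATHS[6]: "Build instructions for the widget project.",
}

if __name__ == "__main__":
    for path in SAMPLE_PATHS:
        print(path, "->", parse_nord_name(path))
    print(triage_listing(SAMPLE_PATHS, SAMPLE_NOTE_TEXTS))
```

The content check deliberately requires two marker phrases so that a stray README mentioning "encrypted" does not raise an alert on its own; the renamed-file check and the note check are reported separately so a responder can see which indicator fired. Recovered original names tell you what was hit, and a single victim ID across all files is what you would expect from one infection.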

The full text of the 'ReadMe.txt' files is:

'[+] All Your Files Have Been Encrypted [+]

[-] Do You Really Want To Restore Your Files?

[+] Write Us To The Email: decryptfilekhoda@protonmail.com

[+] Write Us To The ID-Telegram :

[+] If you did not get any response until 24 hours later,Write to this Email: decryptfilekhoda@protonmail.com

[-] Write Your Unique-ID In The Title Of Your Message.

[+] Unique-ID :'

The 'info.hta' ransom note's full set of instructions includes:

'All your files have been encrypted by Wanna Scream!

due to a security problem with your PC. If you want to restore them, write us to the email decryptfilekhoda@protonmail.com

Write this ID in the title of your message:-

In case of no answer in 24 hours write us to this e-mail:decryptfilekhoda@protonmail.com

You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the tool that will decrypt all your files.

Free decryption as guarantee

Before paying you can send us up to 5 files for free decryption. The total size of files must be less than 4Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.)

How to obtain Bitcoins

The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price.

hxxps://localbitcoins.com/buy_bitcoins

Also you can find other places to buy Bitcoins and beginners guide here:

hxxp://www.coindesk.com/information/how-can-i-buy-bitcoins/

Attention!

Do not rename encrypted files.

Do not try to decrypt your data using third party software, it may cause permanent data loss.

Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.'
