OFF Ransomware
Users have a new ransomware threat to worry about. Named the OFF Ransomware, it is classified as a variant of the Dharma malware family. Although it shows no major deviation from typical Dharma behavior, OFF Ransomware is still a potent threat that can devastate the computer systems it infiltrates. It runs an encryption process that cannot be cracked to lock the files stored on breached devices: PDFs, documents, archives, databases, images, photos, audio, and video files are all rendered inaccessible and unusable.
OFF Ransomware follows the typical Dharma naming pattern to mark each encrypted file: it appends a unique ID, an email address, and a new file extension to the original name. The email is 'tiocapvbu@aol.com' and the new file extension is '.OFF'. Once its encryption routine completes, the threat drops two ransom notes on the infected device.
OFF Ransomware's Demands
An extremely brief ransom message is placed in a text file named 'FILES ENCRYPTED.txt'. It simply instructs affected users to contact the 'tiocapvbu@aol.com' or '999@me2bgruzs6itptly.onion' addresses. The threat's main ransom note is displayed in a pop-up window. Although it too lacks some vital details, it states that the exact ransom amount demanded by the OFF Ransomware operators depends on how quickly victims establish contact, and that the payment must be made in the Bitcoin cryptocurrency.
As part of their message, victims may attach a single file smaller than 1MB, which the attackers claim they will decrypt and return unlocked. The ransom note concludes with various warnings.
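As an added example (not code from this page or from the malware's authors), a small Python triage helper that recognises files marked with the naming pattern described above plus the 'FILES ENCRYPTED.txt' note, and recovers each affected file's original name from its encrypted name. The 'id-' prefix, the square brackets around the email, and the Windows-style sample paths are assumptions; the page only states that an ID, an email and the '.OFF' extension are appended.

```python
import re
from pathlib import PureWindowsPath

# Indicators taken from the write-up above.
OFF_EMAILS = {"tiocapvbu@aol.com", "999@me2bgruzs6itptly.onion"}
OFF_EXTENSION = ".off"
RANSOM_NOTE_NAME = "FILES ENCRYPTED.txt"

# Assumed layout: <original>.id-<ID>.[<email>]<ext>. The page only says an ID, an email
# and the extension are appended; 'id-' and the brackets follow the usual Dharma convention.
DHARMA_NAME_RE = re.compile(
    r"^(?P<original>.+?)\.id-(?P<victim_id>[A-Za-z0-9]+)"
    r"\.\[(?P<email>[^\]]+)\](?P<ext>\.[A-Za-z0-9]+)$"
)

def parse_encrypted_name(filename):
    """Split a Dharma-style name into its parts; None if it does not match."""
    m = DHARMA_NAME_RE.match(filename)
    if m is None:
        return None
    parts = m.groupdict()
    # OFF specifically: the '.OFF' extension together with one of the known contact addresses.
    parts["is_off"] = (parts["ext"].lower() == OFF_EXTENSION
                       and parts["email"].lower() in OFF_EMAILS)
    return parts

def triage_listing(paths):
    """Sort paths into OFF-encrypted files, ransom notes and other Dharma-marked files."""
    report = {"off_encrypted": [], "ransom_notes": [], "other_dharma": [], "victim_ids": set()}
    for path in paths:
        name = PureWindowsPath(path).name
        if name == RANSOM_NOTE_NAME:
            report["ransom_notes"].append(path)
            continue
        parsed = parse_encrypted_name(name)
        if parsed is None:
            continue  # untouched file
        report["victim_ids"].add(parsed["victim_id"])
        if parsed["is_off"]:
            report["off_encrypted"].append((path, parsed["original"]))
        else:
            report["other_dharma"].append(path)
    return report

# Constructed sample listing (not taken from a real infection).
SAMPLE_LISTING = [
    r"C:\Users\alice\Documents\report.docx.id-1A2B3C4D.[tiocapvbu@aol.com].OFF",
    r"C:\Users\alice\Pictures\holiday.jpg.id-1A2B3C4D.[tiocapvbu@aol.com].OFF",
    r"C:\Users\alice\Desktop\FILES ENCRYPTED.txt",
    r"C:\Users\alice\Documents\notes.txt",
]
```

Running `triage_listing` over a real directory walk gives incident responders a scoped list of affected files and the victim ID the note asks for, without touching the encrypted files themselves.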
The message found inside the text file is:
'all your data has been locked us
You want to return?
Write email tiocapvbu@aol.com or 999@me2bgruzs6itptly.onion.'
The pop-up window contains the following text:
'All your files have been encrypted!
All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail tiocapvbu@aol.com
Write this ID in the title of your message -
In case of no answer in 24 hours write us to theese e-mails:999@me2bgruzs6itptly.onion
You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files.
Free decryption as guarantee
Before paying you can send us up to 1 file for free decryption. The total size of files must be less than 1Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.)
How to obtain Bitcoins
The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price.
hxxps://localbitcoins.com/buy_bitcoins
Also you can find other places to buy Bitcoins and beginners guide here:
hxxp://www.coindesk.com/information/how-can-i-buy-bitcoins/
Attention!
Do not rename encrypted files.
Do not try to decrypt your data using third party software, it may cause permanent data loss.
Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.'