Threat Database Ransomware OFFWHITE Ransomware

OFFWHITE Ransomware

By GoldSparrow in Ransomware

Ransomware threats are a malware type that has been growing in popularity in the world of cybercrime rapidly. Most ransomware threats operate in an identical manner – the threat would compromise your PC, encrypt your data, and then demand a payment in exchange for a decryption key. However, some authors of ransomware threats take it a tad further. The OFFWHITE Ransomware is a data-locking Trojan whose authors are not only selling a decryption key to the victims but also threatening to leak their personal information online if they do no pay the ransom fee demanded. This new strategy can prove to be very successful if the attackers are targeting businesses and government institutions that would not want their classified files leaked online under any circumstances.

Propagation and Encryption

The OFFWHITE Ransomware appears to be propagated via bogus emails. To attract the attention of the targets and trick them into opening the corrupted email, the attackers are likely to utilize bogus documents such as CVs, banking statements, invoices, etc. If the targets fall for the trickery of the attackers, the OFFWHITE Ransomware would compromise their system and begin the encryption process. The OFFWHITE Ransomware is designed to encrypt a wide variety of filetypes such as images, documents, audio files, videos, presentations, archives, spreadsheets, databases, etc. Once a file undergoes the encryption process of the OFFWHITE Ransomware, its name will be changed. This is due to the fact that the OFFWHITE Ransomware appends an ‘.OFFWHITE’ extension to the names of the newly locked files. This means that a file, which you had named ‘marble-skin.pdf,’ will be renamed to ‘marble-skin.pdf.OFFWHITE’ after the attack has been completed.

The Ransom Note

The OFFWHITE Ransomware would make sure to drop a ransom message on the infiltrated system. The message of the attackers is contained in a file called ‘OFFWHITE-MANUAL.txt.’ In the attackers’ ransom message, it is stated that unless the victims pay a significant ransom fee, their data will be uploaded to a website called According to malware researchers, the authors of the OFFWHITE Ransomware have already released the data of two companies – one located in Asia, and one located in Brazil. It is clear that the creators of the OFFWHITE Ransomware are fully prepared to go through with their threats and release companies’ sensitive data online if their demands are not met. There are three emails addresses provided as means of communication with the perpetrators of the attack

  • ‘’
  • ‘’
  • ‘’

The OFFWHITE Ransomware ransom note reads like the following:

Two things have happened to your company.
All of your files have been encrypted with military grade algorithms.
The only way to retrieve your data is with our software.
Restoration of your data requires a private key which only we possess.
Information that we deemed valuable or sensitive was downloaded from your network to a secure location.
We can provide proof that your files have been extracted.
If you do not contact us we will start leaking the data periodically in parts.
To confirm that our decryption software works email to us 2 files from random computers.
You will receive further instructions after you send us the test files.
We will make sure you retrieve your data swiftly and securely and that your data is not leaked when our demands are met.
If we do not come to an agreement your data will be leaked on this website.

Website: hxxp://
TOR link: hxxp://hxt254aygrsziejn.onion

Contact us via email:

As you can see, the note explains that OFFWHITE encrypts files using military-grade algorithms and claims the only way to decrypt data is using software and a decryption key purchased from the developers. Victims have to contact the attackers via email and can send them two files for decryption as a sign of good faith that the tools work. The ransom note warns that the sensitive data has also been stolen and will be leaked to the dark web if the ransom isn’t paid.

Unfortunately, there is truth to the claim that only the software developers can undo the encryption. Even so, you should never pay them or trust them. It is likely that they won’t provide the key or decryption tools you need after receiving the payment. You can prevent further damage by removing the ransomware, but the only way to get the data back is to restore it from a backup.

How Is Best OFFWHITE Distributed?

Ransomware like this has several ways to get on systems. The most common infection vector is the tried and true methods of email spam, gambling websites, porn websites, and P2P networks. It would help if you were vigilant when browsing the internet to avoid ransomware. Be sure to clear emails out of your spam folder and double-check the sender and content of an email before interacting with it. Grammatical errors are a common sign the email comes from an untrustworthy source.

It’s also worth avoiding third-party download sites. These websites lack the security of first-party sites and are breeding grounds for viruses. You go to the site to download software or update and end up with a virus instead. It helps to have robust antivirus and anti-malware protection on your computer too. These will be your first – and best – lines of defense against infection.

Regardless of the demands of cyber crooks, it is best not to give in and pay up. The authors of the OFFWHITE Ransomware may not provide users with a decryption key even if they get paid. They also may opt to leak the victims’ data online regardless of whether they get paid or not. This is why you should ensure your system’s safety by investing in a legitimate ant-virus software suite.


Most Viewed