Omerta Ransomware
The Omerta Ransomware is an encryption ransomware Trojan. The Omerta Ransomware, like other encryption ransomware Trojans, is designed to use a strong encryption algorithm to lock access to the victim's files. The victim is then asked to purchase a decryption program to regain access to the affected files. The Omerta Ransomware seems to be delivered mainly through spam email attachments, often using social engineering techniques to trick computer users into opening an attached file. The Omerta Ransomware will be installed onto the victim's computer when the attached file is opened, and it will initiate its attack, taking the victim's files hostage.
How the Omerta Ransomware Carries Out Its Attack
The Omerta Ransomware uses the AES encryption to make the victim's files inaccessible. The Omerta Ransomware targets the user-generated files, which may include a wide variety of media, documents, databases, and other file types. The Omerta Ransomware seems to be derived from HiddenTear, an open source ransomware platform that has been active since 2015. Once the Omerta Ransomware adds a file extension to the targeted files, they can be easily identified because the string '[XAVAX@PM.ME].omerta' will be added to each affected file's name, changing its extension. The Omerta Ransomware targets specific file types in its attack, which includes:
.3dm, .3g2, .3gp, .7zip, .aaf, .accdb, .aep, .aepx, .aet, .ai, .aif, .as, .as3, .asf, .asp, .asx, .avi, .bmp, .c, .class, .cpp, .cs, .csv, .dat, .db, .dbf, .doc, .docb, .docm, .docx, .dot, .dotm, .dotx, .dwg, .dxf, .efx, .eps, .fla, .flv, .gif, .h, .idml, .iff, .indb, .indd, .indl, .indt, .inx, .jar, .java, .jpeg, .jpg, .js, .m3u, .m3u8, .m4u, .max, .mdb, .mid, .mkv, .mov, .mp3, .mp4, .mpa, .mpeg, .mpg, .msg, .pdb, .pdf, .php, .plb, .pmd, .png, .pot, .potm, .potx, .ppam, .ppj, .pps, .ppsm, .ppsx, .ppt, .pptm, .pptx, .prel, .prproj, .ps, .psd, .py, .ra, .rar, .raw, .rb, .rtf, .sdf, .sdf, .ses, .sldm, .sldx, .sql, .svg, .swf, .tif, .txt, .vcf, .vob, .wav, .wma, .wmv, .wpd, .wps, .xla, .xlam, .xll, .xlm, .xls, .xlsb, .xlsm, .xlsx, .xlt, .xltm, .xltx, .xlw, .xml, .xqx, .xqx, .zip.
Once a file has been encrypted, the original version of the file, as well as the Shadow Volume Copies of the files will be deleted, to prevent the victims from accessing their files by using alternate methods.
The Omerta Ransomware's Ransom Note
The Omerta Ransomware enciphers the files to demand a ransom payment in exchange for the decryption key (needed to restore the affected files). The Omerta Ransomware delivers its ransom note in a text file that is named 'READ THIS IF YOU WANT TO GET ALL YOUR FILES BACK.TXT.' The Omerta Ransomware ransom note is dropped on the infected computer's Desktop and contains the following message:
'IF YOU WANT TO GET ALL YOUR FILES BACK, PLEASE READ THIS
Your files are now encrypted!
-----BEGIN PERSONAL IDENTIFIER-----
[random characters]
-----END PERSONAL IDENTIFIER-----
All your files have been encrypted due to a security problem with your PC.
Now you should send us email with your personal identifier.
This email will be as confirmation you are ready to pay for decryption key.
You have to pay for decryption in BITCOINS. The price depends on how fast you write to us.
After payment we will send you the decryption tool that will decrypt all your files.
Contact us using this email address: XAVAX@PM.ME'
Threats like the Omerta Ransomware will demand a ransom amount ranging between 300 and 600 USD, to be paid using Bitcoin. Malware researchers think that computer users should refrain from paying the Omerta Ransomware ransom since the criminals will often ignore the payment and it may expose the victim to further attacks. Also, paying ransoms like this one allows the criminals to continue developing and distributing threats like the Omerta Ransomware. Instead, computer users should prevent attacks like the Omerta Ransomware by taking some precautionary actions such as having file backups in a safe location and using a security program that is fully up-to-date.
