ORCA Ransomware

ORCA Ransomware Description

The ORCA Ransomware is a malware threat equipped with potent encryption capabilities. Once it has infiltrated the targeted computers, the threat will lock the various files stored there - documents, PDFs, archives, databases, images, photos, etc. Restoration of the affected files without the proper decryption keys is typically impossible. When cybersecurity researchers analyzed the ORCA Ransomware, they discovered that it is a variant of the ZEPPELIN malware family.

Victims of the threat will notice that their files have had their original names modified. Indeed, the threat adds '.ORCA' followed by an ID string generated specifically for the victim as new file extensions. Affected users or organizations also will notice that an unfamiliar file named 'HOW_TO_RECOVER_DATA.hta' has appeared on the desktop of the breached devices. The purpose of the file is to deliver a ransom note with instructions from the attackers.

According to the message, besides locking the victim's files, the threat actors also have managed to exfiltrate important confidential data that is now stored on their private server. This is a common tactic employed in double-extortion operations. Victims are given 72 hours to pay a ransom in Bitcoin. After that period is over, the hackers threaten to delete the decryption key needed for the restoration of the locked files. In addition, if they do not receive the asked payment, the hackers also will publish the collected data to the public. The ransom note mentions two email addresses - 'GoldenSunMola@aol.com' and 'GoldenSunMola@cyberfear.com,' as potential communication channels

The full text of ORCA Ransomware's note is:

'YOUR FILES HAVE BEEN ENCRYPTED
Your ID to decrypt:
Contact us: GoldenSunMola@aol.com | GoldenSunMola@cyberfear.com

Unfortunately for you, due to a serious vulnerability in IT security, you are vulnerable to attacks!
To decrypt files, you need to get a private key.
The only copy of the secret key that can be used to decrypt files is on a private server.
The server will destroy the key within 72h after the encryption is completed.
To save the key for a longer period, you can contact us and provide your ID!

In addition, we collect strictly confidential/personal data.
This data is also stored on a private server.
Your data will be deleted only after payment!
If you decide not to pay, we will publish your data to everyone or resellers.
So you can expect your data to become publicly available in the near future!

It's just a business and we only care about making a profit!
The only way to get your files back is to contact us for further instructions!
To establish a trust relationship, you can send 1 file for test decryption (no more than 5 MB)

Do not waste your time searching for other decryption methods - THERE ARE NONE, you will pay more for your time!
Every day the price of decryption increases!
Do not rename encrypted files.
Do not use third-party programs to decrypt files - they can only do harm!
After payment, you get a decoder (.exe), you only need to run it, and it will do everything by itself.
I only accept Bitcoins! You can learn how to buy them on the Internet.
'

Related Posts