Origami Ransomware

By GoldSparrow in Ransomware

Ransomware threats often target users at random. The goal is to use an encryption algorithm to lock the files present on the victim's computer. After the encryption process completes, the user is asked to pay cash to receive a decryptor that is meant to reverse the damage done to their data. Many authors of ransomware threats fail to hold up their end of the deal, and even users who pay the ransom fee rarely receive the decryption tool they need to recover their files. This is why it is advisable to avoid cooperating with cybercriminals.

Propagation and Encryption

The Origami Ransomware is likely targeting a wide array of filetypes such as .jpg, .jpeg, .svg, .png, .gif, .doc, .docx, .txt, .pdf, .mp3, .wav, .mid, .midi, .mp4, .mov, .ppt, .pptx, .rar, .zip and many others. This ensures that almost all the data on the target's PC will be locked securely. The Origami Ransomware uses a secure encryption algorithm to lock the files of the user. Once a file is encrypted, its filename is changed, as the Origami Ransomware appends a '.[<VICTIM ID>].[origami7@firemail.cc].origami' extension. This means that a file that you had named 'ice-peak.mov' will be renamed to 'ice-peak.mov.[<VICTIM ID>].[origami7@firemail.cc].origami'. A unique victim ID is created for every affected user, as this allows the attackers to differentiate between the compromised hosts.

Authors of ransomware threats use various propagation methods to distribute file-lockers like the Origami Ransomware. The most popular ones include phishing emails, malvertising, fake social media posts, torrent trackers, fraudulent application downloads and updates, etc.

The Ransom Note

Next, the Origami Ransomware drops a ransom note on the desktop of the victim. The file containing the ransom message of the conmen is called 'readme-warning.txt'. The note is written in a Q&A format. In the ransom message, the attackers offer to decrypt two files for free, as proof that they have a working decryptor available. The two files should not exceed 1 MB in size. The creators of the Origami Ransomware ask to be contacted via email at 'origami7@firemail.cc' and 'prosoft@tutanota.com'. The attackers demand that the ransom fee be paid in Bitcoin.
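The renamed-file pattern and the note filename described above can be used to triage a disk image or file share. The following is an added example, not code from this article's author or any vendor: it walks a directory tree, recovers the original filename and victim ID from each renamed file, and lists copies of the ransom note. The victim ID format (any run of characters without square brackets), the case-insensitive match, and the sample ID 'A1B2C3' are assumptions.

```python
import os
import re
import tempfile
from collections import defaultdict

# Naming pattern from the article: <name>.[<VICTIM ID>].[origami7@firemail.cc].origami
# Assumption: the victim ID is any non-empty run of characters other than square brackets.
ORIGAMI_RE = re.compile(r"^(?P<original>.+)\.\[(?P<victim_id>[^\[\]]+)\]\.\[origami7@firemail\.cc\]\.origami$", re.I)
RANSOM_NOTE = "readme-warning.txt"  # note filename given in the article


def parse_origami_name(filename):
    """Return (original_name, victim_id) for a renamed file, else None."""
    m = ORIGAMI_RE.match(filename)
    return (m.group("original"), m.group("victim_id")) if m else None


def scan_tree(root):
    """Walk root; collect original paths of renamed files per victim ID, plus note paths."""
    by_victim = defaultdict(list)
    notes = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            parsed = parse_origami_name(name)
            if parsed:
                by_victim[parsed[1]].append(os.path.join(dirpath, parsed[0]))
            elif name.lower() == RANSOM_NOTE:
                notes.append(os.path.join(dirpath, name))
    return {"victims": dict(by_victim), "notes": notes}


def demo():
    """Scan a constructed directory tree (empty files; victim ID 'A1B2C3' is made up)."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "Desktop"))
        os.makedirs(os.path.join(root, "Videos"))
        for rel in (
            "Videos/ice-peak.mov.[A1B2C3].[origami7@firemail.cc].origami",
            "Videos/untouched.mp4",
            "Desktop/readme-warning.txt",
            "Desktop/report.docx.[A1B2C3].[origami7@firemail.cc].origami",
        ):
            open(os.path.join(root, *rel.split("/")), "w").close()
        result = scan_tree(root)
        return sorted(os.path.basename(p) for p in result["victims"]["A1B2C3"]), len(result["notes"])


if __name__ == "__main__":
    print(demo())
```

More than one victim ID in the result suggests that several infected hosts wrote to the same share.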

It is recommended to remove the Origami Ransomware from your PC with the assistance of a reputable, modern anti-malware suite.
