PewPew Ransomware Description
The PewPew Ransomware is designed to use a combination of AES-256 and RSA-2048 encryption algorithms to 'lock' the files of every computer system it compromises. As a consequence, users can no longer access their personal or business-related documents, spreadsheets, databases, videos, pictures, or audio files. The hackers then request the payment of a ransom in exchange for the decryption tool or key that could potentially restore the encrypted files.
When the PewPew Ransomware encrypts a file, it modifies the original filename heavily by appending a string representing the unique ID of the victim, an email address under the control of the hackers - 'pewpew@TuTa.io,' and finally '.abkir' as a new extension. The ransom note with instructions to the affected users is dropped both as a text file named 'info-decrypt.txt' and as an HTML executable named 'info-decrypt.hta.'
While for the most part the text found in both files carries similar instructions, there are also some significant differences. The PewPew Ransomware's victims are told that to get the decryption tool, they have to make a payment in Bitcoin to the cryptocurrency wallet address of the hackers. The specific amount is not mentioned, but both ransom notes state that it may depend on how quickly affected users establish contact with the criminals. The primary email address provided for that purpose is 'pewpew@TuTa.io.' If there is no response within 12 hours, victims are told to use the secondary email address at 'pewpew@Protonmail.com.' The .hta file states that victims can attach up to 5 files with a combined size of less than 4MB to be decrypted for free. The instructions in the text file, however, allow for only a single file of less than 1MB to be sent.
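The renaming scheme and ransom-note filenames described above are the indicators a responder would sweep a file share or endpoint for. The following is an added example (not code from the original page or from any vendor tool) that classifies a listing of paths by those indicators and summarises which directories are affected. It assumes the exact layout `<name>.<victim ID>.[pewpew@TuTa.io].abkir` for the sample entries, since the page names the appended components but not their separators; the check itself only requires the email address and the '.abkir' extension to appear in the filename, so it is robust to the separator choice. The sample listing is constructed, not real data.

```python
"""Sweep a list of file paths for the PewPew indicators named in the write-up."""
from collections import Counter
from pathlib import PureWindowsPath
from typing import Dict, Iterable, List, Optional

# Indicators taken from the page: the appended attacker email, the new
# extension, and the two ransom-note filenames. Compared case-insensitively.
ATTACKER_EMAIL = "pewpew@tuta.io"
ENCRYPTED_EXT = ".abkir"
RANSOM_NOTES = frozenset({"info-decrypt.txt", "info-decrypt.hta"})


def classify(path: str) -> Optional[str]:
    """Return 'encrypted', 'ransom_note', or None for a single path.

    A file is only treated as encrypted when BOTH the extension and the
    attacker email are present, so an unrelated '.abkir' file is not flagged.
    """
    name = PureWindowsPath(path).name.lower()
    if name in RANSOM_NOTES:
        return "ransom_note"
    if name.endswith(ENCRYPTED_EXT) and ATTACKER_EMAIL in name:
        return "encrypted"
    return None


def scan(paths: Iterable[str]) -> Dict[str, object]:
    """Classify every path and summarise the result for an incident report."""
    findings: Dict[str, List[str]] = {"encrypted": [], "ransom_note": []}
    for p in paths:
        kind = classify(p)
        if kind is not None:
            findings[kind].append(p)

    # Count encrypted files per parent directory to show the blast radius.
    affected = Counter(str(PureWindowsPath(p).parent) for p in findings["encrypted"])

    return {
        "encrypted_count": len(findings["encrypted"]),
        "ransom_note_count": len(findings["ransom_note"]),
        "affected_dirs": dict(affected),
        # Both renamed files and a dropped note are needed before calling it PewPew.
        "likely_pewpew": bool(findings["encrypted"]) and bool(findings["ransom_note"]),
    }


# Constructed sample listing (assumed ID format 'id-A1B2C3D4'; not real IoCs).
SAMPLE_PATHS = [
    r"C:\Users\alice\Documents\report.docx.id-A1B2C3D4.[pewpew@TuTa.io].abkir",
    r"C:\Users\alice\Documents\budget.xlsx.id-A1B2C3D4.[pewpew@TuTa.io].abkir",
    r"C:\Users\alice\Pictures\holiday.jpg.id-A1B2C3D4.[pewpew@TuTa.io].abkir",
    r"C:\Users\alice\Documents\info-decrypt.txt",
    r"C:\Users\alice\Documents\info-decrypt.hta",
    r"C:\Users\alice\Documents\notes.txt",          # untouched file
    r"C:\Users\alice\Downloads\archive.abkir",      # extension only: not flagged
]

if __name__ == "__main__":
    for key, value in scan(SAMPLE_PATHS).items():
        print(f"{key}: {value}")
```

On a live host, feed `scan()` the output of a recursive directory walk rather than the constructed list; the per-directory counts are what you would carry into the restore-from-backup step, since they tell you exactly which locations need to be replaced.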
The text found in the 'info-decrypt.txt' files is:
'All your files have been encrypted !
( All your files have been encrypted with AES256 + RSA2048 Algorithm due to a security problem with your PC )
- If you want to restore them, write us to the email: pewpew@TuTa.io
- Write this ID in the title of your message : -
- If you do not receive a response within 12 hours, send a message to this email: pewpew@Protonmail.Com
( You have to pay for decryption in Bitcoins )
- The price depends on how fast you write to us.
- After payment we will send you the decryption tool that will decrypt all your files.
( Free decryption as guarantee )
- Before paying you can send us up to 1 file for free decryption.
- The total size of files must be less than 1Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.)
( How to obtain Bitcoins )
- The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price.
- Also you can find other places to buy Bitcoins and beginners guide here:
- [ pewpew TEAM ]'
The ransom note from the 'info-decrypt.hta' file states:
'All your files have been encrypted!
All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the email: pewpew@TuTa.io
Write this ID in the title of your message : -
In case of no answer in 12 hours write us to this email: pewpew@Protonmail.Com
You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the tool that will decrypt all your files.
Free decryption as guarantee
Before paying you can send us up to 5 files for free decryption. The total size of files must be less than 4Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.)
How to obtain Bitcoins
The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price.
Also you can find other places to buy Bitcoins and beginners guide here:
Do not rename encrypted files.
Do not try to decrypt your data using third party software, it may cause permanent data loss.
Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.'
As the ransom note explains, the ransomware encrypts files using the AES-256 and RSA-2048 encryption algorithms. The only way to undo the encryption would indeed be with a decryption tool, and only the hackers have access to it. They say that they will give it to the victim if they receive payment in Bitcoin. Victims are told to contact the developers at the e-mail addresses given in the note (pewpew@TuTa.io, or pewpew@Protonmail.com if there is no reply within 12 hours) to learn more. The size of the ransom can depend on how quickly the victim gets in touch: the earlier they establish contact, the smaller the ransom will supposedly be.
While it's true that only the hackers have access to the decryption key, it's also true that victims are unlikely to get the tool even if they send the payment. It is therefore recommended that you never pay the ransom to the cybercriminals for any kind of ransomware. You can get your data back by using an external backup, which is one reason it is worth taking the time to create regular backups of your data. Make sure that you remove the ransomware from your computer before attempting data recovery, to prevent the restored files from being encrypted again. Unfortunately, removing the ransomware isn't enough to decrypt files that have already been encrypted.
As a rule, ransomware is created to prevent users from accessing their files in order to extort a ransom payment out of them. There are two key differences between ransomware infections: the cost of the decryption tool and the cryptographic algorithm used on the files. More often than not, it is impossible to decrypt the data without the hackers' involvement. It may be possible in cases where the ransomware is poorly developed and has bugs, but don't count on this. It is recommended that people keep regular backups of their data, given that backups are the only safe and effective way to restore lost files after a ransomware attack.
How Does Ransomware Infect Computers?
Cybercriminals have several different ways to distribute viruses, including ransomware. The most common infection methods are spam e-mails, trojan virus infections, untrustworthy third-party download sites, software “cracking” tools, and unofficial software updates.
A malspam campaign is when an attacker sends hundreds, if not thousands, of emails. The emails contain a malicious link or a file attachment. These emails are written to look as if they come from a legitimate source, such as a delivery company. Readers are tricked into interacting with the link or file attachment, infecting their computer in the process. The attachments are typically a ZIP, RAR, executable file, or Microsoft Office document/spreadsheet. Always make sure you know who sent you an email before you open a link or attachment.
Trojan viruses, much like the Trojan horse of old, are designed to carry more complex malware inside them. They are small and simple programs that can more easily slip past the defenses of an antivirus product. Once a trojan gets onto your computer, it "opens up" and installs the other malware as part of a chain infection. Security programs would typically catch the main virus on its own, but the trojan wrapper effectively hides it from them.
Illegal activation tools for pirated software are another common infection vector. These programs may activate software you download from torrent sites, but it's just as likely that they will infect your computer in the process; some of them do nothing but infect the computer. Hackers also disguise their viruses as popular software to trick people into downloading them when looking for pirated copies. The risk isn't worth it.
Unofficial download sites are another common infection point for viruses like PewPew Ransomware. Avoid using third-party download sites as these are breeding grounds for malware. Free file hosting sites, freeware download sites, torrents, and third-party installers could contain viruses. This isn’t to say that all freeware is bad, just that you should download through official channels and websites as much as possible.