
Plague17 Ransomware

By GoldSparrow in Ransomware

Recently, malware researchers have uncovered a brand-new ransomware threat called the Plague17 Ransomware. Upon further inspection, it would appear that this data-locking Trojan does not belong to any of the popular ransomware families.

Cybersecurity experts have not yet been able to determine with certainty which infection vectors are used to propagate this file-encrypting Trojan. It is widely speculated that the creators of the Plague17 Ransomware rely on some of the most favored methods of spreading ransomware threats, such as mass spam email campaigns carrying infected attachments, fraudulent software updates, and fake pirated copies of popular applications. If the Plague17 Ransomware manages to compromise your system, it begins the attack with a swift scan meant to locate all the files that this data-locking Trojan will encrypt in the next phase of the attack. Once the scan is done, the Plague17 Ransomware proceeds with its encryption process and renames all the locked files following this pattern: '.PLAGUE17-.

Next, the Plague17 Ransomware drops its ransom note, named 'Plague17.txt.' The note is available only in Russian. In it, the attackers warn the victim not to rename any of the locked files and not to attempt to use a third-party decryption tool, claiming that doing so will cause the user to lose all their data permanently. The authors of the Plague17 Ransomware provide the victim with an email address at which they demand to be contacted – '' They also state that the user has to include all the text from the ransom note in their email or, alternatively, type the number '68286653'.

The Plague Ransomware may also spread via a payload dropper infection vector, one that initiates the malicious script for the ransomware. The threat may also distribute itself through payload files on file-sharing services and/or social media. In some cases, this kind of threat may also be seen spreading via freeware through software bundles.

The lock screen and ransom notes of the Plague Ransomware contain the following message in Russian meant to scare users into paying the ransom demands:

Если Вы читаете это сообщение, значит Ваш компьютер был атакован опаснейшим вирусом.
Вся Ваша информация (документы, базы данных, бэкапы и другие файлы) на этом компьютере была зашифрована.
Все зашифрованые файлы имеют расширение .PLAGUE17
Ни в коем случае не изменяйте файлы! И не используйте чужие дешифраторы, Вы можете потерять Ваши файлы навсегда.

Напишите нам письмо на адрес , чтобы узнать как получить дешифратор.

Если мы Вам не ответили в течении 3 часов – повторите пересылку письма.

В письмо вставьте текст из файла 'PLAGUE17.txt' или напишите номер – 68286653
В первом письме не прикрепляйте файлы для дешифровки. Все инструкции вы получите в ответном письме.

The note roughly translates as the following:

If you read this message, it means that your computer has been attacked by a dangerous virus.
All your information (documents, databases, backups, and other files) on this computer has been encrypted.

All encrypted files have the extension .PLAGUE17
Never modify the files! And do not use other people's decoders; you can lose your files forever.

Email us at to find out how to get the decoder.

If we have not answered you within 3 hours, please resend the letter.

Insert the text from the file 'PLAGUE17.txt' into the letter or write the number - 68286653
In the first letter, do not attach files for decryption. You will receive all instructions in a reply letter.

Users are advised to avoid paying any kind of ransom, as there is no guarantee any decryption will take place.

The Plague17 Ransomware may also create Windows Registry entries to achieve persistence on infected systems, and it may launch or stop processes running in the background. All encrypted files are appended with the .PLAGUE17 extension alongside a randomly generated name, so that the original file name can no longer be recognized. The affected files span a range of audio, video, document and image formats, as well as data backups and banking data:

.$$$, .[0-9]+, .~ini, .~klt, .1cd, .1cd2, .1cl, .1ey, .1txt, .2, .2cd, .6t[0-9], .6tr, .7z, .7zip, .8t0, .8tr, .9tr, .a2u, .a3d, .aad, .abd, .accdb, .adb, .adi, .afd, .ai, .als, .amp, .amr, .ans, .apc, .apk, .apx, .arc, .arch, .arh, .arj, .atc, .atg, .ava, .avhd, .avhdx, .awr, .axx, .bac[0-9], .backup, .bak, .bck, .bco, .bcp, .bde, .bdf, .bdf, .bf, .bf3, .bg, .bip, .bkc, .bkf, .bkp, .bks, .blb, .blf, .blk, .bln, .bls, .bls, .bmp, .box, .bpl, .bpn, .btr, .burn, .bz, .bz2, .car, .cbf, .cbm, .cbu, .cdb, .cdr, .cdx, .cer, .cf, .cfl, .cfu, .cia, .cmt, .cnc, .cpr, .cr2, .cripted, .criptfiles, .crypt, .csv, .ctl, .ctlg, .cuc, .cui, .cuix, .custom, .dafile, .data, .db, .db[0-9], .dbf, .dbk, .dbs, .dbt, .dbx, .dcf, .dcl, .dcm, .dct, .dcu, .dd, .ddf, .ddt, .dfb, .dff, .dfp, .dgdat, .dic, .diff, .dis, .djvu, .dmp, .doc, .docx, .dot, .dpr, .dproj, .drs, .dsus, .dt, .dtz, .dump, .dwg, .dz, .ect, .edb, .efd, .efm, .eif, .elf, .eml, .enc, .enz, .epf, .eps, .erf, .ert, .esbak, .esl, .eso, .etw, .export, .fbf, .fbk, .fdb, .fdb[0-9], .fi, .fil, .fkc, .fld, .flx, .fob, .fpf, .fpt, .frf, .frm, .frp, .frw, .frx, .fxp, .gbk, .gbp, .gd, .gdb, .gdoc, .gfd, .gfo, .gfr, .gho, .ghost, .ghs, .gif, .gopaymeb, .gpd, .granit, .grd, .gsheet, .gsn, .gz, .gzip, .hbi, .hbk, .hdf, .his, .hive, .htm, .html, .ib, .idf, .idx, .ifm, .ifo, .ifs, .ima, .img, .imgc, .imh, .imm, .indd, .info, .ipa, .ips, .irsf, .irsi, .irss, .iso, .isz, .iv2i, .jbc, .jpeg, .jpg, .jrs, .kdc, .keg, .key, .klt, .kmn, .kpm, .kwm, .laccdb, .last, .lay6, .lbl, .ldb, .ldf, .ldif, .ldw, .lg, .lgd, .lgf, .lgp, .lic, .lis, .lky, .lnk, .local, .lock, .lrv, .lsp, .lst, .lvd, .lzh, .m2v, .mac, .mak, .map, .max, .mb, .mbox, .mcx, .md, .md5, .mdb, .mde, .mdf, .mdmp, .mdt, .mdw, .mdx, .meb, .mft, .mig, .mkd, .mnc, .mnr, .mns, .mod, .mov, .msf, .mtl, .mxl, .mxlz, .mxlz, .myd, .myi, .n[0-9], .nag, .nbi, .nbk, .nbr, .nc, .nd[0-9], .ndf, .ndt, .nef, .new, .nif, .nrg, .nsf, .ntx, .nvram, .obf, .ods, .odt, .ogd, .ok, .okk, .old, .one, .onetoc2, 
.ora, .ord, .ost, .out, .ovf, .oxps, .p12, .packed, .pak, .pas, .paycrypt@gmail_com, .pbd, .pbf, .pck, .pdf, .pdt, .pf, .pfi, .pfl, .pfm, .pfx, .pgd, .pgp, .php, .pka, .pkg, .pkr, .plan, .plb, .pln, .plo, .pm, .pml, .png, .pnl, .ppd, .ppsx, .ppt, .pptx, .prb, .prg, .prk, .profile, .prv, .ps1, .psd, .psl, .pst, .pwd, .pwm, .px, .py, .q1c, .qib, .qrp, .qst, .rar, .rbf, .rcf, .rdf, .rec, .rep, .repx, .req, .res, .rez, .rgt, .rk6, .rn, .rpb, .rpt, .rst, .rsu, .rtf, .rvs, .sac, .sacx, .save, .saved, .sbin, .sbk, .sbp, .scn, .sct, .scx, .sdb, .sdf, .sdl, .sel, .sem, .sfpe, .sfpz, .sgn, .shd, .shdb, .shdl, .shs, .skr, .sln, .smf, .smfx, .sna, .snp, .sob, .sobx, .spr, .sql, .sqlite, .sqm, .sqx, .srx, .ssd, .ssf, .ssp, .sst, .st[0-9], .stm, .stop, .str, .sv2i, .svc, .svp, .tab, .tar, .tbb, .tbc, .tbh, .tbi, .tbk, .tbl, .tbn, .tdb, .tgz, .thm, .tib, .tid, .tmf, .tmp, .tmp0, .tnx, .tpl, .tps, .trc, .trec, .trn, .tst, .twd, .txt, .ua_, .udb, .unf, .upd, .utf, .v2i, .v8i, .vault, .vbe, .vbk, .vbm, .vbx, .vct, .vcx, .vdb, .vdi, .ver, .vhd, .vhdx, .vib, .viprof, .vlx, .vmcx, .vmdk, .vmem, .vmp, .vmpl, .vmrs, .vmsd, .vmsn, .vmss, .vmx, .vmxf, .vpc, .vrd, .vrfs, .vsd, .vsv, .vswp, .vvr, .vvv, .wallet, .war, .wav, .wbcat, .wbverify, .wid, .wim, .wnw, .wrk, .wsb, .xch, .xg0, .xls, .xlsb, .xlsm, .xlsx, .xml, .xsc, .xsd, .xstk, .xtbl, .xxx, .xz, .yg0, .ytbl, .zip, .zrb, .zsp, .zup .БРОНЬ
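The indicators described above (the appended .PLAGUE17 marker, the dropped PLAGUE17.txt note with the number 68286653, and the list of targeted extensions) are enough for a simple host triage script. The following is an added example written for this page, not code from the threat database or from the malware itself. It assumes a constructed directory tree: the '-ab12cd' part of the encrypted file name is a placeholder for the random portion that the page's truncated rename pattern does not show, and TARGETED_EXTS is only a small subset of the extension list above.

```python
import os
import tempfile
from pathlib import Path
from typing import Optional

# Indicators taken from the write-up above: the appended extension, the ransom
# note name (the page spells it both 'Plague17.txt' and 'PLAGUE17.txt', so we
# match case-insensitively) and the victim number quoted in the note.
ENCRYPTED_MARKER = ".plague17"
NOTE_NAME = "plague17.txt"
VICTIM_ID = "68286653"

# Small subset of the targeted extensions listed on the page, used only to
# report which at-risk file types are present on the scanned path.
TARGETED_EXTS = {".docx", ".xlsx", ".pdf", ".1cd", ".vmdk", ".bak", ".sql", ".jpg"}


def classify_path(path) -> Optional[str]:
    """Classify one file as 'note', 'encrypted', 'targeted' or None."""
    path = Path(path)
    name = path.name.lower()
    if name == NOTE_NAME:
        return "note"
    # The page's rename pattern is truncated ('.PLAGUE17-...'), so match the
    # marker anywhere in the name rather than only as the final suffix.
    if ENCRYPTED_MARKER in name:
        return "encrypted"
    if path.suffix.lower() in TARGETED_EXTS:
        return "targeted"
    return None


def note_contains_victim_id(path: Path) -> bool:
    """True if a dropped note carries the number the attackers ask for."""
    try:
        return VICTIM_ID in path.read_text(encoding="utf-8", errors="replace")
    except OSError:
        return False


def scan_for_plague17(root) -> dict:
    """Walk a directory tree and collect Plague17 indicators, reporting
    POSIX-style relative paths so results are stable across platforms."""
    root = Path(root)
    found = {"encrypted": [], "notes": [], "notes_with_id": [], "targeted": []}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            p = Path(dirpath) / fname
            rel = p.relative_to(root).as_posix()
            kind = classify_path(p)
            if kind == "encrypted":
                found["encrypted"].append(rel)
            elif kind == "note":
                found["notes"].append(rel)
                if note_contains_victim_id(p):
                    found["notes_with_id"].append(rel)
            elif kind == "targeted":
                found["targeted"].append(rel)
    for key in found:
        found[key].sort()
    # Either artefact on its own is enough to call the host infected.
    found["infected"] = bool(found["encrypted"] or found["notes"])
    return found


def build_sample_tree(root) -> None:
    """Create a constructed tree: one encrypted document, one ransom note,
    one untouched targeted file and one file of no interest. The '-ab12cd'
    suffix is a placeholder for the random part the page's pattern elides."""
    root = Path(root)
    (root / "docs").mkdir(parents=True, exist_ok=True)
    (root / "photos").mkdir(exist_ok=True)
    (root / "docs" / "report.docx.PLAGUE17-ab12cd").write_bytes(b"\x00" * 64)
    (root / "docs" / "PLAGUE17.txt").write_text(
        "Все зашифрованые файлы имеют расширение .PLAGUE17\n"
        "или напишите номер – 68286653\n", encoding="utf-8")
    (root / "photos" / "vacation.jpg").write_bytes(b"\xff\xd8\xff" + b"\x00" * 32)
    (root / "system.log").write_text("nothing to see\n", encoding="utf-8")


def demo() -> dict:
    """Build the constructed tree in a temp directory and scan it."""
    tmp = tempfile.mkdtemp(prefix="plague17_demo_")
    build_sample_tree(tmp)
    return scan_for_plague17(tmp)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running scan_for_plague17 against a real volume reports the encrypted files, every dropped note (and whether it carries the victim number), and which untouched files are of the types this threat targets, which helps scope what still needs to be backed up before cleanup.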

Another dangerous ability of this ransomware threat is erasing all Shadow Volume Copies from the Windows OS using the following command:

vssadmin.exe delete shadows /all /Quiet
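Because the shadow copy deletion above runs as an ordinary child process, it shows up in process-creation telemetry and is one of the most reliable points at which to detect this kind of threat before it finishes. The following detection logic is an added example written for this page, not code from the threat database. The log lines are constructed for the example in a simple key="value" layout that mirrors the fields a Sysmon Event ID 1 record carries (Image, CommandLine, ParentImage); the parent process path is a made-up sample value.

```python
import re

# Constructed process-creation events in a key="value" layout modelled on the
# fields of a Sysmon Event ID 1 record. These are sample lines written for this
# example, not telemetry from a real infection.
SAMPLE_EVENTS = [
    r'EventID="1" Image="C:\Windows\System32\vssadmin.exe" '
    r'CommandLine="vssadmin.exe delete shadows /all /Quiet" '
    r'ParentImage="C:\Users\user\AppData\Local\Temp\update.exe"',
    r'EventID="1" Image="C:\Windows\System32\vssadmin.exe" '
    r'CommandLine="vssadmin list shadows" '
    r'ParentImage="C:\Windows\System32\cmd.exe"',
    r'EventID="1" Image="C:\Windows\System32\cmd.exe" '
    r'CommandLine="cmd.exe /c VSSADMIN.EXE Delete Shadows /All /Quiet" '
    r'ParentImage="C:\Users\user\AppData\Local\Temp\update.exe"',
    r'EventID="1" Image="C:\Program Files\Backup\agent.exe" '
    r'CommandLine="agent.exe --snapshot" '
    r'ParentImage="C:\Windows\System32\services.exe"',
]

FIELD_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_event(line: str) -> dict:
    """Split one key="value" line into a dict of fields."""
    return dict(FIELD_RE.findall(line))


def is_shadow_copy_deletion(cmdline: str) -> bool:
    """True when the command line invokes 'vssadmin delete shadows',
    regardless of case, of the .exe suffix, or of a cmd.exe /c wrapper."""
    tokens = cmdline.lower().replace('"', " ").split()
    for idx, tok in enumerate(tokens):
        if tok.endswith("vssadmin.exe") or tok.endswith("vssadmin"):
            args = tokens[idx + 1:]
            return len(args) >= 2 and args[0] == "delete" and args[1] == "shadows"
    return False


def find_shadow_deletions(lines) -> list:
    """Return one record per event whose command line deletes shadow copies,
    noting whether every copy was targeted and whether prompts were suppressed."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        cmd = ev.get("CommandLine", "")
        if is_shadow_copy_deletion(cmd):
            low = cmd.lower()
            hits.append({
                "parent": ev.get("ParentImage", ""),
                "cmdline": cmd,
                "all_copies": "/all" in low,
                "quiet": "/quiet" in low,
            })
    return hits


if __name__ == "__main__":
    for hit in find_shadow_deletions(SAMPLE_EVENTS):
        print(f"shadow copy deletion by {hit['parent']}: {hit['cmdline']}")
```

The token-based check matters more than a plain substring match: 'vssadmin list shadows' is benign administration and must not fire, while the same deletion launched through cmd.exe /c, or with a capitalised executable name, still must. Pairing a hit with an unusual parent process is what turns this from a noisy rule into an alert worth paging on.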

We strongly recommend that you resist any urge to contact the cybercriminals responsible for the Plague17 Ransomware. Instead, obtain a secure anti-malware tool and use it to remove the Plague17 Ransomware from your system.

