
Planetary Ransomware

By GoldSparrow in Ransomware

The Planetary Ransomware Trojan is a version of the HC7 Ransomware that came out on April 5th, 2019. The Planetary Ransomware features small modifications to the encryption model, and it communicates with a new set of 'Command and Control' servers. The changes implemented in the Planetary Ransomware may allow it to bypass some cybersecurity checks, but careless handling of email attachments is what gives the malware its reach. PC users should not accept files from spam emails or open self-extracting password-protected archives from unverified senders.

The Planetary Ransomware may run on compromised systems as a fake instance of Java, Adobe Reader and Windows Update. The Planetary Ransomware Trojan is known to use unique encryption keys and erase the Shadow Volume snapshots made by Windows. The Planetary Ransomware is associated with several file markers that AV vendors use to name versions of the program. We have seen the Planetary Ransomware add extensions like '.Mercury,' '.pluto,' '.mecury,' '.Neptune,' '.yum' and '.mira.' For example, 'Genetic robustness.pptx' may be transformed into 'Genetic robustness.pptx.pluto' and several other iterations. Analysis of user-submitted samples shows that the Planetary Ransomware may drop one of two ransom notes. Examples are listed below:
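The extension markers listed above are the quickest way for a responder to inventory what a Planetary infection touched, and the original file names are needed when feeding files to a decryptor. The script below is an added example, not code from the page or from any AV vendor: it takes a file listing, flags files whose final extension is one of the observed Planetary markers (matched case-insensitively, since the page records both '.Mercury' and '.mecury'), recovers the pre-encryption name by stripping only that final marker, and groups the hits per marker. The sample listing is constructed for illustration; `walk_tree` is a convenience helper for running it against a real directory.

```python
import os
from collections import defaultdict
from pathlib import Path

# Extension markers observed in Planetary Ransomware samples, as listed on the
# page. '.mecury' is kept as observed, not "corrected", because the marker is
# whatever the malware actually appended.
PLANETARY_MARKERS = {".mercury", ".pluto", ".mecury", ".neptune", ".yum", ".mira"}


def classify_path(path):
    """Return (original_path, marker) when the file name ends in a Planetary
    marker, else None. Only the last extension is examined, so
    'Genetic robustness.pptx.pluto' maps back to 'Genetic robustness.pptx'."""
    p = Path(path)
    stem, dot, ext = p.name.rpartition(".")
    # A bare name such as 'pluto' (no dot, no original extension) is not a hit.
    if not dot or not stem:
        return None
    if "." + ext.lower() not in PLANETARY_MARKERS:
        return None
    return str(p.with_name(stem)), "." + ext


def triage(paths):
    """Group suspected encrypted files by (lower-cased) marker.
    Returns {marker: [(encrypted_path, original_path), ...]}."""
    hits = defaultdict(list)
    for path in paths:
        result = classify_path(path)
        if result is not None:
            original, marker = result
            hits[marker.lower()].append((path, original))
    return dict(hits)


def walk_tree(root):
    """Yield every file path under root (hypothetical helper for live use)."""
    for dirpath, _, files in os.walk(root):
        for name in files:
            yield os.path.join(dirpath, name)


# Constructed sample listing for demonstration; not data from a real incident.
SAMPLE_LISTING = [
    "C:/Users/alice/Documents/Genetic robustness.pptx.pluto",
    "C:/Users/alice/Documents/budget.xlsx.Mercury",
    "C:/Users/alice/Pictures/holiday.jpg",
    "C:/Users/alice/Pictures/holiday.jpg.mira",
    "C:/Users/alice/Desktop/notes.txt.yum",
    "C:/Users/alice/Desktop/pluto",  # bare name, no original extension
]

if __name__ == "__main__":
    for marker, entries in sorted(triage(SAMPLE_LISTING).items()):
        print(f"{marker}: {len(entries)} file(s)")
        for encrypted, original in entries:
            print(f"  {encrypted} -> {original}")
```

Replace `SAMPLE_LISTING` with `list(walk_tree(r"D:\restore"))` to inventory a mounted image; the grouped output tells you which marker variants are present before you pick a decryptor.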

  • Version 1:
    '!!! ATTENTION, YOUR FILES WERE ENCRYPTED !!!
    Please follow few steps below:
    1.Send us your ID.
    2.We can decrypt 1 file what would you make sure that we have decription tool!
    3.Then you'll get payment instruction and after payment you will get your decryption tool!
    Do not try to rename files!!! Only we can decrypt all your data!
    Contact us:
    getmydata@india.com
    mydataback@aol.com
    Your ID: [redacted 64 uppercase hex]:[redacted 64 uppercase hex with dashes]
    [redacted 64 uppercase hex with dashes]:[redacted 64 uppercase hex with dashes]'

  • Version 2:
    'ALL FILES ARE ENCRYPTED.
    TO RESTORE, YOU MUST SEND $700 EQUIVALENT FOR ONE COMPUTER
    OR $5,000 FOR ALL NETWORK
    PAYMENTS ACCEPTED VIA BITCOIN, MONERO AND ETHEREUM
    BTC ADDRESS: [bitcoin_address]
    MONERO (XMR) ADDRESS: [monero_address]
    CONTACT US WHEN ETHEREUM PAYMENT INFORMATION
    BEFORE PAYMENT SENT EMAIL m4rk0v@tutanota.de
    ALONG WITH YOUR IDENTITY: [base64_encoded_computer_name]
    INCLUDE SAMPLE ENCRYPTED FILE FOR PROOF OF DECRYPT
    NOT TO SHUT OFF YOUR COMPUTER, UNLESS IT WILL BREAK'

There is no way to prove if the ransom notes are indicative of two separate teams using the same version of the Planetary Ransomware. However, infected machines appear to include different ransom notes based on what entity is operating them. Home PCs compromised by the Planetary Ransomware seem to receive "ransom note ver 1."

On the other hand, the machines employed in business environments feature "ransom note ver 2." Regular users and companies affected by the Planetary Ransomware may want to try the free "Planetary/Mira Ransomware Decryptor" provided by AV vendors. Do not pay the Planetary Ransomware developers; instead, attempt to recover your data using the decryptor mentioned above. It is best to clean compromised machines using an up-to-date computer security utility.
