PTP Ransomware

The PTP Ransomware is an encryption ransomware Trojan. The PTP Ransomware is one of the many variants of HiddenTear, an open source encryption ransomware platform that has been around since August 2015. The PTP Ransomware variant was first observed on August 8, 2018. It is likely that the PTP Ransomware is still in development since there are aspects of the PTP Ransomware that seem unfinished. The PTP Ransomware's code makes it likely that criminals located in South Korea developed the PTP Ransomware.

The Objective of the PTP Ransomware is to Extort Its Victims

The PTP Ransomware carries out a typical version of the encryption ransomware tactic, taking over the victims' computers and their files hostage. To do this, the PTP Ransomware uses the AES 256 encryption to make the victim's files inaccessible and then delivers a ransom note to ask the victim to pay a large amount of money to recover access to the compromised files. The PTP Ransomware targets the user-generated files in its attack, which may include a wide variety of media files, documents, databases, and numerous other file types. The files typically compromised in attacks like the PTP Ransomware include:

.ebd, .jbc, .pst, .ost, .tib, .tbk, .bak, .bac, .abk, .as4, .asd, .ashbak, .backup, .bck, .bdb, .bk1, .bkc, .bkf, .bkp, .boe, .bpa, .bpd, .bup, .cmb, .fbf, .fbw, .fh, .ful, .gho, .ipd, .nb7, .nba, .nbd, .nbf, .nbi, .nbu, .nco, .oeb, .old, .qic, .sn1, .sn2, .sna, .spi, .stg, .uci, .win, .xbk, .iso, .htm, .html, .mht, .p7, .p7c, .pem, .sgn, .sec, .cer, .csr, .djvu, .der, .stl, .crt, .p7b, .pfx, .fb, .fb2, .tif, .tiff, .pdf, .doc, .docx, .docm, .rtf, .xls, .xlsx, .xlsm, .ppt, .pptx, .ppsx, .txt, .cdr, .jpe, .jpg, .jpeg, .png, .bmp, .jiff, .jpf, .ply, .pov, .raw, .cf, .cfn, .tbn, .xcf, .xof, .key, .eml, .tbb, .dwf, .egg, .fc2, .fcz, .fg, .fp3, .pab, .oab, .psd, .psb, .pcx, .dwg, .dws, .dxe, .zip, .zipx, .7z, .rar, .rev, .afp, .bfa, .bpk, .bsk, .enc, .rzk, .rzx, .sef, .shy, .snk, .accdb, .ldf, .accdc, .adp, .dbc, .dbx, .dbf, .dbt, .dxl, .edb, .eql, .mdb, .mxl, .mdf, .sql, .sqlite, .sqlite3, .sqlitedb, .kdb, .kdbx, .1cd, .dt, .erf, .lgp, .md, .epf, .efb, .eis, .efn, .emd, .emr, .end, .eog, .erb, .ebn, .ebb, .prefab, .jif, .wor, .csv, .msg, .msf, .kwm, .pwm, .ai, .eps, .abd, .repx, .oxps, .dot.

The PTP Ransomware marks the files encrypted by its attack by adding the file extension '.PTPRansomware' to the end of the file's name. Once the PTP Ransomware has finished encrypting the victim's files, the PTP Ransomware will deliver a ransom note to the victim's computer. This ransom note is contained in a text file named 'READ_IT.TXT,' which is dropped on the infected computer's desktop and various other locations on the infected PC. The PTP Ransomware ransom note contains the following message written in Korean and English:

'Made by KimApple,
You have been infected with the PTP Ransomware
The file was sucked into construction
the PTP Ransomware will come back
work hard
The computer has become a fool
Discord : KimApple#1159'

It seems that the creators of the English version of the PTP Ransomware ransom note translated it from Korean to English using the Google Translate or similar tool because the PTP Ransomware ransom note displays poor grammar and syntax.

Protecting Your Data from Threats Like the PTP Ransomware

The best protection from threats like the PTP Ransomware is to have file backups. Having file backups allows computer users to restore their files after an attack without having to pay a ransom or contact the criminals responsible for the PTP Ransomware attack. Apart from file backups, PC security researchers strongly advise computer users to have a reliable security program that is fully up to date installed, which can prevent threats like the PTP Ransomware from being installed or remove this threat if it has already been installed. However, the PTP Ransomware encrypts the files in a way that they will not be recoverable without the decryption key.