
Pyphyfe Ransomware

Infosec researchers have identified a new ransomware threat lurking in the wild. Tracked as the Pyphyfe Ransomware, the threat aims to infiltrate victims' computers, engage a strong encryption process, and render the data stored on the machine both inaccessible and unusable. Like most ransomware, the attackers then try to extort the affected users for money in exchange for providing them with the decryption key required for the restoration of the data.

As part of its harmful behavior, the threat also marks each locked file. It does so by appending '.pyphyfe' as a new extension to the original names of the affected files. When all targeted file types have been encrypted, the malware creates a text file named 'HOW TO RESTORE YOUR FILES.TXT'. The file carries a ransom note with instructions for the victims. It should be noted that the Pyphyfe Ransomware is classified as a variant from the Snatch Ransomware family.
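For incident triage, the two markers described above (the appended extension and the note file name) are enough to inventory which directories were hit. The following read-only scanner is an added example, not code from the researchers or from this page; the function names, the case-insensitive matching, and the sample tree are assumptions made for illustration.

```python
import os
import sys
from collections import defaultdict

EXT = ".pyphyfe"                        # appended extension, from this page
NOTE = "HOW TO RESTORE YOUR FILES.TXT"  # ransom note file name, from this page

def inventory(root):
    """Read-only walk of root. Returns {dir: {"encrypted": [original names], "note": bool}}."""
    report = defaultdict(lambda: {"encrypted": [], "note": False})
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            # Case-insensitive comparison is an assumption made for this example.
            lower = name.lower()
            if lower == NOTE.lower():
                report[dirpath]["note"] = True
            elif lower.endswith(EXT) and len(name) > len(EXT):
                # The extension is appended, so the original name is the prefix.
                report[dirpath]["encrypted"].append(name[:-len(EXT)])
    return dict(report)

def totals(report):
    """Return (encrypted file count, directories holding a ransom note)."""
    files = sum(len(d["encrypted"]) for d in report.values())
    notes = sum(1 for d in report.values() if d["note"])
    return files, notes

def make_sample(root):
    """Create a constructed sample tree (empty files) under root for a dry run."""
    layout = {
        "docs": ["report.docx.pyphyfe", "budget.xlsx.PYPHYFE", NOTE],
        "clean": ["notes.txt", "pyphyfe_analysis.md"],
        os.path.join("docs", "old"): ["scan.pdf.pyphyfe"],
    }
    for sub, names in layout.items():
        os.makedirs(os.path.join(root, sub), exist_ok=True)
        for name in names:
            open(os.path.join(root, sub, name), "w").close()

if __name__ == "__main__":
    result = inventory(sys.argv[1] if len(sys.argv) > 1 else ".")
    for directory, info in sorted(result.items()):
        print(directory, len(info["encrypted"]), "encrypted, note:", info["note"])
    print("totals (files, notes):", totals(result))
```

The scanner only lists names and never opens, renames, or modifies files, so it can be run against a mounted forensic image or a live share to scope the affected directories before restoring from backup.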

Ransom Note's Details

The ransom note wastes no time and instructs Pyphyfe's victims to establish contact with the attackers immediately. The message mentions two email addresses that can be used as communication channels: 'JohnDealinger@seznam.cz' and 'JohnasassistantIT@seznam.cz'. The note doesn't reveal the sum that the hackers want to be paid.

Apparently, victims are also allowed to send up to 3 files to be decrypted for free. However, the chosen files must meet two requirements: the total unarchived file size must be less than 1MB, and the files must not contain any important information. The note also warns users not to rename the encrypted files or turn off any NAS (Network-Attached Storage) devices, as that could lead to permanent damage.

The full text of the note is:

'Hello!

All your files are encrypted!
Email me if you want to get your files back - I will do it very quickly!
Contact me by email:

JohnDealinger@seznam.cz or JohnasassistantIT@seznam.cz

The subject line must contain an encryption extension or the name of your company!
Do not rename encrypted files, you may lose them forever.
You may be a victim of fraud. Free decryption as a guarantee.
Send us up to 3 files for free decryption.
The total file size should be no more than 1 MB! (not in the archive), and the files should not contain valuable information. (databases, backups, large Excel spreadsheets, etc.)
!!! Do not turn off or restart the NAS equipment. This will lead to data loss !!!

To contact us, we recommend that you create an email address at protonmail.com or tutanota.com
Because gmail and other public email programs can block our messages!

If you do not receive a response from us for a long time, check your spam folder.'
