Threat Database Ransomware RansomWarrior 1.0 Ransomware

RansomWarrior 1.0 Ransomware

By GoldSparrow in Ransomware

Threat Scorecard

Threat Level: 100 % (High)
Infected Computers: 7
First Seen: August 12, 2018
Last Seen: February 5, 2019
OS(es) Affected: Windows

The RansomWarrior 1.0 Ransomware is an encryption ransomware Trojan first observed on August 8, 2018. The RansomWarrior 1.0 Ransomware is most likely being developed by a group of hackers located in India and carries out a typical variant of an encryption ransomware Trojan attack. The RansomWarrior 1.0 Ransomware takes the victims' files hostage and then demands a ransom payment from the victim to retrieve access to the compromised files.

The Warrior against Your Files

The RansomWarrior 1.0 uses the AES 256 encryption to make the victim's files inaccessible. The RansomWarrior 1.0 Ransomware marks the files encrypted by the attack by adding the file extension '.THBEC' to each file's name. The RansomWarrior 1.0 Ransomware is delivered to the victim's computer using spam email attachments. Once installed, the RansomWarrior 1.0 Ransomware encrypts the user-generated files, which may include files with the following file extensions:

.ebd, .jbc, .pst, .ost, .tib, .tbk, .bak, .bac, .abk, .as4, .asd, .ashbak, .backup, .bck, .bdb, .bk1, .bkc, .bkf, .bkp, .boe, .bpa, .bpd, .bup, .cmb, .fbf, .fbw, .fh, .ful, .gho, .ipd, .nb7, .nba, .nbd, .nbf, .nbi, .nbu, .nco, .oeb, .old, .qic, .sn1, .sn2, .sna, .spi, .stg, .uci, .win, .xbk, .iso, .htm, .html, .mht, .p7, .p7c, .pem, .sgn, .sec, .cer, .csr, .djvu, .der, .stl, .crt, .p7b, .pfx, .fb, .fb2, .tif, .tiff, .pdf, .doc, .docx, .docm, .rtf, .xls, .xlsx, .xlsm, .ppt, .pptx, .ppsx, .txt, .cdr, .jpe, .jpg, .jpeg, .png, .bmp, .jiff, .jpf, .ply, .pov, .raw, .cf, .cfn, .tbn, .xcf, .xof, .key, .eml, .tbb, .dwf, .egg, .fc2, .fcz, .fg, .fp3, .pab, .oab, .psd, .psb, .pcx, .dwg, .dws, .dxe, .zip, .zipx, .7z, .rar, .rev, .afp, .bfa, .bpk, .bsk, .enc, .rzk, .rzx, .sef, .shy, .snk, .accdb, .ldf, .accdc, .adp, .dbc, .dbx, .dbf, .dbt, .dxl, .edb, .eql, .mdb, .mxl, .mdf, .sql, .sqlite, .sqlite3, .sqlitedb, .kdb, .kdbx, .1cd, .dt, .erf, .lgp, .md, .epf, .efb, .eis, .efn, .emd, .emr, .end, .eog, .erb, .ebn, .ebb, .prefab, .jif, .wor, .csv, .msg, .msf, .kwm, .pwm, .ai, .eps, .abd, .repx, .oxps, .dot.

The RansomWarrior 1.0 Ransomware delivers a lengthy ransom note in the form of a program window containing the following message:

'Oops!!! Your Files Has Been Encrypted By RansomWarrior 1.0

Message for you from RansomWarrior 1.0 Hello, we are a group of dedicated hackers from India. We have encrypted all your files so we can get your money. All your important files has been encrypted which means you are going to pay us a ransom of 349 USD in Bitcoins. So first of all you can decrypt to of your important files and we will show you which files has been decrypted. Just so you can see that we do have your decryption key, and you will be able to buy it from us. You won't be able to get your important files back if you don't buy your decryption key. Notice a clock on the side, when that date arrives your important files will be deleted(You have 24 hours to pay the ransom).

You will be able to get Bitcoins, at sites such as or There are also others, but usually these are the usual choice (Make sure to get a little bit more Bitcoins, due to transaction fees and the crypto currency is very volatile. Its also a good idea to get the Bitcoins, as soon as possible, because sometimes the purchasing process can take hours. You would also need a wallet for your Bitcoins if you are not using the wallet. When you have your Bitcoins in your wallet. You are going to download and install the for browser. Go to and then follow the instructions given there.

You need the for browser, because our payment website is located in darknet. When you have downloaded and installed the for browser. Go to this link: zpkjjp57apz76k3q[.]onion\Pay\PayThis\Payment_1000731.PHP When you are on the website, you simply transfer your Bitcoins to the address that are provided to you(You can copy the address and then paste it in your Bitcoin wallet when you are transfering the Bitcoins). When your Bitcoins arrive to our wallet, you will be notified and then be able to download the decryption key. When you have your decryption key, simply place the key in your C:\ And then get all your important files back. The ransomware will then decrypt everything and remove itself.

Here is the entire lists of the way it's done:
1. Decrypt 2 important files as proof of decryption key and we decrypt to keep a good reputation about RansomWarrior 1.0.
2. Get a Bitcoin wallet(If needed)
3. Get the Bitcoins from coinbase[.]com or localbitcoins[.]com or an alternative.
4. Download and install the for browser from
5. Go to our website: zpkjjp57apz76k3q[.]onion\Pay\PayThis\Payment_1000731.PHP
6. Pay your Bitcoins to the Bitcoin address showed.
7. When accepted download your decryption key and put it in your C:\.
8. Then decrypt all of your important files and wait till the ransomware deletes itself.'

Protecting Your Data from the RansomWarrior 1.0 Ransomw

The best protection against threats like the RansomWarrior 1.0 Ransomware is to have file backups. Apart from file backups, you should have a reliable security program to prevent the RansomWarrior 1.0 Ransomware from being installed. File backups and security software can help prevent the worst consequences of threats like the RansomWarrior 1.0 Ransomware.

SpyHunter Detects & Remove RansomWarrior 1.0 Ransomware

File System Details

RansomWarrior 1.0 Ransomware may create the following file(s):
# File Name MD5 Detections
1. ransom-warrior-sample-check.exe d7d38fe6f2e94f0d0210a9e15ef45e4e 6
2. file.exe 36f130c8abbd25c056b3ee1d1605a6ba 0


Most Viewed