
Razer Ransomware

The Razer Ransomware was created specifically to encrypt the most important files on the devices it infects. Encrypting the files makes them unusable, which lets the threat actors try to extort their victims for money by selling them the required decryption software that contains the decryption key. This is typical behavior for almost any ransomware threat. The Razer Ransomware is a new version of the Makop Ransomware, which we described before.

As part of its encryption process, the Razer Ransomware appends a new file extension to the name of each targeted file, in this case '.[<VICTIM ID>].[razer1115@goat.si].razer'. A file containing instructions for the victims is then created on the infected system. It takes the form of a text file named 'readme-warning.txt'.
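The naming pattern and note file name described above are enough to inventory affected files for cleanup and backup restoration. The following is an added example, not code from the original page: the victim ID format is not given on the page, so the pattern accepts any bracket-free text, and the sample ID `1A2B3C4D` and the file names in `demo()` are constructed.

```python
import re
import tempfile
from pathlib import Path

# Pattern from the page: <original name>.[<VICTIM ID>].[<contact email>].razer
# Assumption: the victim ID is any text without square brackets.
RAZER_NAME = re.compile(
    r"^(?P<original>.+)\.\[(?P<victim_id>[^\[\]]+)\]"
    r"\.\[(?P<email>[^\[\]@]+@[^\[\]@]+)\]\.razer$", re.IGNORECASE)
NOTE_NAME = "readme-warning.txt"  # ransom note file name given on the page


def parse_razer_name(filename):
    """Return (original_name, victim_id, email), or None if the name does not match."""
    m = RAZER_NAME.match(filename)
    return (m["original"], m["victim_id"], m["email"]) if m else None


def triage(root):
    """Walk root; list ransom notes, renamed files with their original paths, and IDs seen."""
    report = {"encrypted": [], "notes": [], "victim_ids": set()}
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        if path.name.lower() == NOTE_NAME:
            report["notes"].append(path)
            continue
        parsed = parse_razer_name(path.name)
        if parsed:
            original, victim_id, _email = parsed
            # The second element is the path to look for in a backup.
            report["encrypted"].append((path, path.with_name(original)))
            report["victim_ids"].add(victim_id)
    return report


def demo():
    """Triage a constructed directory tree (empty files, constructed names)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "docs").mkdir()
        for name in ("docs/report.docx.[1A2B3C4D].[razer1115@goat.si].razer",
                     "docs/readme-warning.txt", "photo.jpg", "notes.razer"):
            (root / name).write_bytes(b"")
        rep = triage(root)
        return (sorted(orig.name for _enc, orig in rep["encrypted"]),
                len(rep["notes"]), sorted(rep["victim_ids"]))
```

A file that merely ends in `.razer` without the bracketed ID and email parts is not flagged, which keeps unrelated files out of the restore list.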

A Very Poor Ransom Note

The ransom note contains only the few elements needed to serve its purpose. Victims are warned that they must use the cryptocurrency Bitcoin to pay the demanded ransom. However, there is no proof that the criminals will honor their part of the deal, and victims scared enough to pay the ransom may end up without their money and their data. Another piece of information that the criminals provide is their email addresses: razer1115@goat.si, pecunia0318@goat.si and pecunia0318@tutanota.com. The first step users infected with the Razer Ransomware need to take is to use an anti-virus scanner to remove it and its files. Then, they may try to restore their files from a backup, if one is available, or look for other decryption solutions.

The full ransom note reads:

'::: Greetings :::

Little FAQ:
.1.
Q: Whats Happen?
A: Your files have been encrypted and now have the "razer" extension. The file structure was not damaged, we did everything possible so that this could not happen.

.2.
Q: How to recover files?
A: If you wish to decrypt your files you will need to pay in bitcoins.

.3.
Q: What about guarantees?
A: Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will cooperate with us. Its not in our interests.
To check the ability of returning files, you can send to us any 2 files with SIMPLE extensions(jpg,xls,doc, etc... not databases!) and low sizes(max 1 mb), we will decrypt them and send back to you. That is our guarantee.

.4.
Q: How to contact with you?
A: You can write us to our mailbox: razer1115@goat.si or pecunia0318@tutanota.com or pecunia0318@goat.si

.5.
Q: How will the decryption process proceed after payment?
A: After payment we will send to you our scanner-decoder program and detailed instructions for use. With this program you will be able to decrypt all your encrypted files.

.6.
Q: If I don’t want to pay bad people like you?
A: If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause only we have the private key. In practice - time is much more valuable than money.

:::BEWARE:::
DON'T try to change encrypted files by yourself!
If you will try to use any third party software for restoring your data or antivirus solutions - please make a backup for all encrypted files!
Any changes in encrypted files may entail damage of the private key and, as result, the loss all data.'
