RONALDIHNO ENCRYPTER Ransomware
The RONALDIHNO ENCRYPTER Ransomware threat can be used in attack operations targeting the data on infected devices. By running an encryption routine on the victim's system, the threat will lock any documents, PDFs, images, archives, databases, etc. The operators of the RONALDIHNO ENCRYPTER Ransomware will then extort the affected users for money, in exchange for providing them with the necessary software tool and decryption keys that could restore the locked files.
Whenever the threat impacts a file, it also modifies that file's original name by adding '.cr7' to it as a new extension. In addition, it will change the current desktop wallpaper, and create a text file named 'READ_THIS.tx,' as a way to deliver two ransom notes with instructions for the impacted users.
The message shown as a desktop background states that victims must message the 'dupex876@gmail.com' email address for additional information. It also states that the attackers accept nearly all cryptocurrencies for ransom payments. Curiously, both ransom notes also specifically state that users in Poland can pay the hackers via BLIK, which could be a sign that the RONALDIHNO ENCRYPTER Ransomware is focused primarily on targets from that country.
The text file reiterates most of the same information, but also contains several important warnings. Apparently, stopping the process of the threat via Task Manager could result in system errors and blue screens. Changing the extensions of the encrypted files could damage them. The ransom note reveals that victims have just 24 hours to pay $20 as a ransom to the attackers.
The full text of the RONALDIHNO ENCRYPTER Ransomware note is:
'Welcome to
RONALDIHNO ENCRYPTER
READ INSTRUCTION
READ ALL 😀Okay you got my virus, so if you want decrypt your all files you must follow my instruction
Dont kill proccess in task manager, if you kill my virus your computer can get bluescreen and hardware lock
If you change file exstesion ( myfile.lock - myfile.png ) you files can get DELETED only if you change files extesion!
You dont like my ransomware but you want decrypt all files? you must pay for DECRYPT-KEY, it's only 20$
Recommended payments - Bitcoin , Litecoin , Etherum
If you are from polish you can pay via BLIK or Paysafecard
I F O R M A T I O N
YOU HAVE 24H TO PAY ME OR YOUR FILES GET DELETED ,- YOUR SYSTEM TOO! and hardware!'
The instructions shown as a desktop wallpaper are:
'!!!
Questions? - dupex876@gmail.com
you have 24h to pay us
we accept all crypto methods
For poland we have BLIK'
