RZA Ransomware

Despite lacking any significant improvements over its predecessors, the RZA Ransomware, a new variant belonging to the Dharma malware family, is nevertheless a threat that can lock users out of their own personal or business-related files. By running an encryption routine built on a strong cryptographic algorithm, the RZA Ransomware renders unusable the documents, PDFs, archives, databases, photos and other files stored on the compromised computer.

Each encrypted file is marked by a substantial change to its name. The threat first appends an ID assigned to the specific victim, followed by an email address under the attackers' control, and finally '.RZA' as a new file extension. The email address placed in the encrypted files' names is 'ghostdog@onionmail.org'.

When the threat has finished locking the files on the system, it proceeds to deliver its ransom notes. Victims are left with two versions of the ransom-demanding message: one is delivered via a text file named 'info.txt', while the main instructions are presented in a pop-up window.
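The rename pattern and the 'info.txt' drop described above are the two host-side markers a responder can look for. The following is an added example, not code from the original write-up or from the malware: it parses the element order the text gives (original name, victim ID, attacker address, '.RZA') and triages a file listing. The '.id-' prefix, the square brackets around the address and the 8-digit hexadecimal ID (matching the ID shown in the pop-up note) are assumptions, since the page only states the order of the elements.

```python
# Added example (not from the page or the malware): parse the Dharma-style
# rename the write-up describes -- <original>.<id>.<email>.RZA -- and triage
# a file listing. The '.id-' prefix and the square brackets around the
# address are assumptions; the page only gives the element order.
import re
from collections import Counter

RZA_NAME = re.compile(
    r"^(?P<original>.+?)\.id-(?P<victim_id>[0-9A-Fa-f]{8})"
    r"\.\[(?P<email>[^\]\s]+@[^\]\s]+)\]\.RZA$"
)
# Addresses quoted in the ransom note; anything else is worth a second look.
KNOWN_EMAILS = {"ghostdog@onionmail.org", "ghostdog@msgsafe.io"}
RANSOM_NOTE = "info.txt"


def parse_rza_name(name):
    """Return {'original', 'victim_id', 'email'} for an RZA-marked name, else None."""
    m = RZA_NAME.match(name)
    return m.groupdict() if m else None


def triage(names):
    """Summarise one host's file listing: number of marked files, victim IDs
    seen, attacker addresses not quoted in the note, whether info.txt is
    present, and the original names of the affected files. Nothing on disk
    is modified; the result only tells the responder what was hit."""
    marked = [mk for mk in map(parse_rza_name, names) if mk]
    return {
        "encrypted": len(marked),
        "victim_ids": dict(Counter(mk["victim_id"] for mk in marked)),
        "unexpected_emails": sorted({mk["email"] for mk in marked} - KNOWN_EMAILS),
        "note_present": any(n.lower() == RANSOM_NOTE for n in names),
        "originals": sorted(mk["original"] for mk in marked),
    }


if __name__ == "__main__":
    # Constructed sample listing; the ID is the one shown in the pop-up note.
    sample = [
        "budget.xlsx.id-1E857D00.[ghostdog@onionmail.org].RZA",
        "photo.jpg.id-1E857D00.[ghostdog@onionmail.org].RZA",
        "info.txt",
        "notes.txt",
    ]
    print(triage(sample))
```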

RZA Ransomware's Demands

Both notes delivered by the threat lack many vital details. They do not state the sum demanded by the hackers, nor whether payment must be made in one of the various cryptocurrencies. Ransomware operators usually allow their victims to send a couple of small files that are then decrypted for free; RZA's note does not mention such an offer, either.

It simply states that victims should first send a message to the 'ghostdog@onionmail.org' email address. If they do not receive an answer within 12 hours, affected users are told to contact the reserve address, 'ghostdog@msgsafe.io'. The rest of the ransom note consists of various warnings.

The full text of the message displayed in the pop-up window is:

'YOUR FILES ARE ENCRYPTED
GHOSTDOG

Don't worry, you can return all your files!
If you want to restore them, write to the mail: ghostdog@onionmail.org YOUR ID 1E857D00
If you have not answered by mail within 12 hours, write to us by another mail:ghostdog@msgsafe.io

ATTENTION!
We recommend you contact us directly to avoid overpaying agents

Do not rename encrypted files.
Do not try to decrypt your data using third party software, it may cause permanent data loss.
Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.'

In the 'info.txt' file, victims will find the following instructions:

'all your data has been locked us
You want to return?
write email ghostdog@onionmail.org or ghostdog@msgsafe.io
.'