'' Ransomware

By GoldSparrow in Ransomware

The '' Ransomware is an encryption ransomware Trojan first observed on February 22, 2019. It belongs to a family of ransomware Trojans that combines elements of two ransomware families, Crysis and Dharma (Dharma itself grew out of the Crysis code base, so the two are closely related). Malware researchers have observed variants in this family since fall 2018. Threats like the '' Ransomware use an encryption routine derived from the Crysis family and contact their Command and Control server with methods reminiscent of Dharma. The attack itself is typical of these threats: it takes the victim's files hostage and uses them as leverage to demand a ransom payment in exchange for the decryption key needed to restore the affected data.

How the '' Ransomware Attack Works

The '' Ransomware is initially delivered as an attachment to spam e-mail, typically a document carrying a malicious macro script that downloads and installs the '' Ransomware on the victim's computer. Once installed, it uses AES and RSA encryption to make the victim's files inaccessible, in the usual hybrid arrangement: file contents are encrypted with a symmetric AES key, and that key is in turn encrypted with the attackers' RSA public key, so it can only be recovered with the private key the attackers hold. It targets user-generated files, including media files, documents and other file types such as:

.jpg, .jpeg, .raw, .tif, .gif, .png, .bmp, .3dm, .max, .accdb, .db, .dbf, .mdb, .pdb, .sql, .dwg, .dxf, .cpp, .cs, .h, .php, .asp, .rb, .java, .jar, .class, .py, .js, .aaf, .aep, .aepx, .plb, .prel, .prproj, .aet, .ppj, .psd, .indd, .indl, .indt, .indb, .inx, .idml, .pmd, .xqx, .ai, .eps, .ps, .svg, .swf, .fla, .as3, .as, .txt, .doc, .dot, .docx, .docm, .dotx, .dotm, .docb, .rtf, .wpd, .wps, .msg, .pdf, .xls, .xlt, .xlm, .xlsx, .xlsm, .xltx, .xltm, .xlsb, .xla, .xlam, .xll, .xlw, .ppt, .pot, .pps, .pptx, .pptm, .potx, .potm, .ppam, .ppsx, .ppsm, .sldx, .sldm, .wav, .mp3, .aif, .iff, .m3u, .m4u, .mid, .mpa, .wma, .ra, .avi, .mov, .mp4, .3gp, .mpeg, .3g2, .asf, .asx, .flv, .mpg, .wmv, .vob, .m3u8, .dat, .csv, .efx, .sdf, .vcf, .xml, .ses, .qbw, .qbb, .qbm, .qbi, .qbr, .cnt, .des, .v30, .qbo, .ini, .lgb, .qwc, .qbp, .qba, .tlg, .qbx, .qby, .1pa, .qpd, .set, .iif, .nd, .rtp, .qsm, .qss, .qst, .fx0, .fx1, .mx0, .fpx, .fxr, .fim, .ptb, .pfb, .cgn, .vsd, .cdr, .cmx, .cpt, .csl, .cur, .dsf, .ds4, .drw, .prn, .pcd, .pct, .pcx, .plt, .rif, .tga, .tiff, .psp, .ttf, .wpg, .wi, .wmf, .cal, .cpx, .shw, .clk, .cdx, .cdt, .fmv, .img, .gem, .xcf, .pic, .mac, .met, .pp4, .pp5, .ppf, .nap, .pat, .sct, .wk3, .wk4, .xpm, .zip, .rar.

The '' Ransomware renames each encrypted file by appending '.id-1E857D00.[].AYE' to its name. This follows the naming pattern the family uses: an eight-character hexadecimal victim ID (1E857D00 here, the same ID the ransom note asks the victim to quote), the attackers' contact e-mail address in square brackets, and a final extension. The original file name and extension are left intact in front of the appended suffix, which is what makes the renamed files easy to recognise during triage. The '' Ransomware then delivers a ransom note in the form of an HTA file named '' and a text file named 'FILES ENCRYPTED.tx' dropped on the infected computer's desktop. The ransom note contains the following message:

'All your files have been encrypted!
All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail
Write this ID in the title of your message [user ID]
In case of no answer in 24 hours write us to these e-mails:
You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files.'
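The renaming scheme above is the quickest indicator an incident responder has for scoping an infection. The following script, added here as an editor's example and not code from the original page or from the malware, parses file names of the form '<original>.id-<8 hex digits>.[<contact>].<suffix>' and summarises a directory listing by victim ID, contact address and the original extensions that were hit. The sample listing is constructed: the ID and suffix come from the page, while the contact address is a placeholder standing in for the one the page elides.

```python
import os
import re
from collections import defaultdict
from typing import NamedTuple, Optional

# Naming pattern this family applies to each encrypted file, as shown on the page:
#   <original name>.id-<8 hex digits>.[<contact e-mail>].<suffix>
# The contact address is elided on the page ("[]"), so an empty bracket pair is accepted.
ENCRYPTED_NAME = re.compile(
    r"^(?P<original>.+?)"                    # untouched original name, extension included
    r"\.id-(?P<victim_id>[0-9A-Fa-f]{8})"    # per-victim ID quoted in the ransom note
    r"\.\[(?P<contact>[^\]]*)\]"             # attackers' contact address in brackets
    r"\.(?P<suffix>[A-Za-z0-9]+)$"           # final extension (".AYE" on this page)
)


class EncryptedName(NamedTuple):
    original: str
    victim_id: str
    contact: str
    suffix: str


def parse_encrypted_name(name: str) -> Optional[EncryptedName]:
    """Return the parsed components if `name` carries the family's suffix, else None."""
    m = ENCRYPTED_NAME.match(os.path.basename(name))
    if m is None:
        return None
    return EncryptedName(m["original"], m["victim_id"], m["contact"], m["suffix"])


def triage(names) -> dict:
    """Summarise a listing: how many files were renamed, which victim IDs and
    contact addresses appear, and which original extensions were hit."""
    hits = [p for p in map(parse_encrypted_name, names) if p is not None]
    by_id = defaultdict(int)
    for h in hits:
        by_id[h.victim_id] += 1
    return {
        "encrypted": len(hits),
        "untouched": len(names) - len(hits),
        "victim_ids": dict(by_id),
        "contacts": sorted({h.contact for h in hits if h.contact}),
        "suffixes": sorted({h.suffix for h in hits}),
        "original_extensions": sorted({os.path.splitext(h.original)[1].lower() for h in hits}),
    }


# Constructed sample listing (not real artefacts): ID and suffix are taken from the page,
# the contact address is a placeholder for the one the page elides.
SAMPLE_LISTING = [
    "budget.xlsx.id-1E857D00.[].AYE",
    "photo.jpg.id-1E857D00.[].AYE",
    "thesis.docx.id-1E857D00.[victim-contact@example.com].AYE",
    "archive.tar.gz.id-1E857D00.[].AYE",
    "FILES ENCRYPTED.txt",
    "notes.txt",
]

if __name__ == "__main__":
    for name in SAMPLE_LISTING:
        print(name, "->", parse_encrypted_name(name))
    print(triage(SAMPLE_LISTING))
```

Because the original name survives in front of the suffix, the same parser yields the list of files to restore from backup once the machine is cleaned; grouping by victim ID also shows whether more than one infected host wrote into a shared folder, since each host gets its own ID.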

Protecting Your Data from Threats Like the '' Ransomware

The best protection against threats like the '' Ransomware is to have backup copies of your data. Being able to restore any compromised files from a backup means the criminals lose the leverage they hold over the victim at the moment of the attack. Two caveats matter in practice: the backups must be kept out of reach of the infected machine (offline, or on storage the user account cannot write to), because files on attached disks and mapped network shares are within reach of the same process that encrypts the local drive, and a restore point is only useful if it was taken before the encryption ran, so restores should be tested rather than assumed. Since this threat arrives as a macro in an e-mail attachment, blocking macros in documents received from the Internet removes its initial foothold. Apart from backups, it is important to have a dedicated security program that is fully up to date, which can intercept the '' Ransomware before it carries out its attack.
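Checking that a restore point actually predates the encryption is the step most often skipped. The following check, added here as an editor's example and not code from the original page, walks a backup directory and flags three things: the dropped ransom note, files whose leading bytes no longer match what their extension promises (AES output never starts with a PNG or PDF header), and files with the near-random byte distribution of ciphertext. The magic-byte table, the entropy threshold and the sample tree are the editor's assumptions, and the sample files are constructed, with random bytes standing in for ciphertext.

```python
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Leading bytes expected for some of the file types listed on this page. Encrypted
# content never starts with them, so a mismatch on a file that still carries its
# original extension is a strong sign its content was replaced. (Editor's table.)
MAGIC = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".gif": b"GIF8",
    ".pdf": b"%PDF",
    ".zip": b"PK\x03\x04",
    ".docx": b"PK\x03\x04",
    ".xlsx": b"PK\x03\x04",
    ".pptx": b"PK\x03\x04",
    ".rar": b"Rar!",
}
# Already-compressed media looks random too, so entropy alone cannot judge these.
ALREADY_COMPRESSED = {".mp3", ".mp4", ".mpeg", ".mpg", ".avi", ".wmv", ".3gp", ".flv", ".mov"}
ENTROPY_THRESHOLD = 7.5   # bits per byte (assumed); well-mixed ciphertext sits close to 8.0
SAMPLE_BYTES = 65536      # only the head of each file is read


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of `data`; 0.0 for empty input, 8.0 for a uniform byte distribution."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(head: bytes, ext: str) -> bool:
    """Content-only verdict: header mismatch for known formats, entropy for the rest."""
    ext = ext.lower()
    magic = MAGIC.get(ext)
    if magic is not None:
        return not head.startswith(magic)
    if ext in ALREADY_COMPRESSED:
        return False   # undecidable from content alone; rely on a name-based check instead
    return shannon_entropy(head) > ENTROPY_THRESHOLD


def verify_backup(root) -> dict:
    """Walk a restore point and return the files that look encrypted or are ransom notes."""
    checked, suspect = 0, []
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        checked += 1
        rel = str(path.relative_to(root))
        # The note the page names ('FILES ENCRYPTED.tx'); a prefix match covers the spelling.
        if path.name.lower().startswith("files encrypted"):
            suspect.append(rel)
            continue
        with open(path, "rb") as f:
            head = f.read(SAMPLE_BYTES)
        if looks_encrypted(head, path.suffix):
            suspect.append(rel)
    return {"checked": checked, "suspect": sorted(suspect)}


def make_sample_tree(root) -> None:
    """Constructed restore point (not real artefacts): two clean files, two whose content
    was replaced by random bytes standing in for ciphertext, and a dropped note."""
    root = Path(root)
    (root / "good.png").write_bytes(MAGIC[".png"] + b"\x00" * 200)
    (root / "notes.txt").write_bytes(b"quarterly notes\n" * 40)
    (root / "report.pdf").write_bytes(os.urandom(512))                    # header destroyed
    (root / "budget.xlsx.id-1E857D00.[].AYE").write_bytes(os.urandom(4096))
    (root / "FILES ENCRYPTED.txt").write_bytes(b"All your files have been encrypted!\n")


def run_demo() -> dict:
    with tempfile.TemporaryDirectory() as tmp:
        make_sample_tree(tmp)
        return verify_backup(tmp)


if __name__ == "__main__":
    print(run_demo())
```

A restore point that returns any suspect entry was taken after the infection started and should not be trusted as a whole; the content check is deliberately separate from the file-name check so that it still catches encrypted files whose names were later normalised or copied without their suffix.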