
'' Ransomware

By GoldSparrow in Ransomware

The '' Ransomware is an encryption ransomware Trojan. Like most threats of this type, it is typically delivered through spam email attachments, often Microsoft Office documents with embedded macro scripts. The '' Ransomware installs itself in a hidden folder under the TEMP or APPDATA directory of the infected computer. Once installed, it encrypts the victim's files to make them inaccessible, the standard attack strategy of ransomware Trojans, and then attempts to extract a payment from the affected user in exchange for restoring the encrypted data.

The '' Ransomware and the Files It Targets

The '' Ransomware uses a strong encryption algorithm to make the victim's files inaccessible; the ransom note quoted below claims a 1024-bit RSA public key, but that is the attackers' own statement and has not been verified. Threats like the '' Ransomware tend to target user-generated files rather than the operating system, which may include files with the following extensions:

.jpg, .jpeg, .raw, .tif, .gif, .png, .bmp, .3dm, .max, .accdb, .db, .dbf, .mdb, .pdb, .sql, .dwg, .dxf, .cpp, .cs, .h, .php, .asp, .rb, .java, .jar, .class, .py, .js, .aaf, .aep, .aepx, .plb, .prel, .prproj, .aet, .ppj, .psd, .indd, .indl, .indt, .indb, .inx, .idml, .pmd, .xqx, .ai, .eps, .ps, .svg, .swf, .fla, .as3, .as, .txt, .doc, .dot, .docx, .docm, .dotx, .dotm, .docb, .rtf, .wpd, .wps, .msg, .pdf, .xls, .xlt, .xlm, .xlsx, .xlsm, .xltx, .xltm, .xlsb, .xla, .xlam, .xll, .xlw, .ppt, .pot, .pps, .pptx, .pptm, .potx, .potm, .ppam, .ppsx, .ppsm, .sldx, .sldm, .wav, .mp3, .aif, .iff, .m3u, .m4u, .mid, .mpa, .wma, .ra, .avi, .mov, .mp4, .3gp, .mpeg, .3g2, .asf, .asx, .flv, .mpg, .wmv, .vob, .m3u8, .dat, .csv, .efx, .sdf, .vcf, .xml, .ses, .qbw, .qbb, .qbm, .qbi, .qbr, .cnt, .des, .v30, .qbo, .ini, .lgb, .qwc, .qbp, .qba, .tlg, .qbx, .qby, .1pa, .qpd, .set, .iif, .nd, .rtp, .qsm, .qss, .qst, .fx0, .fx1, .mx0, .fpx, .fxr, .fim, .ptb, .pfb, .cgn, .vsd, .cdr, .cmx, .cpt, .csl, .cur, .dsf, .ds4, .drw, .prn, .pcd, .pct, .pcx, .plt, .rif, .tga, .tiff, .psp, .ttf, .wpg, .wi, .wmf, .cal, .cpx, .shw, .clk, .cdx, .cdt, .fmv, .img, .gem, .xcf, .pic, .mac, .met, .pp4, .pp5, .ppf, .nap, .pat, .sct, .wk3, .wk4, .xpm, .zip, .rar.

The '' Ransomware renames each encrypted file by appending the '.protected' extension to the file's original name, so that the original extension remains visible before the new one.

The '' Ransomware's Curious Ransom Demand

The '.protected' extension fits the '' Ransomware's tactic. Rather than openly demanding a ransom, as most encryption ransomware Trojans do, the '' Ransomware claims to have encrypted the victim's files as part of a paid security service associated with Protonmail, an email service provider. The message is dropped on the infected computer's desktop as a text file named 'SECURITY-ISSUE-INFO.t' and reads as follows:

Your SERVER was tried to be attacked by an outsider.
Immediatly change your password, use a minimum of 8 characters in length.
All your personal files was encrypted with RSA public key (1024 bit) to SAVE them from a third party persons.
Now they are ENCRYPTED and SAFE!
To RESTORE all your files back immediatly, follow this few simple steps:
1) Our SECURE-SERVER service charge a payment for file decryption and preventing damage of your SERVER by 3th party persons;
2) After your SUCCESSFUL payment, write us an E-MAIL with your unique SERVER-ID and Payment ID;
3) Receive an DECRYPTION TOOL from us back to your E-MAIL;
4) Run the tool on your SERVER and safe-decrypt all your files back to NORMAL state.
We STRONGLY RECOMMEND you NOT to use any other decryption tool, files will be LOST! Only our DECRYPTION TOOL can turn back your files.
We guarantee:
100% Successful restoring all of your files
100% Satisfaction guarantee
100% Safe and secure service
As a proof, you can send us 1 file and we will DECRYPT it for free and send it back to you.
Payment type: Bitcoin
Summ: $780
Our wallet: 18LCfKRDDVmQeWK5Pvqy3HgrEQqBrDtGvG
[redacted 0x200 bytes in base64]
For any questions, write us:

There is, of course, no truth to these statements: the 'security service' framing is only a pretext, and the files were encrypted by the attackers themselves. Contacting the criminals responsible for the '' Ransomware attack or paying the ransom is usually a waste of effort and money, since payment does not guarantee that a working decryption tool is ever delivered. The reliable way to recover the files is to remove the threat and restore the affected data from backups that were not reachable from the infected computer.
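As an added example (not code from the original page or from the threat's author), the following Python script performs the host triage that the '.protected' renaming and the desktop ransom note described above make possible: it walks a directory tree, recovers the original extension of each renamed file, checks those extensions against a subset of the target list above, and looks for the ransom note both by its name prefix and by phrases taken from the text quoted above. The function names, the extension subset, the assumed full note name 'SECURITY-ISSUE-INFO.txt' (the page shows it truncated, so matching is done on the prefix) and the constructed sample tree used for the dry run are assumptions, not details from the page.

```python
"""Triage a host for the '.protected' renaming and the ransom note described above.

Added example; not code from the original page or from the threat's author.
Assumptions not taken from the page: the function names, the use of a subset
of the listed target extensions, the full note file name
'SECURITY-ISSUE-INFO.txt' (matching is on the prefix), and the constructed
sample tree used by run_demo().
"""
import shutil
import tempfile
from collections import Counter
from pathlib import Path

RANSOM_EXTENSION = ".protected"
NOTE_NAME_PREFIX = "SECURITY-ISSUE-INFO"  # assumption: match on the prefix only

# Subset of the extensions the page lists as targeted; extend with the full
# list for real use (assumption: a subset is enough to flag the pattern).
TARGETED_EXTENSIONS = {
    ".jpg", ".jpeg", ".png", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx",
    ".pdf", ".txt", ".rtf", ".sql", ".mdb", ".accdb", ".psd", ".ai", ".dwg",
    ".cpp", ".cs", ".java", ".py", ".js", ".php", ".zip", ".rar", ".csv",
    ".xml", ".qbw", ".qbb", ".mp3", ".wav", ".mp4", ".avi", ".mov",
}

# Phrases copied from the ransom note quoted on the page; any one of them in a
# file whose name starts with NOTE_NAME_PREFIX counts as a note hit.
NOTE_MARKERS = (
    "Your SERVER was tried to be attacked by an outsider",
    "SECURE-SERVER service",
    "18LCfKRDDVmQeWK5Pvqy3HgrEQqBrDtGvG",  # Bitcoin wallet from the note
)


def triage(root):
    """Walk `root` and summarise evidence of this ransomware's activity.

    Returns the count of '.protected' files, a histogram of the original
    extensions recovered by stripping '.protected', which of those are on
    the targeted list, the ransom notes found, and an overall verdict.
    """
    root = Path(root)
    original_exts = Counter()
    encrypted_count = 0
    notes = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        name = path.name
        if name.lower().endswith(RANSOM_EXTENSION):
            encrypted_count += 1
            # 'report.docx.protected' -> original 'report.docx' -> '.docx'
            original_name = name[: -len(RANSOM_EXTENSION)]
            original_exts[Path(original_name).suffix.lower()] += 1
        elif name.upper().startswith(NOTE_NAME_PREFIX):
            try:
                text = path.read_text(errors="replace")
            except OSError:
                continue
            hits = [marker for marker in NOTE_MARKERS if marker in text]
            if hits:
                notes.append({"path": str(path), "markers": hits})
    targeted_hits = {ext: n for ext, n in original_exts.items()
                     if ext in TARGETED_EXTENSIONS}
    return {
        "encrypted_count": encrypted_count,
        "original_extensions": dict(original_exts),
        "targeted_extension_hits": targeted_hits,
        "notes": notes,
        # Verdict: renamed files plus either a note or targeted extensions.
        "likely_infected": encrypted_count > 0 and (bool(notes) or bool(targeted_hits)),
    }


def build_sample_victim_tree(base):
    """Create a constructed sample tree (not real victim data) under `base`."""
    base = Path(base)
    docs = base / "Documents"
    docs.mkdir(parents=True, exist_ok=True)
    for name in ("report.docx.protected", "budget.xlsx.protected",
                 "photo.JPG.protected", "untouched.txt"):
        (docs / name).write_bytes(b"\x00" * 16)  # placeholder content
    desktop = base / "Desktop"
    desktop.mkdir(parents=True, exist_ok=True)
    (desktop / "SECURITY-ISSUE-INFO.txt").write_text(
        "Your SERVER was tried to be attacked by an outsider.\n"
        "Our wallet: 18LCfKRDDVmQeWK5Pvqy3HgrEQqBrDtGvG\n"
    )
    return base


def run_demo():
    """Build the sample tree in a temporary directory, triage it, clean up."""
    tmp = tempfile.mkdtemp(prefix="protected-triage-")
    try:
        build_sample_victim_tree(tmp)
        return triage(tmp)
    finally:
        shutil.rmtree(tmp, ignore_errors=True)


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Run `triage()` against a user profile or a mounted disk image rather than the whole file system to keep the walk fast; the original-extension histogram is the quickest way to tell this family's renaming pattern apart from one that replaces the original extension, and the note markers survive even if the note's file name was changed.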
