Sekhmet Ransomware

Cybersecurity researchers have uncovered a new ransomware threat called the Sekhmet Ransomware. Many cybercriminals opt to distribute ransomware threats like the Sekhmet Ransomware because they are perceived as an easy way to make a buck.

Propagation and Encryption

The Sekhmet Ransomware may be propagated with the help of spam emails. Authors of ransomware threats often use fake emails to spread their threatening creations. They would send the user an email that contains a bogus attached file, and a fraudulent message that would try to convince the user to open the attachment. What may appear as a harmless document can be a corrupted macro-laced file, so users need to be very careful when they receive an email from an unknown source. Some other commonly used propagation methods include fake application downloads and updates, torrent trackers, malvertising, etc. The Sekhmet Ransomware is very likely to target a wide variety of filetypes, as more encrypted files mean a higher chance for the attackers to be paid. The Sekhmet Ransomware would encrypt securely all the documents, images, audio files, videos, spreadsheets, archives, databases, presentations, and other filetypes that are present on the compromised computer. Once the Sekhmet Ransomware locks a targeted file, it also will change its filename. The Sekhmet Ransomware adds a new extension to all the locked files. The Sekhmet Ransomware generates a unique extension for each affected user. It would appear that this data-locking Trojan uses both lowercase and uppercase letters when generating an extension. For example, it could append the ‘.hALioS’ extension to all the locked files. This means that a file called ‘ivory-tiles.mp3’ originally will be renamed to ‘ivory-tiles.mp3.hALioS.’

The Ransom Note

The Sekhmet Ransomware would drop a note that contains the ransom message of the attackers on the user’s system – ‘RECOVER-FILES.txt.’ In the ransom note, the attackers state that unless the victim pays for a decryption key, they will be unable to recover their data. Then, the creators of the Sekhmet Ransomware instruct users on how to install the Tor Web browser – the only portal that will allow them to enter the Deep Web, which is where the page of the attackers is hosted. The user is required to enter the attackers’ page to contact them. For users who struggle to do so, the creators of the Sekhmet Ransomware have added a regular website – ‘Sekhmet.top.’

The long Sekhmet Ransomware ransom note reads like the following:

-----
| Attention! |
-----
Your company network has been hacked and breached. We downloaded confidential and private data.
In case of not contacting us in 3 business days this data will be published on a special website available for public view.
Also we had executed a special software that turned files, databases and other important data in your network into an encrypted state using RSA-2048 and ChaCha algorithms.
A special key is required to decrypt and restore these files. Only we have this key and only we can give it to you with a reliable decryption software.
-----
| How to contact us and be safe again |
-----
The only method to restore your files and be safe from data leakage is to purchase a private key which is unique for you and securely stored on our servers.
After the payment we provide you with decryption software that will decrypt all your files, also we remove the downloaded data from your network and never post any information about you.
There are 2 ways to directly contact us:
1) Using hidden TOR network:

a) Open our website: hxxps://sekhmet.top/1E857D009F862A38
b) Follow the instructions on this page
On this web site, you will get instructions on how to make a free decryption test and how to pay.
Also it has a live chat with our operators and support team.
-----------------------
|Questions and answers|
-----------------------
We understand you may have questions, so we provide here answers to the frequently asked questions.
====
Q: What about decryption guarantees?
A: You have a FREE opportunity to test a service by instantly decrypting for free 3 files from every system in your network.
If you have any problems our friendly support team is always here to assist you in a live chat.
====
====
Q: How can we be sure that after the payment data is removed and not published or used in any nefarious ways?
A: We can assure you, downloaded data will be securely removed using DoD 5220.22-M wiping standart.
We are not interested in keeping this data as we do not gain any profit from it. This data is used only to leverage you to make a payment and nothing more.
On the market the data itself are relatively useless and cheap.
Also we perfectly understand that using or publishing this data after the payment will compromise our reliable business operations and we are not interested in it.
====
====
Q: How did you get into the network?
A: Detailed report on how we did it and how to fix your vulnerabilities can be provided by request after the payment.
====
-----
This is techinal information we need to identify you correctly and give decryption key to you, do not redact!
---SEKHMET---
-
---SEKHMET---

The note warns victims of a breach in their network that was used to steal confidential data. The data will be published on the internet if payment isn’t made within three days. The data is locked and encrypted with RSA-2048 and ChaCha encryption algorithms. These algorithms can’t be broken and can only be unlocked if the victim pays a ransom to the criminals.

Victims have two ways to get in touch with attackers. The first is through their website, which requires Tor to open. The other is through another site targets can use if they can’t access the Tor website. These websites inform users of how they can pay for – and receive – the decryption tool. Victims are also offered the chance to decrypt one file for free as proof that the tool works. The last section of the note covers an FAQ that clarifies victims can have up to three encrypted files unlocked if they want. The criminals also claim they can offer a detailed report of how they managed to infect a system as soon as they receive payment.

Unfortunately, it is almost always impossible to recover lost data without assistance from cybercriminals. If the ransomware was still in the early stages of development and had flaws, security researchers could create a free decryption tool. Victims should never rely on such tools, though, and they should never rely on cybercriminals to follow through. Most people don’t receive the tools they are promised after making payment. Security researchers urge victims to not comply with the attacker’s demands.

The only way to securely restore an infected computer is through the use of file backups. Don’t forget to remove the Sekhmet ransomware from your computer as well to prevent further infections.

How Does Sekhmet Ransomware Get on Computers?

Ransomware, like Sekhmet, has several ways of getting on a computer. The most common infection methods are trojans, spam campaigns, illegal software cracking tools, fake software updates, and malicious download sites.

Trojan viruses are a kind of virus that causes chain infections (installing other viruses/malware). Spam campaigns involve attackers sending thousands of unsolicited emails in the hope that a small fraction of people falls for it. The emails contain malicious links or downloads that infect computers. Cracks are used to activate licensed products but may contain viruses instead. Fake software updates claim to update software but install malicious viruses instead. Malware could be downloaded unintentionally from an untrusted source, such as an unofficial third-party website or a peer-to-peer download network.

There is nothing concerning the ransom fee, but we can assure you that it will be no less than several hundred dollars.