SHTORM is a type of ransomware that encrypts files on infected computers and demands payment in exchange for a decryption key. The first instances of SHTORM were detected in 2019, and it has since been responsible for numerous attacks worldwide. The SHTORM Ransomware belongs to the Phobos Ransomware family of threats.
Table of Contents
How the SHTORM Ransomware Enters a Computer
The SHTORM Ransomware is typically delivered via torrent websites, compromised emails, unsafe advertisements or vulnerabilities in software on the victim's computer. Once installed, it will scan the computer for specific file types to encrypt, such as documents, images, and archives. The encrypted files are renamed with a unique extension, '.SHTORM', and two ransom notes named info.hta and info.txt are left in each folder that contains encrypted files.
The Ransom Note Delivered by the SHTORM Ransomware
The ransom note typically contains instructions on how to pay the ransom, which is usually demanded in Bitcoin or another cryptocurrency. It also provides the means to contact the attackers to negotiate the ransom fee, in this case the addresses firstname.lastname@example.org (Email), @Stop_24 (Telegram), Tox messenger.
Like other types of ransomware, SHTORM can cause significant disruption and financial losses for businesses and individuals. Therefore, it is essential to take steps to prevent infection, such as keeping software up-to-date, using strong passwords, and being cautious when opening emails and attachments from unknown senders. Additionally, it is recommended to regularly back up crucial files and keep them stored in a secure location in case of a ransomware attack.
How to React in case of an infection with the SHTORM Ransomware
If your computer becomes infected with the SHTORM Ransomware, the first step is to disconnect it from the Internet right away. This will prevent any further spread of the infection and stop additional data from being encrypted. You should also run an anti-malware scan on your system to detect any malicious files that could have been used in the attack.
Once you are sure that your system is no longer connected to the Internet, try to identify which files were encrypted by SHTORM. If possible, back up these encrypted files onto an external storage device or cloud storage service so that you do not lose them completely if you decide not to pay the ransom demand.
You should never attempt to pay a ransom demand as there is no guarantee that you will receive a decryption key or even unlock all your encrypted files after paying. Instead, contact a security expert who can help assess the situation and provide advice on how best to proceed. They may be able to recover your files without paying the ransom.
The following is the info.txt ransom note presented by the SHTORM Ransomware to its victims:
'All your files have been encrypted!
All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail email@example.com
Write this ID in the title of your message 9ECFA84E-3351
If you do not receive a response within 24 hours, please contact us by Telegram.org account: @Stop_24
Or write us to the TOX messenger: 0DDF76854C8F9E3287F5EC09E4A3533E416F087BC4F7FEFD330277288F96575DFE950C3168DD
You can download TOX messenger here hxxps://tox.chat/
You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the tool that will decrypt all your files.
Free decryption as guarantee
Before paying you can send us up to 3 files for free decryption. The total size of files must be less than 4Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.)
How to obtain Bitcoins
The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price.
Also you can find other places to buy Bitcoins and beginners guide here:
Do not rename encrypted files.
Do not try to decrypt your data using third party software, it may cause permanent data loss.
Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.'
The info.hta ransom message reads:
'!!!All of your files are encrypted!!!
To decrypt them send e-mail to this address: firstname.lastname@example.org.
If we don't answer in 24h, send messge to telegram: @Stop_24
Or write us to the TOX messenger: 0DDF76854C8F9E3287F5EC09E4A3533E416F087BC4F7FEFD330277288F96575DFE950C3168DD'