SIFRELI Ransomware

At the end of October, malware researchers spotted a new data-encrypting Trojan out in the wild. They have given it the name SIFRELI Ransomware. It does not appear that this Trojan belongs to any of the known ransomware families. It seems that this ransomware threat targets users located in Turkey mostly. Furthermore, the word 'sifreli' in Turkish means' encrypted.'

Propagation and Encryption

It has not yet been revealed how the attackers are propagating the SIFRELI Ransomware. Among the most common methods are fraudulent application updates, torrent trackers, and pirated copies of popular software services. However, the most popular technique of distributing ransomware threats is via mass spam email campaigns. The emails in question would include a corrupted attachment that, once launched, would infect the user's system. The SIFRELI Ransomware makes sure to target a very long list of filetypes, which are very likely to be found on any normal user's computer. These would include .mp4, .mp3, .jpeg, .jpg, .doc, .docx, .ppt, .pptx, .pdf, .mov, .png, .gif files among countless others. Then, the SIFRELI Ransomware will use an encryption algorithm to lock all the files targeted. The SIFRELI Ransomware appends a '.SIFRELI' or '.SIFRELI_DOSYA' extension to all the locked file's names. For example, a file called 'little-pug.jpeg' will be renamed to 'little-pug.jpeg.SIFRELI' or 'little-pug.jpeg. SIFRELI_DOSYA' when this data-encrypting Trojan locks it.

The Ransom Note

In the next step of the attack, the SIFRELI Ransomware would drop its ransom note. The note's name is 'fidye-uyari.txt.' It is very concise and written in Turkish entirely. It does not mention what the ransom fee is. The attackers only ask the victim to contact them via email ‘sifremicoz@protonmail.com' and warn them to make sure to attach a file called 'bootTel.dat' to their message.

It is not a good idea to attempt to contact cybercriminals. They will attempt to extort you while promising that they will provide you with a decryption key that will unlock all the affected data. However, cyber crooks like the ones responsible for the SIFRELI Ransomware keep their promises rarely, and you are likely to be left empty-handed even if you pay the sum they demand. A much safer approach in this difficult situation is to remove the SIFRELI Ransomware from your computer using a genuine anti-malware application. Then, you can attempt to recover some of the locked files using a third-party data-recovery application, but the results may not be satisfactory.