Snwd Ransomware

Snwd Ransomware Description

The Snwd Ransomware is a variant from the threatening Dharma family. Cybercriminals use the threat to lock their victims' data with a strong encryption algorithm. Ransomware threats typically affect numerous important file types, such as documents, archives, databases, PDFs, etc. The goal of the attackers is to lock important private or corporate files and then extort the victims for money.

Being a Dharma variant, the Snwd Ransomware follows the typical behavior of threats from this family. It heavily modifies the names of the affected files. First, it adds an ID generated specifically for the victim. Second, an email address under the control of the hackers is appended. Finally, the encrypted file carries the '.snwd' extension. Two ransom notes are delivered to the breached system: one displayed in a pop-up window and one inside a text file named 'info.txt'.
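A defender triaging a host can use the renaming scheme described above as a detection signal. The following is an added example, not code from the original page or from any vendor; it assumes the general Dharma layout '<original>.id-<8 hex digits>.[<email>].snwd', since the page only states that an ID and an email are appended before the '.snwd' extension, and the file names it scans are constructed samples.

```python
import re
from dataclasses import dataclass

# Assumed layout (general Dharma convention; the page only says an ID and an
# e-mail are appended before '.snwd'): <original>.id-<8 hex>.[<email>].snwd
SNWD_NAME_RE = re.compile(
    r"^(?P<original>.+?)\.id-(?P<victim_id>[0-9A-Fa-f]{8})"
    r"\.\[(?P<email>[^\]\s@]+@[^\]\s@]+)\]\.snwd$"
)
# Contact addresses quoted in the ransom notes on this page.
KNOWN_EMAILS = {"snowwind@tutanota.com", "snowwind@msgsafe.io"}

@dataclass(frozen=True)
class SnwdHit:
    name: str
    original: str
    victim_id: str
    email: str
    known_email: bool  # address from the note, not just a pattern match

def parse_snwd_name(name: str) -> "SnwdHit | None":
    """Return a hit if `name` follows the assumed Snwd renaming scheme."""
    m = SNWD_NAME_RE.match(name)
    if not m:
        return None
    email = m["email"].lower()
    return SnwdHit(name, m["original"], m["victim_id"].upper(),
                   email, email in KNOWN_EMAILS)

def scan_names(names):
    """Keep only the names that were renamed by the threat."""
    return [h for h in map(parse_snwd_name, names) if h is not None]

def victim_ids(hits):
    """Dharma generates one ID per victim, so a single host should show one
    ID; several IDs usually mean files from other infected hosts (a share)."""
    return {h.victim_id for h in hits}

# Constructed sample directory listing, not real telemetry.
SAMPLE_NAMES = [
    "budget.xlsx.id-1A2B3C4D.[snowwind@tutanota.com].snwd",
    "contract.pdf.id-1a2b3c4d.[SnowWind@msgsafe.io].snwd",
    "backup.zip.id-1A2B3C4D.[other@example.com].snwd",
    "info.txt",          # the ransom note itself is not renamed
    "notes.docx",        # untouched file
    "archive.snwd.bak",  # '.snwd' is not the final extension: not a hit
]
```

Running `scan_names(SAMPLE_NAMES)` yields three hits sharing one victim ID, two of them carrying an address from the ransom notes.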

Ransom Note's Overview

The message found inside the text file is extremely short and lacks most of the typical details, such as the amount of the ransom demanded by the threat actors and whether the funds must be transferred in a specific cryptocurrency. Instead, affected users are simply told to contact the two provided email addresses to receive additional instructions. While a bit longer, the ransom note shown in the pop-up window is not much more useful. It reiterates the same two email addresses, 'snowwind@tutanota.com' and 'snowwind@msgsafe.io,' and concludes with various warnings. Users are told that attempts to unlock the files with third-party programs could damage the data and make it unrecoverable.

The text delivered via the 'info.txt' file is:

'all your data has been locked us
You want to return?
write email snowwind@tutanota.com or snowwind@msgsafe.io'

The ransom note in the pop-up window is:

'YOUR FILES ARE ENCRYPTED
1024
Don't worry, you can return all your files!
If you want to restore them, write to the mail: snowwind@tutanota.com YOUR ID -
If you have not answered by mail within 12 hours, write to us by another mail:snowwind@msgsafe.io
ATTENTION!
We recommend you contact us directly to avoid overpaying agents
Do not rename encrypted files.
Do not try to decrypt your data using third party software, it may cause permanent data loss.
Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.
'