
SorryForThis Ransomware

By GoldSparrow in Ransomware

Cybercriminals from all over the world keep developing and distributing ransomware threats. Even individuals with little skill and almost no experience in the field of cybercrime can try their luck with a ransomware threat, because it is very easy to get hold of the code of already existing data-encrypting Trojans and alter it to their liking. One of the newest file-locking Trojans spotted in the wild is called the SorryForThis Ransomware.

The Authors Have Likely Used a Free Ransomware Builder

Upon dissecting the SorryForThis Ransomware, malware researchers concluded that the authors of this threat have likely used a free ransomware builder. These builders are available online and make it much easier for shady individuals to create data-encrypting Trojans without too much effort. The researchers came to this conclusion after spotting stark similarities between this ransomware threat and two other variants dubbed Cyclone Ransomware and Noblis Ransomware. All three ransomware threats appear to have very similar code and design.

Propagation and Encryption

It is not clear exactly how the SorryForThis Ransomware is being distributed. Some speculate that the creators of the SorryForThis Ransomware are utilizing mass spam email campaigns to spread this threat. This is likely the most common technique of spreading ransomware threats. The emails in question often contain a corrupted attachment that the user is urged to open. Upon opening the attached file, the users will trigger the execution of the bad code it carries and infect their PCs. There are other infection vectors that can be used to distribute ransomware threats, such as bogus software updates, torrent trackers, and pirated copies of popular applications.

Data-locking Trojans make sure to cause enough damage to the compromised host that the user will consider paying the ransom fee demanded. This is why they often target a very long list of file types, as this increases their chances of being paid. The SorryForThis Ransomware will scan the system looking for the targeted file types, and once they have been located, the threat will begin its encryption process. All the encrypted files will likely be given an additional extension at the end of their file names.

The Ransom Note

After the encryption process is through, the SorryForThis Ransomware will present the user with its ransom note, which pops up in a new window. The background of the window is red, and the note states, "YOUR FILES HAVE BEEN ENCRYPTED!" The attackers claim to have used the AES-256 encryption algorithm. They state that the victim needs to pay a ransom fee in exchange for a decryption key, which will supposedly unlock all the affected files. The ransom fee mentioned is 0.08 Bitcoin (approximately $740 at the time of typing this post). The attackers also appear to have set a 24-hour deadline and claim that unless the ransom fee is paid within this timeframe, they will destroy the decryption key, which the victim needs to unlock their data.

We would advise you against working with cyber crooks. They do not tend to keep their promises, and you may never receive the promised decryption key even if you pay the hefty sum demanded. You should consider downloading and installing a reputable anti-virus software suite, which will not only help you remove the SorryForThis Ransomware from your system but keep your computer safe in the future.

