
Sphinx Ransomware

Malware researchers have uncovered a new data-encrypting Trojan in search of new victims. This new threat was dubbed the Sphinx Ransomware. It does not appear that the Sphinx Ransomware belongs to any of the popular ransomware families.

Propagation and Encryption

The infection vector used to spread this Trojan is not yet known. Researchers believe that the creators of the Sphinx Ransomware may be relying on mass spam email campaigns. In that case, the targeted user receives an email carrying a fraudulent message and an attached file; the message's goal is to convince the user that the attachment is safe to open. The attachment is usually a macro-laced document, and enabling its macros lets the Sphinx Ransomware execute its payload. Other propagation methods commonly used for ransomware, such as fake application updates and torrent trackers, cannot be ruled out.

Once it has compromised a computer, the Sphinx Ransomware scans the user's data. This data-locking Trojan looks for the most popular file types, so photos, audio files, documents, videos, etc. will all be targeted. Next, it locks the targeted files by applying an encryption algorithm. When this Trojan encrypts a file, it also alters the file name by appending a '.sphinx' extension. As a result, a file named 'chewing-gums.jpeg' will be renamed to 'chewing-gums.jpeg.sphinx' once the Sphinx Ransomware's encryption process is through.

The Ransom Note

When the Sphinx Ransomware has locked all the data it was after, it drops its ransom note. The note is named 'HOW TO DECRYPT FILES.txt' and reads:

’// You are become victim of Sphinx ransomware!
[*] What Happened?
Your network is compromised and all your machines has been encrypted!
We have exploited your network vulnerabilities and encrypted all of your machines data with,
powerful hybrid cryptosystem, RSA-4096 and AES-256.
There is no way to break the encryption except with your network private key and special decryption software!
The only way to recover your data is buy them through our page on Hidden Network.
[*] How to Access Hidden Network?
1. Download Tor Browser - https://www.torproject.org/download/
2. Start it and wait for the load.
3. Visit link below with Tor Browser:
http://decrypt5bub45vpr.onion/7f6243f6ce9604fb762933bb4e72548e
4. Follow the instructions on our page.
[*] WARNING!
YOUR TIME TO PAY IS LIMITED TO 96 HOUR.
DON'T WASTE YOUR TIME TO SEARCH ON INTERNET, BEFORE OUR SERVICE REMOVE YOUR NETWORK PRIVATE KEY.
***
IF YOU DO NOT THINK ABOUT TO PAYMENT!
WE SELL YOU'R COMPANY'S PRIVATE DATA ON DARK MARKETS!
YOU CAN ASK US FOR PROOF ANY TIME!
***’

Cyber crooks often name their ransom notes in all caps, as that is more likely to attract the victim's attention. The operators do not state the ransom amount; instead, they direct the victim to a Tor-based payment page, which appears to be offline. They set a deadline of 96 hours after the attack, after which they claim the 'network private key' will be deleted. The wording of the note ('your network', 'your company's private data') indicates that the operators target organizations rather than home users, and the threat to sell stolen data on dark markets adds extortion by data leak on top of the encryption itself. The note also claims a hybrid RSA-4096/AES-256 scheme; if that claim is accurate, the encrypted files cannot be recovered without the attackers' private key.
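The two on-disk artifacts the article describes, files renamed with the '.sphinx' extension and the dropped 'HOW TO DECRYPT FILES.txt' note, are what an incident responder would sweep a machine for first. The following triage script is an added example written for this page; it is not the malware's code or anything published by its authors. It walks a directory tree, reports every renamed file together with its pre-attack name, and uses a byte-entropy heuristic to flag files that actually contain ciphertext. The entropy threshold of 7.5 bits per byte and the sample directory it builds are constructed assumptions, not observations of a real infection.

```python
"""Triage a directory tree for Sphinx Ransomware artifacts: files renamed with
'.sphinx' and the dropped note 'HOW TO DECRYPT FILES.txt'. Added example; the
sample tree is constructed inline and nothing here is the malware's own code."""
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

SPHINX_EXT = ".sphinx"                    # extension appended to encrypted files
RANSOM_NOTE = "HOW TO DECRYPT FILES.txt"  # name of the dropped ransom note
HIGH_ENTROPY = 7.5                        # assumed threshold (bits/byte) for "looks encrypted"


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; properly encrypted data sits close to 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def triage(root) -> dict:
    """Walk `root` and report renamed files (with their pre-attack names and
    entropy) plus every ransom note found. Entropy is a heuristic: a file can
    carry the extension yet still be plaintext if encryption was interrupted."""
    root = Path(root)
    encrypted, notes = [], []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if path.name == RANSOM_NOTE:
            notes.append(rel)
        elif path.suffix == SPHINX_EXT:
            entropy = shannon_entropy(path.read_bytes())
            encrypted.append({
                "path": rel,
                "original_name": path.name[:-len(SPHINX_EXT)],
                "entropy": round(entropy, 2),
                "looks_encrypted": entropy >= HIGH_ENTROPY,
            })
    return {"encrypted": encrypted, "notes": notes}


def build_sample_tree(root: Path) -> None:
    """Constructed sample data, not captured from a real infection."""
    (root / "photos").mkdir(parents=True, exist_ok=True)
    # Two renamed files filled with random bytes to stand in for ciphertext.
    (root / "photos" / "chewing-gums.jpeg.sphinx").write_bytes(os.urandom(4096))
    (root / "report.docx.sphinx").write_bytes(os.urandom(4096))
    # A file the Trojan did not touch, and one renamed but left as plaintext.
    (root / "notes.txt").write_text("quarterly numbers, nothing unusual\n" * 100)
    (root / "todo.txt.sphinx").write_text("buy milk\n" * 100)
    # The note is dropped at the top level, as the article describes.
    (root / RANSOM_NOTE).write_text("// You are become victim of Sphinx ransomware!\n")


def demo() -> dict:
    """Build the constructed tree in a temporary directory and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(Path(tmp))
        return triage(tmp)


if __name__ == "__main__":
    result = demo()
    print("ransom notes:", result["notes"])
    for entry in result["encrypted"]:
        print(entry)
```

Point `triage()` at a mounted image or a suspect share to get the list of affected files; the `original_name` field tells you what to restore from backup, and a renamed file whose `looks_encrypted` flag is false is worth inspecting by hand before it is written off as lost.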

Avoid any contact with the cybercriminals. Paying the ransom funds their future criminal activity, and there is no guarantee that they will send the decryption key needed to reverse the damage done to your data. Removing the Sphinx Ransomware with a reputable anti-malware solution stops it from encrypting further files, but it does not decrypt the files already locked; the reliable way to recover those is to restore them from offline backups taken before the infection.
