STAFS Ransomware

By GoldSparrow in Ransomware

Recently, malware experts have spotted a brand-new file-encrypting Trojan called the STAFS Ransomware. A growing number of cyber crooks are trying their hand at building ransomware, as spreading data-locking Trojans can prove to be a very profitable pursuit.

Propagation and Encryption

Upon uncovering the STAFS Ransomware, cybersecurity researchers dissected it and quickly realized that it is a variant of the wildly popular Dharma Ransomware. We are not aware of the exact propagation method the authors of the STAFS Ransomware have employed. Some experts speculate that the most common propagation techniques may be at play here, meaning the attackers have likely used mass spam email campaigns, fake application updates, and fake pirated variants of legitimate software tools to spread their creation.

Once the STAFS Ransomware manages to worm its way into your PC, it starts the attack with a brief scan meant to locate the data it was programmed to target. It then encrypts all the targeted files and changes their names, adding a '.id-.[porasa@qq.com].STAFS' extension at the end of each file name.

The Ransom Note

When the encryption process of the STAFS Ransomware is completed, this data-locking Trojan will drop its ransom note. The note is likely called 'info.hta', as this is the typical name used by Dharma Ransomware variants. The note does not mention the specific ransom fee that will be demanded from the victim. The authors of the STAFS Ransomware offer to unlock one file free of charge (as long as it does not exceed 1MB in size) so that the user is convinced that the attackers have a functioning decryption key. An email address is provided as a means of contacting the attackers: 'porsa@qq.com'.
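The renaming pattern and the note name described above can be turned into a triage check that scopes affected files and recovers their original names. This is an added example, not code from the original article: it assumes the ID after 'id-' is an opaque token without dots or brackets, captures whatever contact address sits in the brackets instead of hard-coding one, and runs on constructed sample file names.

```python
import os
import re
import tempfile

# Assumption: the ID after "id-" is an opaque token without dots or brackets.
STAFS_NAME = re.compile(
    r"^(?P<original>.+)\.id-(?P<victim_id>[^.\[\]]*)"
    r"\.\[(?P<contact>[^\[\]]+)\]\.STAFS$", re.IGNORECASE)
NOTE_NAME = "info.hta"  # note name the article calls typical for Dharma variants


def parse_name(filename):
    """Return (original_name, victim_id, contact) for a renamed file, else None."""
    m = STAFS_NAME.match(filename)
    return (m["original"], m["victim_id"], m["contact"]) if m else None


def triage(root):
    """Walk root; list renamed files (with original names) and ransom notes."""
    report = {"encrypted": [], "notes": [], "contacts": set(), "victim_ids": set()}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            rel = os.path.relpath(os.path.join(dirpath, name), root)
            parsed = parse_name(name)
            if parsed:
                original, victim_id, contact = parsed
                report["encrypted"].append((rel, original))
                report["contacts"].add(contact.lower())
                report["victim_ids"].add(victim_id)
            elif name.lower() == NOTE_NAME:
                report["notes"].append(rel)
    return report


def demo():
    """Triage a constructed tree of empty files; 'A1B2C3D4' is a made-up ID."""
    samples = ["docs/report.docx.id-A1B2C3D4.[porasa@qq.com].STAFS",
               "docs/archive.tar.gz.id-A1B2C3D4.[porasa@qq.com].stafs",
               "docs/untouched.txt", "info.hta"]
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "docs"))
        for rel in samples:
            open(os.path.join(root, *rel.split("/")), "w").close()
        return triage(root)


if __name__ == "__main__":
    print(demo())
```

`triage()` only reads directory listings, so it can be pointed at an offline copy or mounted image; the recovered original names help match encrypted files against backups.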

It is never advisable to contact cybercriminals like the ones behind the STAFS Ransomware. More often than not, they will not keep their promises but will take your money regardless. It is much safer to obtain a reputable anti-malware solution, which will not only remove the STAFS Ransomware from your computer safely but will also make sure you never find yourself in such a situation again.