SWIFT Ransomware
Researchers have discovered a novel ransomware threat named the SWIFT Ransomware, which poses a significant risk to the security of victims' data. This threatening software utilizes a robust encryption algorithm, rendering a wide array of files completely inaccessible. Notably, the SWIFT Ransomware goes beyond mere encryption, as it actively alters the filenames of affected files, changes the desktop wallpaper on the compromised system, and generates a ransom note titled '#SWIFT-Help.txt.'
The file renaming process involves appending the email address 'swift_1@tutamail.com' and a '.SWIFT' extension to the original filenames. For instance, a file originally named '1.png' would be transformed into '1.png.[swift_1@tutamail.com].SWIFT,' and similarly, '2.pdf' would become '2.pdf.[swift_1@tutamail.com].SWIFT,' and so on. This naming scheme marks the files that have been encrypted by the ransomware.
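The renaming scheme above is predictable, which is useful during incident response: an affected file's original name can be recovered from its new name, so restores from backup can be mapped file by file. The following triage script is an added example (not code from the original write-up or from any vendor); it parses SWIFT-style filenames, walks a directory tree, and reports encrypted files, the contact address embedded in their names, and any copies of the '#SWIFT-Help.txt' note. The sample directory it builds is constructed for the demonstration and contains no real malware.

```python
import re
import tempfile
from pathlib import Path

# Filename layout described in the write-up: <original name>.[<email>].SWIFT
SWIFT_NAME_RE = re.compile(r"^(?P<original>.+)\.\[(?P<email>[^\]]+)\]\.SWIFT$")
RANSOM_NOTE_NAME = "#SWIFT-Help.txt"


def parse_swift_name(filename: str):
    """Return (original_name, email) if the name follows the SWIFT scheme, else None."""
    m = SWIFT_NAME_RE.match(filename)
    if not m:
        return None
    return m.group("original"), m.group("email")


def triage_directory(root: Path) -> dict:
    """Walk a tree and collect renamed files, their original names, and ransom-note paths."""
    report = {"encrypted": [], "notes": [], "emails": set()}
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        if path.name == RANSOM_NOTE_NAME:
            report["notes"].append(str(path))
            continue
        parsed = parse_swift_name(path.name)
        if parsed:
            original, email = parsed
            report["encrypted"].append((str(path), original))
            report["emails"].add(email)
    return report


def build_sample_tree(base: Path) -> Path:
    """Constructed sample layout mimicking the post-infection state described above."""
    docs = base / "Documents"
    docs.mkdir(parents=True, exist_ok=True)
    (docs / "1.png.[swift_1@tutamail.com].SWIFT").write_bytes(b"\x00" * 16)
    (docs / "2.pdf.[swift_1@tutamail.com].SWIFT").write_bytes(b"\x00" * 16)
    (docs / "untouched.txt").write_text("not encrypted")
    (docs / RANSOM_NOTE_NAME).write_text("~ SWIFT ~ (constructed placeholder note)")
    return base


def run_sample_triage() -> dict:
    """Build the constructed sample in a temporary directory and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        return triage_directory(build_sample_tree(Path(tmp)))


if __name__ == "__main__":
    result = run_sample_triage()
    print(f"{len(result['encrypted'])} encrypted files, {len(result['notes'])} ransom notes")
    for enc, orig in result["encrypted"]:
        print(f"  {enc} -> originally '{orig}'")
```

Point `triage_directory` at a real volume to inventory the damage before restoring; the `original` names let you match each encrypted file against its backup copy.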
Further investigation by researchers has confirmed that the SWIFT Ransomware is a variant associated with the Proton malware family.
The SWIFT Ransomware Extorts Its Victims for Money
The ransom note produced by the SWIFT Ransomware starts by presenting the dire situation, explaining that the perpetrators have employed advanced encryption algorithms, specifically AES and ECC, to encrypt and pilfer all of the victim's files. The use of these algorithms is highlighted as making file recovery without the decryption service offered by the attackers virtually impossible.
Following this, the note outlines the steps necessary for recovery, emphasizing the attackers' financial motives. The cybercriminals propose a transaction where the victim can obtain decryption software and ensure data destruction by making a payment. To establish credibility, the group suggests sending a small, unimportant file (less than 1 MB) for decryption as a demonstration of their ability to fulfill their promises.
Contact details for communication are provided, including an email address (swift_1@tutamail.com) and Telegram ID (@swift_support). An alternative email address (swift@onionmail.com) is offered in case of a lack of response within 24 hours. The victim is instructed to include their ID in the email subject for identification purposes.
The note concludes with stern warnings against seeking assistance from data recovery companies, cautioning that such entities may exploit the situation for financial gain. Furthermore, the victim is strongly advised against delaying payment and cautioned against deleting or modifying encrypted files to avoid potential complications during the decryption process.
It is emphasized that paying ransoms is strongly discouraged, as it not only perpetuates criminal behavior but also does not guarantee the successful recovery of data. Victims are urged to explore alternative methods for dealing with ransomware attacks that do not involve giving in to the demands of the attackers.
How to Protect Your Data and Devices from Ransomware Threats?
To keep their data and devices safe from ransomware threats, users should adopt a comprehensive approach to cybersecurity. Here are five essential security measures that should be implemented on all devices:
Regular Backups:
- Ensure that regular backups of critical data are performed. Backups should be stored in an isolated environment, such as an external hard drive or a secure cloud service.
- Automate the backup process whenever possible to reduce the likelihood of forgetting to back up critical information.
Up-to-date Software and Security Patches:
- Keep operating systems and application software updated with the latest security patches.
- Regularly install updates to address vulnerabilities that cybercriminals may exploit.
- Enable automatic updates to ensure that security patches are applied promptly.
Use Robust Anti-Malware Solutions:
- Install reputable anti-malware software on all devices.
- Make sure that the security software is regularly updated to detect and defend against evolving ransomware threats.
- Execute regular scans to identify and eliminate potential malware on the device.
Exercise Caution with Email and Internet Usage:
- Be wary of phishing emails and unknown attachments. Avoid clicking on dubious links or downloading files from unverified sources.
- Use email filtering tools to detect and filter out potentially harmful emails. Keep yourself and your team educated about the signs of phishing attempts.
Implement User Education and Awareness:
- Educate users about the risks associated with ransomware and the importance of cybersecurity hygiene. Promote strong password practices, including the use of unique passwords and Two-Factor Authentication (2FA) where possible.
- Encourage a culture of skepticism, where users check the legitimacy of requests for sensitive information or unexpected file downloads.
By incorporating these security measures into their routine practices, users can significantly enhance their defenses against ransomware threats. A multi-layered approach that combines regular backups, software updates, robust security solutions, cautious online behavior, and user education can collectively create a strong defense against the evolving landscape of cyber threats.
The ransom note dropped by the SWIFT Ransomware reads:
'~ SWIFT ~
What happened?
We encrypted and stolen all of your files.
We use AES and ECC algorithms.
Nobody can recover your files without our decryption service.
How to recover?
We are not a politically motivated group and we want nothing more than money.
If you pay, we will provide you with decryption software and destroy the stolen data.
What guarantees?
You can send us an unimportant file less than 1 MG, We decrypt it as guarantee.
If we do not send you the decryption software or delete stolen data, no one will pay us in future so we will keep our promise.
How to contact us?
Our email address: swift_1@tutamail.com
Our Telegram ID: @swift_support
In case of no answer within 24 hours, contact to this email: swift@onionmail.com
Write your personal ID in the subject of the email.
Your personal ID: -
Warnings!
Do not go to recovery companies, they are just middlemen who will make money off you and cheat you.
They secretly negotiate with us, buy decryption software and will sell it to you many times more expensive or they will simply scam you.
Do not hesitate for a long time. The faster you pay, the lower the price.
Do not delete or modify encrypted files, it will lead to problems with decryption of files.'
The message delivered by SWIFT Ransomware as a desktop background image is:
'!!! SWIFT !!!
We encrypted and stolen all of your files.
Our email address: swift_1@tutamail.com
In case of no answer within 24 hours, contact to this email: swift@onionmail.com
Your personal ID:'