TaRoNiS Ransomware Description
The TaRoNiS Ransomware Trojan is one of the new versions of the Xorist Ransomware to come out in July 2018. The threat is lurking in spam emails that welcome users to load a corrupted Microsoft Word document, which includes a script that installs the threat onto your machine. The emerging TaRoNiS Ransomware was preceded by the Xorist-Frozen Ransomware (February) and the Xorist-XWZ Ransomware (March).
The new variant appears to feature small changes to the encryption algorithm and completely new obfuscation layers, which allowed it to circumvent some security policies. The TaRoNiS Ransomware functions as most standard crypto-threat samples we have seen so far. The program maps the connected data storage and compiles a list of files suitable for encryption. The Trojan produces a unique encryption key, which is used to block access to the user's content, and a decryption key is exported to a remote server under the control of the threat actors. The affected files feature the '.TaRoNiS' suffix and something like 'Rosemallows.pptx' is renamed to 'Rosemallows.pptx.TaRoNiS.' The ransom message is presented as 'HOW TO DECRIPT FILES.txt' that says:
I am truly sorry to inform you that all your important files are crypted.
If you want to recover your encrypted files you need to follow a few steps.
Atention!! I do not offer for free the decrypt key, for that you have to pay 0.08 BITCOIN.
Step 1: Create an account on www[.]localbitcoins[.]com
Step 2: Buy 0.08 BITCOIN
Step 3: Send the amount on this BTC address: 13oiwC4kgTvzjJNzEXe2n8ubxJyCvHrKfJ
Step 4: Contact me on this email address email@example.com with this subject: ID-RESTORE-008TARONISPCID0381723
After this steps you will receive through email the key and a decrypt tutorial.
Here is another list where you can buy bitcoin:
The threat actors may offer a decryptor to any user who is willing to make a risky payment of 0.08 Bitcoin (≈597 USD/512 EUR) to a predetermined wallet address. We encourage users to use backups and older versions of their data to restore normal computer activity as opposed to paying the money to the threat actors. It should be noted that the TaRoNiS Ransomware does not interfere with the Windows files and your system should remain stable. However, personal photos, saved music, and videos are not likely to be readable. Remove the TaRoNiS Ransomware using a trusted anti-malware application and make sure to add a good backup manager to Windows.