
TCYO Ransomware

Infosec researchers have discovered a new Dharma variant that has been unleashed in the wild. Named the TCYO Ransomware, it aims to infiltrate the computers of its victims, initiate an encryption process that locks a large array of file types and then extort the affected users for money.

Each encrypted file will have its name changed drastically. TCYO follows the naming pattern observed in other Dharma variants: first it adds the ID number assigned to the victim, then it appends an email address under the control of the hackers, and finally it places '.TCYO' as the new file extension. The email address used by TCYO in the file names is 'yourfiles1@cock.li'.

Victims of the threat are left with two ransom notes containing instructions from the criminals. The main note is displayed in a pop-up window, while a shorter version of the message is dropped on the desktop of the compromised system as a text file named 'FILES ENCRYPTED.txt'.
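The renaming scheme and the note file name described above give a responder two cheap host-level indicators. The following is an added example (not code from the original entry) that parses Dharma-style file names and summarises one directory listing; the 'id-' prefix and the square brackets around the email are assumed separators, since the entry only states the order of the appended parts, and the listing is constructed sample data.

```python
import re
from collections import Counter
from typing import NamedTuple, Optional

# Constructed sample listing, not from the original page: untouched files
# mixed with files renamed in the style the entry describes.
SAMPLE_LISTING = [
    "report.docx",
    "report.docx.id-1E857D00.[yourfiles1@cock.li].TCYO",
    "budget.xlsx.id-1E857D00.[yourfiles1@cock.li].TCYO",
    "photo.jpg.id-1E857D00.[yourfiles1@cock.li].TCYO",
    "FILES ENCRYPTED.txt",
    "notes.txt",
]

# Assumed layout: <original>.id-<8 hex>.[<email>].<ext>. The entry gives only the
# order (ID, email, '.TCYO'); the 'id-' prefix and brackets are an assumption.
DHARMA_NAME = re.compile(
    r"^(?P<original>.+?)\.id-(?P<victim_id>[0-9A-Fa-f]{8})"
    r"\.\[(?P<email>[^\]\s]+@[^\]\s]+)\]\.(?P<ext>[A-Za-z0-9]+)$"
)
# Short note file name as given in the entry.
TCYO_NOTE_NAME = "FILES ENCRYPTED.txt"


class EncryptedName(NamedTuple):
    original: str
    victim_id: str
    email: str
    ext: str


def parse_encrypted_name(name: str) -> Optional[EncryptedName]:
    """Split a renamed file into its parts, or None if it does not match."""
    m = DHARMA_NAME.match(name)
    return EncryptedName(**m.groupdict()) if m else None


def scan_listing(names, ext: str = "TCYO") -> dict:
    """Summarise indicators in one directory listing for the given extension."""
    parsed = (parse_encrypted_name(n) for n in names)
    hits = [p for p in parsed if p and p.ext.upper() == ext.upper()]
    return {
        "encrypted_count": len(hits),
        "victim_ids": sorted({h.victim_id for h in hits}),
        "contact_emails": Counter(h.email for h in hits),
        "ransom_note_present": TCYO_NOTE_NAME in names,
        # Original names are recoverable from the renamed files for triage.
        "originals": [h.original for h in hits],
    }
```

A single victim ID across all hits, together with the note file, is the expected picture on one infected host; multiple IDs in one share point to several hosts writing into it.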

TCYO Ransomware's Demands

The text file doesn't contain any meaningful details about the demands of the hackers. It only tells victims to initiate contact by sending a message to two provided email addresses - 'yourfiles1@cock.li' and 'tcprx@tutanota.de'. The pop-up window provides a bit more information. It shows the victim's ID number and states that the second email address is supposed to be used only if the user doesn't receive an answer for more than 12 hours after messaging the first email. The pop-up window concludes with various warnings, such as not renaming the encrypted files or trying to unlock them via third-party programs.

The entire message found inside the text file is:

'all your data has been locked us
You want to return?
write email yourfiles1@cock.li or tcprx@tutanota.de
.'

The pop-up window delivers the following instructions:

'YOUR FILES ARE ENCRYPTED

Don't worry,you can return all your files!
If you want to restore them, follow this link:email yourfiles1@cock.li YOUR ID 1E857D00
If you have not been answered via the link within 12 hours, write to us by e-mail:tcprx@tutanota.de

Attention!
Do not rename encrypted files.
Do not try to decrypt your data using third party software, it may cause permanent data loss.
Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.
'
