
The Magic Ransomware

The Magic Ransomware is an encryption ransomware Trojan that was first observed by PC security researchers on October 17, 2017. The Magic Ransomware is delivered to victims through the use of corrupted PDF or DOCX files with operational macro scripts that download and install The Magic Ransomware when the file is opened. These files are attached to spam email messages that use social engineering techniques to trick inexperienced computer users into opening the file attachment.

The Magic that will not Amaze Computer Users

The Magic Ransomware is based on HiddenTear, an open source ransomware platform that has been responsible for countless other encryption ransomware Trojans since it was first released in August 2015. The Magic Ransomware attack is mainly designed to attack computer users in Italy and includes a ransom note written in Italian (although there is nothing preventing The Magic Ransomware from being distributed outside of this region). The Magic Ransomware uses a combination of AES and RSA encryption to make the victim's files completely inaccessible. The Magic Ransomware targets the user-generated files while avoiding Windows system files or other files that would prevent the victim's computer from functioning. The Magic Ransomware's aim is to take the victim's files hostage, but it allows the system to remain functional so that a ransom note can be displayed. The Magic Ransomware will target a wide variety of file types in its attack, including files with the following extensions:

.3gp, .7z, .apk, .avi, .bmp, .cdr, .cer, .chm, .conf, .css, .csv, .dat, .db, .dbf, .djvu, .dbx, .docm, .doc, .epub, .docx, .fb2, .flv, .gif, .gz, .iso, .ibooks, .jpeg, .jpg, .key, .mdb, .md2, .mdf, .mht, .mobi, .mhtm, .mkv, .mov, .mp3, .mp4, .mpg, .mpeg, .pict, .pdf, .pps, .pkg, .png, .ppt, .pptx, .ppsx, .psd, .rar, .rtf, .scr, .swf, .sav, .tiff, .tif, .tbl, .torrent, .txt, .vsd, .wmv, .xls, .xlsx, .xps, .xml, .ckp, .zip, .java, .py, .asm, .c, .cpp, .cs, .js, .php, .dacpac, .rbw, .rb, .mrg, .dcx, .db3, .sql, .sqlite3, .sqlite, .sqlitedb, .psd, .psp, .pdb, .dxf, .dwg, .drw, .casb, .ccp, .cal, .cmx, .cr2.

The files encrypted by the Magic Ransomware attack are easy to identify because The Magic Ransomware will add the file extension '.locked' to the file's name.

The Magic Ransomware and Its Ransom Demands

After encrypting the victim's files, The Magic Ransomware drops a ransom note on the infected computer's desktop in the form of a text file named 'READ_IT.txt'. The text of this ransom note is in Italian. The Magic Ransomware's ransom note, translated into English, reads as follows:

'This computer has been hacked
Your personal data have been encrypted. They will be irreparable
until you pay the ransom ... It is useless to try to decrypt them... Only I can do it now, follow
these steps to retrieve your files:
1 Go to h[tt]ps://localbitcoins.com/
2 Search for a bitcoin seller
3 pay to address [RANDOM CHARACTERS]
the amount of 100 euro if you do not know what bitcoin is:
h[tt]ps://www.focusjunior.it/tecnologia/bitcoin-cosa-sono-e-come-funzionano or look at this xxxxs: www[.]youtube[.]com/watch?v=g72aeVoOGLg
As soon as you make the payment you will receive the key to decrypt the data and retrieve the data ...
all data will be destroyed forever within 48 hours
Good luck
THE MAGIC :)'

Apart from displaying this ransom note, The Magic Ransomware will change the infected computer's desktop into a black image with the text 'YOU'VE BEEN HACKED!' in bright green letters. The Magic Ransomware will run as 'fattura.exe' on the infected computer, which may be an attempt to disguise the nature of its attack. It is not a good decision to pay the Magic Ransomware ransom or follow the instructions in The Magic Ransomware's ransom note. Instead, computer users should take effective precautions against these threats.
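The indicators named in this article ('.locked' files, the 'READ_IT.txt' note, the 'fattura.exe' process name) can be checked together during triage. The script below is an added example, not part of the original article; it assumes the original extension is kept in front of '.locked', uses only a subset of the extension list, and takes process names as a separately collected list.

```python
import os
import tempfile

# Indicators taken from the article above.
LOCKED_SUFFIX = ".locked"
RANSOM_NOTE = "read_it.txt"
PROCESS_NAME = "fattura.exe"
# Subset of the targeted extensions listed in the article (shortened here).
TARGETED = {".doc", ".docx", ".pdf", ".jpg", ".xls", ".xlsx", ".txt", ".zip", ".sql"}


def triage(root, process_names=()):
    """Walk `root` and collect the article's file and process indicators."""
    # process_names: image names from a process listing gathered elsewhere
    # (hypothetical input; this script does not enumerate processes itself).
    findings = {"locked_files": [], "ransom_notes": [], "process_hit": False}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            lower = name.lower()
            path = os.path.join(dirpath, name)
            if lower == RANSOM_NOTE:
                findings["ransom_notes"].append(path)
            elif lower.endswith(LOCKED_SUFFIX):
                # Assumption: 'report.docx.locked' keeps inner extension '.docx'.
                inner = os.path.splitext(lower[: -len(LOCKED_SUFFIX)])[1]
                if inner in TARGETED:
                    findings["locked_files"].append(path)
    findings["process_hit"] = any(p.lower() == PROCESS_NAME for p in process_names)
    return findings


def demo():
    """Run the triage over a constructed sample tree (not real victim data)."""
    with tempfile.TemporaryDirectory() as root:
        desktop = os.path.join(root, "Desktop")
        docs = os.path.join(root, "Documents")
        os.makedirs(desktop)
        os.makedirs(docs)
        for p in (os.path.join(desktop, "READ_IT.txt"),
                  os.path.join(docs, "invoice.docx.locked"),
                  os.path.join(docs, "photo.jpg.locked"),
                  os.path.join(docs, "notes.txt"),      # untouched file
                  os.path.join(docs, "app.locked")):    # no targeted inner extension
            open(p, "w").close()
        r = triage(root, process_names=["explorer.exe", "Fattura.exe"])
        return len(r["locked_files"]), len(r["ransom_notes"]), r["process_hit"]
```

Calling `demo()` returns the counts of '.locked' files and ransom notes found in the constructed tree, plus whether the process name matched.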
