Unicorn Ransomware

By GoldSparrow in Ransomware

There is a brand-new ransomware threat targeting innocent users online - the Unicorn Ransomware. This newly detected data-encrypting Trojan appears to target computer users located in Italy. It is likely that this is a new project as the Unicorn Ransomware does not appear to be linked to other ransomware families.

Propagation and Encryption

According to cybersecurity experts, the Unicorn Ransomware is not propagated via the usual means (phishing emails, torrent trackers, fake updates/downloads, etc.). Instead, the authors of the Unicorn Ransomware have set up a bogus website hosted at Fofl(dot)it. The cyber crooks have used this domain name to trick users into believing that they are visiting the legitimate Fofi.it, the genuine domain name used by the Italian Federation of Pharmacists (in Italian, Federazione Ordini Farmacisti Italiani). Users who fail to spot the one-letter difference between the two domain names may end up falling for the trickery of the Unicorn Ransomware's authors. To make this tactic believable, the attackers have copied the design of the original website. The bogus Web page invites users to download a COVID-19 map, which is presented as an updated variant of the one on the site. However, the file pushed by the Fofl(dot)it site is not a legitimate map but a copy of the Unicorn Ransomware.

Once the Unicorn Ransomware compromises the target's PC, it will encrypt the files on it. Once locked, the files will be unusable until the victim decrypts them with the appropriate key. Of course, the attackers will not offer the decryption key freely; users will be asked to pay a ransom fee. The locked files will have an extra extension appended to them: '.fuckunicorn[RANDOM CHARACTERS].'
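The one-letter difference between the bogus and the genuine domain is something a defender can check for automatically in DNS or proxy logs. The following Python example is added here and is not part of the original article or of any vendor tooling; it flags queried names that differ from a protected domain by a look-alike character or a single edit. The log lines, host names, the fold table and the second look-alike name foffi.it are constructed for illustration.

```python
import re

PROTECTED = ["fofi.it"]  # legitimate domain named in the article
# Assumed, deliberately small fold table for look-alike characters.
CONFUSABLE = str.maketrans({"l": "i", "1": "i", "0": "o"})

def refang(domain):
    """Undo common defanging such as '(dot)' or '[.]' and lowercase."""
    return re.sub(r"\(dot\)|\[dot\]|\[\.\]", ".", domain.strip().lower())

def edit_distance(a, b):
    """Levenshtein distance, computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(domain, protected=PROTECTED):
    """Return (verdict, protected_domain) for one queried name."""
    # Assumption: registered domain = last two labels (no public suffix list).
    reg = ".".join(refang(domain).split(".")[-2:])
    for legit in protected:
        if reg == legit:
            return ("legitimate", legit)
        if reg.translate(CONFUSABLE) == legit.translate(CONFUSABLE):
            return ("homoglyph-lookalike", legit)
        if edit_distance(reg, legit) == 1:
            return ("one-edit-lookalike", legit)
    return ("unrelated", None)

# Constructed DNS query log lines: timestamp, host, record type, name.
SAMPLE_LOG = """\
2020-01-01T09:14:02Z host-17 A www.fofi.it
2020-01-01T09:14:40Z host-22 A fofl(dot)it
2020-01-01T09:15:11Z host-22 A foffi.it
2020-01-01T09:15:30Z host-03 A example.org
"""

def scan(log=SAMPLE_LOG):
    """Return (host, name, verdict, protected_domain) for each look-alike query."""
    hits = []
    for line in log.splitlines():
        _ts, host, _rtype, name = line.split()
        verdict, legit = classify(name)
        if verdict.endswith("lookalike"):
            hits.append((host, refang(name), verdict, legit))
    return hits
```

Calling scan() on the constructed log returns the two look-alike queries from host-22 and ignores the legitimate and unrelated names.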

The Ransom Note

The Unicorn Ransomware drops a ransom note on the user's system. The file containing the attackers' ransom message is named 'READ_IT.txt.' The ransom note is written entirely in Italian. In the note, the authors of the Unicorn Ransomware state that the ransom fee required is $300, payable in Bitcoin. To contact the attackers, the victim is asked to write to 'xxcte2664@protonmail.com.'

It is certainly not advisable to contact or pay cybercriminals like the creators of the Unicorn Ransomware. There is no guarantee that they will send you the decryption key you need, even if you pay the ransom fee. Make sure to eliminate the Unicorn Ransomware from your computer with the help of a genuine anti-virus software suite.
