Unknown Ransomware
Researchers have uncovered a new ransomware variant, which is being tracked as the Unknown Ransomware. This threatening software encrypts files and changes their filenames, adding the victim's ID, the 'masterfix@tuta.io' email address, and the ".unknown" extension to them. The Unknown Ransomware also creates two ransom notes in the form of 'info.hta' and 'info.txt' files. The Unknown Ransomware belongs to the Phobos family of malware.
An Overview of Unknown Ransomware's Demands
The Unknown Ransomware encrypts victims' data and demands a ransom payment in exchange for decryption. Victims are told to contact the threat actors via email ('masterfix@tuta.io') or Telegram ('@Stop_24') to receive further instructions. The main ransom note ('info.hta') states that the price of the data decryption depends on how quickly victims contact the threat actor. It also warns against attempting to decrypt files using third-party software, as it may result in your data been lost permanently. Victims have the chance to send up to five files for free decryption.
How do Threats Like the Unknown Ransomware Infect Devices?
One of the most favored methods used to spread ransomware is through weaponized email attachments. These email messages often contain malware-laced executable files or corrupted macros embedded in documents to infect your system when victims open them.
Drive-by downloads or malvertising also may be used as a way to disseminate ransomware threats. Drive-by downloads allow hackers to remotely install malware onto unsuspecting users' computers without their knowledge or consent. They often use pop-ups or redirects that force users into downloading hidden ransomware onto their systems without ever visiting a website, clicking on an email attachment, or agreeing to any kind of download prompt.
The ransom note is shown in a pop-up window and reads:
'All your files have been encrypted!
All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail masterfix@tuta.io
Write this ID in the title of your message -
If you do not receive a response within 24 hours, please contact us by Telegram.org account: @Stop_24
You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the tool that will decrypt all your files.
Free decryption as guarantee
Before paying you can send us up to 5 files for free decryption. The total size of files must be less than 4Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.)
How to obtain Bitcoins
The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price.
hxxps://localbitcoins.com/buy_bitcoins
Also you can find other places to buy Bitcoins and beginners guide here:
hxxp://www.coindesk.com/information/how-can-i-buy-bitcoins/
Attention!
Do not rename encrypted files.
Do not try to decrypt your data using third party software, it may cause permanent data loss.
Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.'
The ransom-demanding message delivered as a text file reads:
'!!!All of your files are encrypted!!!
To decrypt them send e-mail to this address: masterfix@tuta.io.
If we don't answer in 24h, send messge to telegram: @Stop_24'
