
VIAGRA Ransomware

By GoldSparrow in Ransomware

Ransomware attacks are on the rise, and malware researchers detect more and more data-locking Trojans being pumped out every day. It would seem that everyone in the world of cybercrime wants a piece of the pie – the more tech-savvy individuals build their own file-encrypting Trojans, while the less able ones simply borrow the code of already existing ransomware threats. One of the latest additions is the VIAGRA Ransomware.

For the most part, VIAGRA Ransomware acts as a typical ransomware threat. It sneaks inside the victim's computer system, encrypts the user’s personal or business files, and demands a ransom for their restoration. In this case, the amount to be paid is set to 0.4 Bitcoins, which according to the criminals behind the VIAGRA Ransomware is equal to around $400. While this may have been true at one point, currently the price of a single Bitcoin stands at just above $8000. If you do the math, this means that victims of this malware will have to pay over $3000 for the decryption of their data.

The Symptoms of a VIAGRA Ransomware Attack

Two main variants of VIAGRA Ransomware have been observed by the cybersecurity community. The most significant difference between them is the extension they attach to the end of the name of each encrypted file. The more common variant uses a string of random characters that ends with "==ObcK", while the other variant puts "==E3m7" at the end of the random string.

No matter what the specific extension is, VIAGRA Ransomware's encryption, which employs a combination of the AES-256 and RSA-4096 encryption algorithms, ensures that the files cannot be decrypted by anyone besides the creators of the malware. The default Windows backup service won’t be of any help, either, because the volume shadow copies of the affected files are deleted by the ransomware through the command "vssadmin.exe delete shadows /all /Quiet".

VIAGRA Ransomware has been designed to target files located in specific folders such as "Documents and Settings" and "Users", in addition to around 200 different file types. Some of the file types encrypted by VIAGRA Ransomware are:

.$$$, .3dm, .3g2, .3ds, .3gp, .602, .apk, .asm, .arj, .au3, .avi, .band, .bik, .bat, .bin, .bit,.bmp, .bkp, .cad, .ccp4, .cdf, .cdr, .cer, .cfg, .cfm, .cgi, .class, .com, .conf, .cpp, .cps, .css, .csv, .dbg, .deb, .djvu, .doc, .dotm, .docm, .docx, .dot, .elf, .eml, .eossa, .erf, .eps, .fds, .flac, .gbc, .gadget, .gba, .gif, .gml, .gsm, .hpp, .html, .htm, .ico, .ihtml, .ini, .jar, .java, .jpg, .jsp, .jtd, .jpeg, .jtt, .key, .lip, .lua, .m4a, .mcpack, .maf, .mctemplate, .mkv, .mmp, .mp3, .mmpz, .mov, .mp2, .mpa, .mpp, .myd, .navpath, .ncf, .nfo, .nokogiri, .nrg, .nsh, .nth, .nvram, .oa2, .oa3, .obj, .obt, .obx, .obz, .ocr, .oda, .odb, .odf, .odg, .odif, .odl, .odo, .ogg, .opus, .osd, .osf, .osr, .osu, .p01, .p10, .p12, .p7b, .p7c, .pak, .pcd, .pdb, .pdc, .pdf, .peb, .pef, .pfx, .php, .pk3, .pkg, .ply, .png, .ppt, .pptm, .pptx, .prc, .ppx, .proofingtool, .prz, .ps1, .ps1xml, .pub, .pubx, .pyc, .pys, .qbm, .qbx, .r00, .rar, .rdb, .reg, .rss, .rtf, .rwlibrary, .sam, .sas7bdat, .sav, .sheet, .shtml, .sis, .skb, .sln, .smh, .spb, .spc, .sql, .sqlite, .sqlite1, .swift, .ssh, .ssx, .stone, .struct, .suf, .svg, .szs, .tar, .tar.gz, .tdr, .tex, .tga, .tgz, .thm, .tif, .tiff, .tml, .tor, .torrent, .txt, .url, .vbs, .vgm, .vid, .vob, .wad, .war, .wdb, .web, .webmoney, .wks, .wmv, .wpl, .wps, .wsf, .x11, .xhtml, .xlsx, .xla, .xls, .xlsm, .xml, .xpl, .xsl, .zip
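As an added defender-side example (not code from the original page), the following Python detection logic covers the two observable artifacts described above: the shadow-copy deletion command and the two encrypted-file suffixes. The process log lines and the directory listing are constructed samples, and the alphabet of the random string preceding "==ObcK"/"==E3m7" is an assumption.

```python
import re

# Constructed sample process-creation log lines (the shape of Sysmon Event ID 1
# or Windows Security 4688 exports), used to exercise the detector offline.
SAMPLE_PROCESS_LOG = [
    'Image=C:\\Windows\\System32\\vssadmin.exe CommandLine="vssadmin.exe delete shadows /all /Quiet"',
    'Image=C:\\Windows\\System32\\vssadmin.exe CommandLine="vssadmin.exe list shadows"',
    'Image=C:\\Windows\\System32\\notepad.exe CommandLine="notepad.exe README-VIAGRA-a1b2c3.HTML"',
]

# Constructed directory listing with two encrypted files and two untouched ones.
SAMPLE_DIR_LISTING = [
    "report.docx.Xk9pQ2==ObcK",
    "photo.jpg.B7tV==E3m7",
    "photo.jpg",
    "README-VIAGRA-a1b2c3.HTML",
]

# The shadow-copy wipe quoted on this page: vssadmin delete shadows /all /Quiet.
# Case-insensitive and tolerant of extra arguments between the tokens.
SHADOW_DELETE_RE = re.compile(
    r"vssadmin(?:\.exe)?.*\bdelete\s+shadows\b.*/all\b.*/quiet\b", re.IGNORECASE
)

# Encrypted names end in a random string followed by "==ObcK" or "==E3m7".
# The random-string alphabet (base64-like) is an assumption, not stated on the page.
VIAGRA_SUFFIX_RE = re.compile(r"[A-Za-z0-9+/]+==(ObcK|E3m7)$")


def find_shadow_copy_deletions(log_lines):
    """Return the log lines whose command line deletes every volume shadow copy."""
    return [line for line in log_lines if SHADOW_DELETE_RE.search(line)]


def classify_viagra_file(filename):
    """Return 'ObcK' or 'E3m7' when the name carries a VIAGRA suffix, else None."""
    match = VIAGRA_SUFFIX_RE.search(filename)
    return match.group(1) if match else None


def find_encrypted_files(filenames):
    """Group file names that carry a VIAGRA suffix by variant marker."""
    hits = {"ObcK": [], "E3m7": []}
    for name in filenames:
        variant = classify_viagra_file(name)
        if variant:
            hits[variant].append(name)
    return hits


if __name__ == "__main__":
    print(find_shadow_copy_deletions(SAMPLE_PROCESS_LOG))
    print(find_encrypted_files(SAMPLE_DIR_LISTING))
```

A single shadow-copy deletion hit in process telemetry is worth alerting on by itself, since the page notes it runs before the victim sees any ransom note.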

After completing the encryption process, VIAGRA Ransomware creates a ".bmp" image, which it sets as a new desktop background. It contains the following text:

Your files are encrypted.
Your files were encrypted with a AES-256 \ RSA-4096 combination. The combination is cryptographically secure and cannot be cracked. There are no flaws in the encryption method, and original file contents were wiped forever.
To recover your files and return to normal, please, look for the files with viagra in their filenames, and, look for their contents, there will be instructions.
Do it as fast as possible, time will not stand still.

VIAGRA Ransomware goes even further - it logs the user out of all of the system accounts. On the next login, the victims are greeted by a message from the malware:

[USER NAME], your files are encrypted. Look for README-VIAGRA-[RANDOM STRING].HTML in every folder, for instructions on how to get your files back.

The Ransom Note

In another deviation from what is considered the norm for ransomware development, VIAGRA Ransomware forgoes the creation of a ".txt" file for its ransom note and instead creates a ".HTML" file containing the instructions for the victim in every folder with encrypted files. The name of the HTML file may be a variation of README-VIAGRA-[RANDOM STRING].HTML or Help Viagra Ransomware.html. The full text of the note is:

What happened to my files?
Your files were encrypted with AES-256 and RSA-4096. This combination is cryptographically secure and cannot be cracked. There are no flaws in the encryption method. Tools like Recuva, or Shadow Copies will fail as soon as they are launched. But, your hope is not to lose. Every file with the ".E3m7" extension was encrypted (you can verify by yourself that, just, go into your user profile folders, for example, or, into your connected drives).
How do I decrypt my files?
To decrypt your files, you will need to pay a certain amount of money to us, in an anonymous manner.
First step, is to create an Bitcoin account (if you don't have one), use the following URL:
Crypto Runner guide.
InvestoPedia guide.
Send a payment to the following BitCoin address of 0.4 BTC ~ 403.60 USD, and keep the transaction / payment ID:
After, contact one of the following e-mail addresses present below. If you do not get a reply from one, send to the other one, until you get a reply (this happens in less than 24 hours, in normal conditions); check also your spam folder. Use your real E-mail address, and use the subject "Decryption"; add as attached file this HTML document, and add to the body the payment ID. We do not give decryption for test service, so, don't request for free decryption on the e-mail. We will tell the rest of istructions after the e-mail was sent.
Do what you're told. Don't try to swear on us, or we will block you and your ID forever. Don't try to fool us into using 10MinuteMail or similar services,
use them for later.
E-mail addresses:
First address ("youngthug412")
First address ("hparrockneverstop")
After decryption, your E-mail address and your ID will be wiped off our servers, don't fear for your life.
Is there a time limit?
Yes, three months from now (day, month, year;). Date was added to the ID, and is not removable from it (will make us ignore you forever). Be quick to pay, after 1,5 months from now, the price will be raised of the 50%, and, after three months, your ID will be blocked, that will happen also to your real e-mail address.
-- N***a livin life like vulcano and this only the beginnin' --

In an attempt to scare the victim into paying the demanded money, the creators of VIAGRA Ransomware state that after a month and a half the sum they want will increase by 50%, while after three months they will block the victim's ID and won’t accept any amount of money for potential decryption.

Dealing with a VIAGRA Ransomware Attack

If your computer system has been locked by VIAGRA Ransomware, or any of the myriad other ransomware threats, paying the criminals is definitely NOT the best course of action. There is no guarantee that the criminals will be able to deliver a decryption tool that can successfully restore the locked files, not to mention that they may simply take the money and move on to create their next malware threat. Instead, victims should use legitimate anti-malware software to clean the compromised computers before attempting to restore the encrypted data from a previously created backup that has been kept disconnected from the network.
