VIAM Ransomware

So far, the VIAM Ransomware has not been attributed to any preexisting malware family. Although this makes the threat fairly unique, it still behaves like typical ransomware: it aims to sneak onto users' computers, run an encryption routine that locks the victim's files and renders them unusable, and then demand a ransom for the potential restoration of the data.

In the VIAM Ransomware's case, the feature that most distinguishes it from similar threats is the extension it appends to the original name of every encrypted file: '.viamwasted'. Another uncommon aspect of VIAM is that it creates a separate ransom note file for each file it has encrypted. Each note's name is the modified name of the encrypted file it corresponds to, followed by '_info'. The instructions in all the files created this way are the same.

Opening the ransom note reveals that the hackers provide very few useful details. They simply state that the victim's network has been penetrated, that files have been encrypted with a strong algorithm, and that backups have been either encrypted or deleted. Affected users are expected to ask for additional information on how to restore their data by contacting the two provided email addresses: '43780@PROTONMAIL.CH' and '18002@AIRMAIL.CC'.

The full text of the instructions delivered by the VIAM Ransomware is:

'VIAM.

Your network has been penetrated.

All files on each host in the network have been encrypted with a strong algorythm.

Backups were either encrypted or deleted.

Do not rename or move the encrypted files.

To get the files back contact us at: 43780@PROTONMAIL.CH or 18002@AIRMAIL.CC

Store the encryption key:'
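
The naming scheme described above (the '.viamwasted' extension and one '_info' note per encrypted file) can be used to scope the damage on an affected host or share. The Python script below is an added example, not code from the original write-up: it pairs each encrypted file with its note, recovers the original file name, and checks the note for the two contact addresses. It assumes a note is named exactly as the encrypted file plus '_info' with no further extension; the sample tree it builds is constructed for the demonstration.

```python
import os
import tempfile

# Indicators taken from the write-up above.
ENC_SUFFIX = ".viamwasted"
NOTE_SUFFIX = "_info"
CONTACTS = ("43780@protonmail.ch", "18002@airmail.cc")


def triage(root):
    """Walk root and pair encrypted files with their per-file ransom notes."""
    report = {"encrypted": [], "notes_missing": [], "notes_with_contact": 0}
    for dirpath, _dirs, files in os.walk(root):
        names = set(files)
        for name in sorted(names):
            if not name.endswith(ENC_SUFFIX):
                continue
            path = os.path.join(dirpath, name)
            original = name[: -len(ENC_SUFFIX)]  # name before encryption
            report["encrypted"].append((path, original))
            note = name + NOTE_SUFFIX  # assumed: encrypted name + '_info'
            if note not in names:
                report["notes_missing"].append(path)
                continue
            with open(os.path.join(dirpath, note), errors="replace") as fh:
                text = fh.read(65536).lower()  # notes are short; cap the read
            if any(c in text for c in CONTACTS):
                report["notes_with_contact"] += 1
    return report


def build_sample(root):
    """Constructed sample tree: two encrypted files, one note, one clean file."""
    os.makedirs(os.path.join(root, "docs"))
    for rel in ("docs/q3.xlsx.viamwasted", "photo.jpg.viamwasted", "readme.txt"):
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(b"\x00" * 16)
    with open(os.path.join(root, "docs/q3.xlsx.viamwasted_info"), "w") as fh:
        fh.write("VIAM.\nTo get the files back contact us at: 43780@PROTONMAIL.CH\n")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        result = triage(tmp)
        for path, original in result["encrypted"]:
            print(f"{path} (was {original})")
        print("notes missing:", result["notes_missing"])
        print("notes naming a known contact:", result["notes_with_contact"])
```

Encrypted files without a matching note are listed separately because they may indicate an interrupted run or a variant that names its notes differently.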
