The Vohuk Ransomware is a malware threat that can devastate the data on the computers it infects. By running an encryption routine, the threat will effectively lock the victim's documents, PDFs, images, photos, archives, databases and other file types. The names of the impacted files will be changed completely. The threat will create a random string of characters for the name of each encrypted file, followed by '.Vohuk' as a new file extension.
Victims will be left with two ransom notes. A very brief message will be displayed in an image that the threat will place as a new desktop background. The instructions there simply direct victims toward opening the main ransom note dropped on the system as a text file named 'README.txt.'
The ransom note inside the text file reveals that the operators of the Vohuk Ransomware run a double-extortion operation. The note claims that sensitive data has been collected from the infected systems before the encryption of the files. If the affected organizations refuse to pay the demanded ransom, their data will supposedly be leaked on hacker forums. The threat actors state that they are willing to decrypt two files that do not exceed 2MB in total size, as a demonstration. Victims can contact them via the two email addresses found in the note - 'email@example.com' and 'firstname.lastname@example.org.'
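The three on-host indicators described above (randomly named files ending in '.Vohuk', a 'README.txt' that names the Vohuk Ransomware, and a desktop message pointing at that note) can be checked for in a triage sweep. The following is an added example written for this page, not a tool from the original article: it scans a constructed mapping of file paths to contents and flags an incident only when both encrypted-looking files and a matching note are present. The alphabet and length of the random file stems are not given on the page, so the alphanumeric pattern used here is an assumption.

```python
import re
from dataclasses import dataclass, field
from pathlib import PurePosixPath

# Indicators taken from the page: random-string names ending in '.Vohuk', a
# 'README.txt' note whose text names the ransomware, and the note's headline.
VOHUK_EXTENSION = ".Vohuk"
NOTE_FILENAME = "README.txt"
NOTE_MARKERS = ("Vohuk Ransomware", "ALL YOUR FILES ARE STOLEN AND ENCRYPTED")

# The page says original names are replaced entirely, so a stem that still
# carries an inner '.' (e.g. 'report.pdf.Vohuk') is not treated as a match.
# Alphabet and length of the random stem are an assumption, not from the page.
RANDOM_STEM = re.compile(r"^[A-Za-z0-9]+$")


@dataclass
class ScanResult:
    encrypted: list = field(default_factory=list)
    notes: list = field(default_factory=list)
    dirs_hit: set = field(default_factory=set)

    @property
    def likely_vohuk(self) -> bool:
        # Require both indicator classes so a lone '.Vohuk' file from some
        # unrelated source does not raise an incident on its own.
        return bool(self.encrypted) and bool(self.notes)


def is_vohuk_encrypted_name(name: str) -> bool:
    """True when a file name looks like a Vohuk-renamed encrypted file."""
    p = PurePosixPath(name)
    if p.suffix != VOHUK_EXTENSION:
        return False
    return RANDOM_STEM.fullmatch(p.stem) is not None


def is_vohuk_note(name: str, text: str) -> bool:
    """True when the file is a README.txt carrying the Vohuk note markers."""
    if PurePosixPath(name).name != NOTE_FILENAME:
        return False
    return any(marker in text for marker in NOTE_MARKERS)


def scan(files: dict) -> ScanResult:
    """files maps path -> text content, or None for files not read as text."""
    result = ScanResult()
    for path, content in files.items():
        if is_vohuk_encrypted_name(path):
            result.encrypted.append(path)
            result.dirs_hit.add(str(PurePosixPath(path).parent))
        elif content is not None and is_vohuk_note(path, content):
            result.notes.append(path)
    return result


# Constructed sample listing: two renamed files plus the note in one share,
# an unrelated README.txt elsewhere, and a benign file with '.Vohuk' mid-name.
SAMPLE_FILES = {
    "/srv/share/finance/q3K9vLp2.Vohuk": None,
    "/srv/share/finance/Zx81mNq0.Vohuk": None,
    "/srv/share/finance/README.txt": (
        "[~] Vohuk Ransomware V1.3\nALL YOUR FILES ARE STOLEN AND ENCRYPTED.\n"
    ),
    "/srv/share/hr/policy.pdf": None,
    "/srv/share/hr/README.txt": "Build instructions for the HR portal.\n",
    "/home/user/notes.Vohuk.bak": None,
}

if __name__ == "__main__":
    r = scan(SAMPLE_FILES)
    print("encrypted files:", len(r.encrypted))
    print("ransom notes:", r.notes)
    print("affected directories:", sorted(r.dirs_hit))
    print("likely Vohuk incident:", r.likely_vohuk)
```

The directory set is the useful output for response: it tells you which shares or user profiles the encryption routine reached, which is where backup restoration and the search for the initial access path should start.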
The full text of the message dropped by the Vohuk Ransomware as a text file reads:
'[~] Vohuk Ransomware V1.3
ALL YOUR FILES ARE STOLEN AND ENCRYPTED.
To recovery your data and not to allow data leakage, it is possible only through purchase of a private key from us.
We are not a politically motivated group and we do not need anything other than your money.
Before paying you can send us up to 2 files for free decryption.
The total size of files must be less than 2MB(non archived).
files should not contain valuable information. (databases, backups, large excel sheets, etc.)
Please write an email to both: email@example.com & firstname.lastname@example.org
Write this Unique-ID in the title of your message: -
Do not delete or rename or modify encrypted files.
Do not try to decrypt using third party software, it may cause permanent data loss.
Decryption of your files with the help of third parties may cause increased price(they add their fee to our).
We use strong encryption, nobody can restore your files except us.
The price depends on how fast you contact with us.
remember to hurry up, as your email address may not be available for very long.
All your stolen data will be loaded into cybercriminal forums/blogs if you do not pay ransom.
If you do not pay the ransom we will attack your company repeatedly again.'
The desktop background image shows the following message:
'All your files are stolen and encrypted!
Please find README.txt file and follow the instruction!'