WCH Ransomware

WCH Ransomware Description

Security researchers have uncovered a new data-encrypting Trojan in the wild. The name of this threat is WCH Ransomware. Upon studying the WCH Ransomware, experts found that it has striking similarities with the infamous Dharma Ransomware. This means that the WCH Ransomware belongs to the Dharma Ransomware family.

Propagation and Encryption

The WCH Ransomware may be distributed via phishing emails. Such spam campaigns carry compromised attachments or promote corrupted links. Authors of ransomware threats also use malvertising, fake pirated variants of popular applications, torrent trackers, and bogus software updates and downloads as distribution methods. Upon infecting a targeted PC, the WCH Ransomware scans the infected computer to locate the files present on it. The WCH Ransomware goes after a wide variety of file types, such as .mp3, .mp4, .mov, .png, .jpeg, .jpg, .gif, .ppt, .pptx, .xls, .xlsx, .pdf, .doc, .docx, etc. Files encrypted by the WCH Ransomware are renamed, as this threat appends '.[wecanhelpu@tuta.io].wch' to their names. This means that a file named 'blood-orange.ppt' will be renamed to 'blood-orange.ppt.[wecanhelpu@tuta.io].wch'.

The Ransom Note

Next, the WCH Ransomware will drop a ransom message on the user's system. The attackers' message can be found in a file called 'FILES ENCRYPTED.txt'. The ransom note is very brief, and the attackers do not specify what the ransom sum is. However, they provide an email address where the user can contact them: 'wecanhelpu@tuta.io'. The authors of the WCH Ransomware also provide a link to a Tor-based website.
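The two file-system indicators described above (the appended '.[wecanhelpu@tuta.io].wch' suffix and the 'FILES ENCRYPTED.txt' note) can be used to size the damage on a host or file share. The following is an added example, not code from the original page: the function names are illustrative, case-insensitive matching is an assumption, and the sample directory tree is constructed from empty placeholder files.

```python
import os
import tempfile

SUFFIX = ".[wecanhelpu@tuta.io].wch"   # appended file-name suffix, from the page
NOTE_NAME = "FILES ENCRYPTED.txt"      # ransom note file name, from the page


def classify(name):
    """Return ('note', None), ('encrypted', original_name) or (None, None)."""
    lower = name.lower()  # assumption: match case-insensitively, as Windows does
    if lower == NOTE_NAME.lower():
        return "note", None
    # Require a base name before the suffix; a bare suffix is not a renamed file.
    if lower.endswith(SUFFIX) and len(name) > len(SUFFIX):
        return "encrypted", name[: -len(SUFFIX)]
    return None, None


def scan(root):
    """Walk root; collect ransom notes, renamed files and per-directory hit counts."""
    report = {"notes": [], "encrypted": [], "by_dir": {}}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            kind, original = classify(name)
            path = os.path.join(dirpath, name)
            if kind == "note":
                report["notes"].append(path)
            elif kind == "encrypted":
                report["encrypted"].append((path, original))
                report["by_dir"][dirpath] = report["by_dir"].get(dirpath, 0) + 1
    return report


def demo():
    """Build a constructed tree of empty placeholder files and scan it."""
    with tempfile.TemporaryDirectory() as root:
        docs = os.path.join(root, "docs")
        os.mkdir(docs)
        for rel in ("docs/blood-orange.ppt.[wecanhelpu@tuta.io].wch", "docs/clean.pdf",
                    "docs/notes.DOCX.[WECANHELPU@tuta.io].WCH", "FILES ENCRYPTED.txt"):
            open(os.path.join(root, *rel.split("/")), "w").close()
        report = scan(root)
        originals = sorted(orig for _path, orig in report["encrypted"])
        return originals, len(report["notes"]), report["by_dir"].get(docs, 0)


if __name__ == "__main__":
    print(demo())
```

The recovered original names give a list to check against backups, and the per-directory counts show which locations were reached.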

Sadly, no free decryption tool is publicly available yet. Even so, it is never advisable to contact cyber crooks: they may promise to provide you with a decryption key if you pay, but it is highly likely that they will not keep their promise. This is why you should consider obtaining a genuine, up-to-date anti-virus software suite, which will eradicate the WCH Ransomware from your system.

