Whatafuck Ransomware
Threat Scorecard
Threat Level: 80 % (High)
Infected Computers: 560
First Seen: June 1, 2017
Last Seen: July 20, 2020
OS(es) Affected: Windows
The Whatafuck Ransomware is a ransomware Trojan designed to encrypt its victims' data, making it inaccessible, and then demand the payment of a large ransom to restore the affected files. Holding the victims' data hostage until a ransom is paid is the typical attack used by most encryption ransomware Trojans. PC security analysts first received reports of Whatafuck Ransomware infections in May of 2017. The Whatafuck Ransomware seems to be an independent ransomware infection, not part of a larger family of ransomware or a RaaS (Ransomware as a Service) family. The Whatafuck Ransomware attacks seem to be centered in Russia and Russian-speaking countries. However, the Internet has no borders, and computer users outside of Russia are equally likely to become infected, since the Whatafuck Ransomware may be used in similar attacks in other countries. The most common way the Whatafuck Ransomware is distributed to victims is through corrupted email attachments whose embedded macros download and install the Whatafuck Ransomware onto the victim's computer.
How a Whatafuck Ransomware Infection Works
The Whatafuck Ransomware receives its name because the ransom note this threat uses is contained in a text file named 'WHATAFUCK.txt,' which is dropped on the infected computer's desktop. This note contains a very short message, written in Russian, which translates to:
'To decrypt write to helppppppp@meta.ua'
The Whatafuck Ransomware uses a combination of the RSA and AES encryption algorithms to make the victims' files completely unusable. Once the Whatafuck Ransomware has encrypted the victims' files, it demands that the victim contact the con artists at the email address contained in its ransom message. PC security researchers reported that the people responsible for the Whatafuck Ransomware attack had demanded ransoms ranging from 1000 Rubles ($18 USD) to 6000 Rubles (approximately $110 USD). The files encrypted in the attack can be identified easily because the Whatafuck Ransomware adds the file extension '.+++helppppppp@meta.ua' to each file it encrypts. The Whatafuck Ransomware targets a wide variety of file types, typically looking for user-generated files such as videos, music, and Microsoft Office documents. The following are some of the file formats the Whatafuck Ransomware will target in its attack:
.3gp, .7z, .apk, .avi, .bmp, .cdr, .cer, .chm, .conf, .css, .csv, .dat, .db, .dbf, .djvu, .dbx, .docm, .doc, .epub, .docx, .fb2, .flv, .gif, .gz, .iso, .ibooks, .jpeg, .jpg, .key, .mdb, .md2, .mdf, .mht, .mobi, .mhtm, .mkv, .mov, .mp3, .mp4, .mpg, .mpeg, .pict, .pdf, .pps, .pkg, .png, .ppt, .pptx, .ppsx, .psd, .rar, .rtf, .scr, .swf, .sav, .tiff, .tif, .tbl, .torrent, .txt, .vsd, .wmv, .xls, .xlsx, .xps, .xml, .ckp, .zip, .java, .py, .asm, .c, .cpp, .cs, .js, .php, .dacpac, .rbw, .rb, .mrg, .dcx, .db3, .sql, .sqlite3, .sqlite, .sqlitedb, .psd, .psp, .pdb, .dxf, .dwg, .drw, .casb, .ccp, .cal, .cmx, .cr2.
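The two indicators described above, the appended '.+++helppppppp@meta.ua' extension and the 'WHATAFUCK.txt' note, are enough to inventory an affected machine or mounted disk image. The following Python script is an added example, not part of the original write-up or of any EnigmaSoft tool; the function names and the sample files it creates are constructed for illustration.

```python
import os
import tempfile
from collections import Counter
from pathlib import Path

# Indicators taken from the write-up above.
MARKER = ".+++helppppppp@meta.ua"  # extension appended to each encrypted file
NOTE_NAME = "WHATAFUCK.txt"        # ransom note dropped on the desktop


def triage(root):
    """Return (affected, notes, by_type) for the tree under root:
    (encrypted_path, original_name) pairs, ransom-note paths, and a Counter
    of original extensions used to prioritise backup restores."""
    affected, notes, by_type = [], [], Counter()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            folded = name.casefold()  # Windows file names are case-insensitive
            if folded == NOTE_NAME.casefold():
                notes.append(path)
            elif folded.endswith(MARKER) and len(name) > len(MARKER):
                # Path.suffix would report ".ua" here, so strip the marker first.
                original = name[: -len(MARKER)]
                affected.append((path, original))
                by_type[Path(original).suffix.lower() or "(none)"] += 1
    return affected, notes, by_type


def build_sample_tree(root):
    """Create constructed sample data: empty files named as described above."""
    for rel in ("Desktop/WHATAFUCK.txt",
                "Documents/report.docx" + MARKER,
                "Documents/budget.xlsx" + MARKER,
                "Documents/notes.docx",  # untouched file, must not be reported
                "Pictures/holiday.JPG" + MARKER):
        target = Path(root) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.touch()


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        affected, notes, by_type = triage(tmp)
        print(f"{len(affected)} encrypted file(s), {len(notes)} ransom note(s)")
        for ext, count in by_type.most_common():
            print(f"  {ext}: {count}")
```

Pointing triage() at a real user profile or mounted image gives the list of original file names to restore from backup.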
Dealing with a Whatafuck Ransomware Infection
Unfortunately, it may not currently be possible to recover files that have been encrypted by the Whatafuck Ransomware. However, computer users should refrain from contacting these con artists or paying any ransom. The people responsible for these attacks may ignore the victims' payments or even demand more money. Furthermore, paying the Whatafuck Ransomware ransom simply allows con artists to continue creating these threats and claiming more victims. Instead of paying the Whatafuck Ransomware ransom, take preventive measures to ensure that you can recover from an attack in the future. The best protection against the Whatafuck Ransomware and similar ransomware Trojans is to have backup copies of your files: the ability to restore files from a backup completely removes any power from the con artists, preventing them from holding the victim's files hostage. A reliable security program that is fully up-to-date should also be used to intercept the Whatafuck Ransomware and other threats.