
'.WHY File Extension' Ransomware

By GoldSparrow in Ransomware

The '.WHY File Extension' Ransomware is a generic file cryptor developed and operated by cybercriminals looking to extort money from compromised users. It is based on the STOP Ransomware from February 2018, and the new version is named after the most obvious change in the threat: the new file marker '.WHY.' The '.WHY File Extension' Ransomware was reported on August 21st, 2018 and appears to arrive on computers via spam emails that include a corrupted text file. The threat is programmed to delete the Shadow Volume snapshots in Windows and encipher data using a personalized AES cipher. The targeted data encompasses photos, music records, office documents, videos, eBook libraries and databases. The files on the local disks are overwritten with their encrypted counterparts, and a ransom note is dropped to the desktop. We have seen the '.WHY File Extension' Ransomware present the ransom message as '!!!WHY_MY_FILES_NOT_OPEN!!!.txt,' which reads:

'Attention!
All your files, documents, photos, databases and other important files are encrypted and have the extension: .WHY
The only method of recovering files is to purchase an decrypt software and unique private key.
After purchase you will start decrypt software, enter your unique private key and it will decrypt all your data.
Only we can give you this key and only we can recover your files.
You need to contact us by e-mail BM-2cUm1HG5NFf9fYMhPzLhjoBdXqde26iBm2@bitmessage.ch send us your personal ID and wait for further instructions.
For you to be sure, that we can decrypt your files - you can send us a 1-3 any not very big encrypted files and we will send you back it in a original form FREE.
Price for decryption $600.
This price avaliable if you contact us first 72 hours.
E-mail address to contact us:
BM-2cUm1HG5NFf9fYMhPzLhjoBdXqde26iBm2@bitmessage.ch
Reserve e-mail address to contact us:
decryptionwhy@india.com
Your personal id:
[40 random characters]'

As mentioned above, the encrypted files carry the '.WHY' suffix, so a file like 'Lele Pons-Celoso.mp3' is renamed to 'Lele Pons-Celoso.mp3.WHY.' The infected machines should remain fully operational, but the user's content is rendered inaccessible. The threat actors may use accounts like 'decryptionwhy@india.com' and 'BM-2cUm1HG5NFf9fYMhPzLhjoBdXqde26iBm2@bitmessage.ch' to offer decryption services in exchange for $350 and more in Bitcoin. The '.WHY File Extension' Ransomware uses the same encryption standards as the KEYPASS Ransomware, and it is impossible to recover the encrypted data without the proper key and decoder. It is recommended to remove the '.WHY File Extension' Ransomware with the help of a credible anti-malware tool and to rebuild your file structure safely from backups using a backup manager.
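The following is an added example, not code from this entry or from the threat itself: a small defender-side triage script that uses only the indicators described above (the '.WHY' suffix, the '!!!WHY_MY_FILES_NOT_OPEN!!!.txt' note and the contact addresses it quotes) to inventory encrypted files, recover their original names for a restore-from-backup list, and pull the victim ID and contact addresses out of any dropped note. The sample directory, file contents and 40-character ID it builds are constructed for the demo.

```python
import re
import tempfile
from pathlib import Path

# Indicators the entry above attributes to the '.WHY File Extension' Ransomware.
ENCRYPTED_SUFFIX = ".WHY"
NOTE_NAME = "!!!WHY_MY_FILES_NOT_OPEN!!!.txt"
CONTACT_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")   # e-mail / Bitmessage addresses
ID_RE = re.compile(r"Your personal id:\s*([A-Za-z0-9]{40})", re.IGNORECASE)

def original_name(path: Path):
    """Recover the pre-encryption filename by stripping the appended '.WHY' marker."""
    name = path.name
    if name.endswith(ENCRYPTED_SUFFIX) and len(name) > len(ENCRYPTED_SUFFIX):
        return path.with_name(name[: -len(ENCRYPTED_SUFFIX)])
    return None

def parse_note(text: str) -> dict:
    """Pull the contact addresses and the 40-character victim ID out of a dropped note."""
    match = ID_RE.search(text)
    return {"contacts": sorted(set(CONTACT_RE.findall(text))),
            "personal_id": match.group(1) if match else None}

def triage(root: Path) -> dict:
    """Walk a tree: list '.WHY' files with their recoverable original names, parse any notes."""
    report = {"encrypted": [], "notes": []}
    for p in sorted(root.rglob("*")):        # sorted: rglob order is not guaranteed
        if not p.is_file():
            continue
        if p.name == NOTE_NAME:
            note = parse_note(p.read_text(encoding="utf-8", errors="replace"))
            report["notes"].append({"path": str(p), **note})
        elif (orig := original_name(p)) is not None:
            report["encrypted"].append({"path": str(p), "original": str(orig)})
    return report

def demo() -> dict:
    """Build a constructed victim directory (sample data, not a real infection) and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "Music").mkdir()
        (root / "Music" / "Lele Pons-Celoso.mp3.WHY").write_bytes(b"\x00" * 16)
        (root / "report.docx.WHY").write_bytes(b"\x00" * 16)
        (root / "untouched.txt").write_text("plaintext file that must not be reported")
        (root / NOTE_NAME).write_text(
            "All your files ... have the extension: .WHY\n"
            "E-mail address to contact us:\nBM-2cUm1HG5NFf9fYMhPzLhjoBdXqde26iBm2@bitmessage.ch\n"
            "Reserve e-mail address to contact us:\ndecryptionwhy@india.com\n"
            "Your personal id:\n0123456789ABCDEF0123456789ABCDEF01234567\n")  # constructed ID
        return triage(root)
```

The original-name list is what you hand to the backup restore; the parsed note fields are what you feed into blocklists and incident tickets.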
