Wise Ransomware Description
Criminals use the Wise Ransomware, an encryption ransomware Trojan, to take the victims' files hostage. To do this, the Wise Ransomware claims to use a strong encryption algorithm to make the victim's files inaccessible. However, the Wise Ransomware, unlike most encryption ransomware Trojans that use this tactic, simply deletes the victim's files permanently, pretending that they can be recovered. The Wise Ransomware is being distributed in two ways. The first one is by taking advantage of poor passwords on Remote Desktop accounts and the second is through corrupted spam email attachments.
How the Wise Ransomware Carries Out Its Attack
The criminals responsible for the Wise Ransomware will take advantage of vulnerabilities in the victim's computer or their security to install the Wise Ransomware on the targeted PC. Once the Wise Ransomware has been installed, the Wise Ransomware will scan all local drives and network drives for the user-generated files. The Wise Ransomware and threats of this kind target files with the following file extensions in their attacks:
.ebd, .jbc, .pst, .ost, .tib, .tbk, .bak, .bac, .abk, .as4, .asd, .ashbak, .backup, .bck, .bdb, .bk1, .bkc, .bkf, .bkp, .boe, .bpa, .bpd, .bup, .cmb, .fbf, .fbw, .fh, .ful, .gho, .ipd, .nb7, .nba, .nbd, .nbf, .nbi, .nbu, .nco, .oeb, .old, .qic, .sn1, .sn2, .sna, .spi, .stg, .uci, .win, .xbk, .iso, .htm, .html, .mht, .p7, .p7c, .pem, .sgn, .sec, .cer, .csr, .djvu, .der, .stl, .crt, .p7b, .pfx, .fb, .fb2, .tif, .tiff, .pdf, .doc, .docx, .docm, .rtf, .xls, .xlsx, .xlsm, .ppt, .pptx, .ppsx, .txt, .cdr, .jpe, .jpg, .jpeg, .png, .bmp, .jiff, .jpf, .ply, .pov, .raw, .cf, .cfn, .tbn, .xcf, .xof, .key, .eml, .tbb, .dwf, .egg, .fc2, .fcz, .fg, .fp3, .pab, .oab, .psd, .psb, .pcx, .dwg, .dws, .dxe, .zip, .zipx, .7z, .rar, .rev, .afp, .bfa, .bpk, .bsk, .enc, .rzk, .rzx, .sef, .shy, .snk, .accdb, .ldf, .accdc, .adp, .dbc, .dbx, .dbf, .dbt, .dxl, .edb, .eql, .mdb, .mxl, .mdf, .sql, .sqlite, .sqlite3, .sqlitedb, .kdb, .kdbx, .1cd, .dt, .erf, .lgp, .md, .epf, .efb, .eis, .efn, .emd, .emr, .end, .eog, .erb, .ebn, .ebb, .prefab, .jif, .wor, .csv, .msg, .msf, .kwm, .pwm, .ai, .eps, .abd, .repx, .oxps, .dot.
The Wise Ransomware will delete these files from the victim's computer completely after searching for these file types. Other encryption ransomware Trojans will use the AES or RSA encryptions to make the files inaccessible. Once the victim's files have been deleted, the Wise Ransomware will deliver a ransom note, claiming that the files can be recovered. The Wise Ransomware targets the user-generated files and avoids Windows system files because the criminals are looking to monetize their attack, and require the victims to b still able to use their computers to make a payment and contact the criminals (which would not be possible if the victim's operating system is not working anymore).
The Wise Ransomware's Ransom Note
The Wise Ransomware delivers its ransom message in an HTA program window. This window is displayed on the victim's computer as a simple message on a black background. The window is titled 'OPS' and exhibits the following message to the victim:
all your files are encrypted or deleted.To get the decryption key enter in the following teamspeak 3 server ---> surrent.ts5.es'
The criminals attempt to convince the victim to contact them using TeamSpeak. The main recommendation from malware researchers in the case of a ransomware infection is not to contact the criminals or attempt to pay any ransom. While, in most cases, the criminals have no intention of helping the victim recover the files (even if they have the encryption key needed to restore the encrypted files), in this case, there is no way to restore the files deleted from the targeted computer.
Dealing with the Wise Ransomware
The best course of action is to recover your files from file backups. Because of this, file backups are the best protection against threats like the Wise Ransomware. Having copies of your files stored on safe locations means that you can restore the compromised files after removing the Wise Ransomware with a security program.