
Woodrat Ransomware

The Woodrat Ransomware is a unique crypto locker that has not been associated with any of the pre-existing malware families. The Woodrat Ransomware can be considered to be geared primarily against targets located in China, judging by the fact that the ransom note includes a Chinese translation. However, there is also an English version of the text so that the Woodrat Ransomware could infect international users.

The threat operates as typical ransomware: the Woodrat Ransomware encrypts the most widely used file types with a cryptographic algorithm and demands a ransom in exchange for their restoration. It appends '.woodrat' as a new extension to the name of every encrypted file. After the encryption process has been completed, Woodrat drops the note containing instructions for victims in the form of a text file named 'LOCKED_README.txt.'

The criminals provide a detailed list of rather strict demands. Affected users are told to initiate communication by sending an email to the 'woodratofficial@outlook.com' address. The email must contain the specific ID and BIT Key assigned to the victim, both of which can be found inside the 'LOCKED_README.txt' file. In addition, the total number of encrypted files and the exact time that the encryption was completed must also be included. Affected users are then given a choice: they can send the demanded amount immediately or wait for a response from the hackers. Up to four files, which must not exceed a total size of 4MB, can be attached to be decrypted for free. The ransom payment itself must be made in the Monero (XMR) cryptocurrency. The specific amount depends on the time it took the victims to establish contact. The sums range from 1.5 XMR if the infection occurred 1-3 days ago to 3 XMR for 3-to-7 days, and finally, 10 XMR if a month has passed. At the current Monero exchange rate, 1.5 XMR is equal to approximately $170, while 10 XMR is over $1100. The criminals behind the Woodrat Ransomware also threaten that all of the encrypted data will be lost forever if more than a month passes without payment.

The full text of the ransom note dropped by Woodrat Ransomware is:

'Ooops, all your files are encrypted, that means you can't use them for a while!!!

They are not perpmanently lost, for there's a special key to get them back.You can try all the ways you have to decrypted your files, but it's just a waste of time, eventually you will know there's no other way but to contact us for help.

With our help, you could get your files back within a hour, but you need to follow the instructions below :

[1] Send an email to the addr below :

woodratofficial@outlook.com

[2] with content of :

*1 your "ID" & "BIT KEY" located in "LOCKED_README.txt"

*2 The amount of files encrypted and the finish time(I have ways to figure out the finish time, so think twice)

[3] Then, there's two choices :

*1 [recommended] pay us immediately, so we'll help you decrypt as soon as the payment was conformed

*2 wait for our reply(need a lot of time)

* the first method was recommended for you have limited amount of time

* if you'd like to test some files, you can send them to us via mail,but here's the limtation :

* quantity <= 4 and total file size <= 4mb

[*] send xmr to the addr below :

41k9ry6hQUZLJJd9ZEJpPVXNuUVjRNJGkPbroMf XJVf6DsqHfJ6Sro2LHJzr6wuvXwE5kS7c9Azni2F8srmGScU5Fzu9P2C

more detail about xmr purchasing, visit hxxps://www.getmonero.org/ or just use search engine for 'buy xmr'

if you have future questions, it's welcome to send us a mail

[*] here's the price, notice : you only have limited amount of time

=====================================================

= encrypted in 1-3 days - 1.5 xmr to get decrypt =

= encrypted in 3-7 days - 3 xmr to get decrypt =

= encrypted in a month - 10 xmr to get decrypt =

= encrypted over a month - never get decrypt =

=====================================================

哎呀,你所有文件都已加密,这意味着您暂时不能使用它们!!!

它们不会永久丢失,因为有一个特殊的钥匙可以将它们取回。

您可以尝试所有方法来解密文件,但这只是浪费时间,

最终,您将知道别无选择,只能与我们联系以寻求帮助。

在我们的帮助下,您可以在一小时内取回文件,但是您需要按照以下说明进行操作:

[1]向下面的地址发送电子邮件:

woodratofficial@outlook.com

[2]的内容为:

* 1您的 "ID" "BIT KEY" "LOCKED_README.txt"

* 2加密文件的数量和完成时间(我有办法计算出完成时间,所以请三思)

[3]然后,有两个选择:

* 1 [推荐]立即付款给我们,因此我们会在付款成功后帮助您解密

* 2 等待我们的回复(需要很多时间)

* 建议您在时间有限的情况下使用第一种方法

* 如果您想测试某些文件,可以通过邮件将其发送给我们,但这是限制条件:

* 数量<= 4,文件总大小<= 4mb

[*] xmr发送到以下地址:

41k9ry6hQUZLJJd9ZEJpPVXNuUVjRNJGkPbroMf XJVf6DsqHfJ6Sro2LHJzr6wuvXwE5kS7c9Azni2F8srmGScU5Fzu9P2C

有关xmr购买的更多详细信息,请访问hxxps://www.getmonero.org/或仅将搜索引擎用于'购买xmr'

如果您将来有疑问,欢迎给我们发送邮件!

[*]这是价格,请注意:您只有有限的时间

====================================

= 1-3天内加密 -1.5 xmr以获取解密 =

= 3-7天内加密 -3 xmr以获取解密 =

= 每月加密 -10 xmr以获取解密 =

= 加密一个月 -永不解密 =

====================================

ID : -

========start BIT KEY========

-

========end BIT KEY========'

No matter the size of the ransom, experts always recommend against paying it. Cybercriminals are not known for their fairness. They may – and often do – ignore how their victims feel about their situation. Even if they receive the payment, there is no guarantee that they will deliver the key they promise. Paying the ransom rarely yields positive results for the victim, meaning you lose your money on top of your data.

We advise against contacting the criminals at all. Given that there is no public decryption method for WoodRat ransomware, your best bet is restoring files from a data backup.
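To plan a restore from backup, it helps to know which directories hold '.woodrat' files and where 'LOCKED_README.txt' notes were dropped. The Python below is an added example, not part of the original article: it sweeps a directory tree for those two indicators and reads the ID and BIT KEY fields using the marker lines quoted in the note above. The case-insensitive extension match, the sample tree, and the sample ID and key values are constructed assumptions.

```python
import os
import re
import tempfile

ENCRYPTED_EXT = ".woodrat"        # extension described on this page
NOTE_NAME = "LOCKED_README.txt"   # ransom note name described on this page
ID_RE = re.compile(r"^ID[ \t]*:[ \t]*(\S.*)$", re.M)
KEY_RE = re.compile(r"=+start BIT KEY=+\s*(.*?)\s*=+end BIT KEY=+", re.S)

def parse_note(text):
    """Return (victim_id, bit_key); a field that is absent comes back as None."""
    vid, key = ID_RE.search(text), KEY_RE.search(text)
    return (vid.group(1).strip() if vid else None,
            key.group(1).strip() if key else None)

def triage(root):
    """Walk root and summarise Woodrat indicators for restore planning."""
    report = {"encrypted": [], "notes": [], "dirs": set(), "last_write": None}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.lower().endswith(ENCRYPTED_EXT):  # assumption: ignore case
                report["encrypted"].append(path)
                report["dirs"].add(dirpath)
                mtime = os.path.getmtime(path)
                report["last_write"] = max(report["last_write"] or 0, mtime)
            elif name == NOTE_NAME:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    vid, key = parse_note(fh.read())
                report["notes"].append({"path": path, "id": vid,
                                        "key_chars": len(key or "")})
    return report

def build_sample(root):
    """Constructed sample tree: two encrypted files, one clean file, one note."""
    os.makedirs(os.path.join(root, "docs"))
    for rel in ("docs/a.docx.woodrat", "docs/b.xlsx.WOODRAT", "docs/ok.txt"):
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(b"constructed sample bytes")
    note = ("ID : SAMPLE-ID-0001\n\n========start BIT KEY========\n\n"
            "Q09OU1RSVUNURUQ=\n\n========end BIT KEY========\n")
    with open(os.path.join(root, NOTE_NAME), "w", encoding="utf-8") as fh:
        fh.write(note)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        result = triage(tmp)
        print(len(result["encrypted"]), "encrypted;", result["notes"])
```

The `last_write` value is the newest modification time among the encrypted files, which gives an upper bound for choosing a backup snapshot taken before the encryption run.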

Keep in mind that the internet is riddled with threats like WoodRat ransomware. Many malicious programs encrypt information and demand payment from victims; the main differences between the variations are the encryption algorithm and the ransom demand.

As long as ransomware continues to be developed, there will always be a need to create data backups to keep your essential data safe. We recommend storing a backup of your data on an external device or the cloud—the more backups of the data you have, the better. Give yourself as many chances to restore your data as possible to stay safe.

How Does Ransomware Infect Computers?

Ransomware and other malware have several ways to get on your computer. The four main infection vectors are:

  • Integrating with third-party software and freeware
  • Spam email attachments and links
  • Free-hosting providers
  • Pirated software and other peer-to-peer downloads

You may run into WoodRat disguised as a genuine piece of software, such as through a pop-up advertising a critical software update. This is one of the most common ways that fraudsters trick victims into downloading malware such as WoodRat. They trick users into manually downloading and installing it themselves.

Another popular method is to use malspam emails. Criminals send unsolicited emails written to appear genuine. The emails claim to come from an official source, such as a shipping company. They are written to trick users into either accessing a malicious link that installs the virus on their computer, or downloading and running a file attachment that does the same.

Opening such a file or clicking on such a link can do a lot of damage to your computer. Fake software updates such as counterfeit Flash Player updates can infect your computer with WoodRat ransomware. Illegally downloaded software cracks can also install malicious programs instead of – or as well as – activating the software. Another popular infection method is the use of trojan downloads and chain infections. These small viruses have bigger payloads concealed within. They get on your computer and, once inside, install more malicious programs quietly without alerting antivirus software.
