Work Ransomware
The Work Ransomware is an encryption ransomware Trojan that was first observed on December 15, 2017. The Work Ransomware is being delivered to victims of the attack through corrupted email attachments in the form of Microsoft Office documents with corrupted macro scripts enabled. Learning to recognize these tactics is an essential part of avoiding threat attacks like the Work Ransomware.
There's nothing New on the Work Ransomware Attack
The Work Ransomware has numerous variants. Ransomware Trojans like the Work Ransomware use the same tactic to make the victim's files inaccessible with the purpose of demanding a ransom payment in exchange for a decryption key necessary to restore the affected files. The Work Ransomware uses this tactic and does not differ from most ransomware Trojans except in superficial aspects such as how it communicates with its Command and Control servers and the specific email addresses associated with the Work Ransomware attack. The Work Ransomware is designed to compromise the victim's files using a strong encryption algorithm in its infection process. The Work Ransomware targets the user-generated files, which include videos, music, photos, and numerous file types, while avoiding the Windows system files. The Work Ransomware and other ransomware Trojans will target numerous files types in these infections, which include:
.3dm, .3g2, .3gp, .7zip, .aaf, .accdb, .aep, .aepx, .aet, .ai, .aif, .as, .as3, .asf, .asp, .asx, .avi, .bmp, .c, .class, .cpp, .cs, .csv, .dat, .db, .dbf, .doc, .docb, .docm, .docx, .dot, .dotm, .dotx, .dwg, .dxf, .efx, .eps, .fla, .flv, .gif, .h, .idml, .iff, .indb, .indd, .indl, .indt, .inx, .jar, .java, .jpeg, .jpg, .js, .m3u, .m3u8, .m4u, .max, .mdb, .mid, .mkv, .mov, .mp3, .mp4, .mpa, .mpeg, .mpg, .msg, .pdb, .pdf, .php, .plb, .pmd, .png, .pot, .potm, .potx, .ppam, .ppj, .pps, .ppsm, .ppsx, .ppt, .pptm, .pptx, .prel, .prproj, .ps, .psd, .py, .ra, .rar, .raw, .rb, .rtf, .sdf, .sdf, .ses, .sldm, .sldx, .sql, .svg, .swf, .tif, .txt, .vcf, .vob, .wav, .wma, .wmv, .wpd, .wps, .xla, .xlam, .xll, .xlm, .xls, .xlsb, .xlsm, .xlsx, .xlt, .xltm, .xltx, .xlw, .xml, .xqx, .xqx, .zip.
The files encrypted by the Work Ransomware attack can be recognized easily because the Work Ransomware will rename the files with 32 random characters. The Work Ransomware also will add the file extension '.WORK' to the end of each affected file's name. Once a file has been encrypted, Windows Explorer will no longer recognize its type, and it will show up on Windows Explorer as a generic blank icon.
How the Cybercrooks Use the Work Ransomware to Make Money
The Work Ransomware demands a ransom payment in exchange for the decryption key or program needed to restore the victim's files. The Work Ransomware delivers a ransom note in the form of a text file that is dropped on the infected computer's desktop. The Work Ransomware's ransom note, named '_HELP_INSTRUCTION.TXT,' contains the following text:
'Attention! All Your data was encrypted!
For specific informartion, please send us an email with Your ID number:
worknow@keemail.me
worknow@protonmail.com
worknow8@yandex.com
worknow9@yandex.com
worknow@techie.com
Please send email to all email addresses! We will help You as soon as possible!
IMPORTANT: DO NOT USE ANY PUBLIC SOFTWARE! IT MAY DAMAGE YOUR DATA FOREVER!'
Computer users should ignore the Work Ransomware ransom note and refrain from contacting the people responsible for the Work Ransomware attack. Instead of following the instructions in the Work Ransomware's ransom note, computer users should restore their files from a backup copy. File backups mean that computer users can restore their files relatively easily without having to pay the Work Ransomware ransom. In fact, having file backups is the best protection against ransomware Trojans like the Work Ransomware, and combined with the use of a trustworthy security program that is fully up-to-date, can protect victims' data from these attacks completely.
