WORM Ransomware
A new threat classified as ransomware has been detected in the wild. Named the WORM Ransomware, it aims to lock multiple file types with an uncrackable encryption algorithm. Victims will then be unable to access any of the affected data losing a large portion of their personal or business-related files effectively.
Analysis of the WORM Ransomware shows that the threat is variant from the Dharma Ransomware family. As such, it follows the typical Dharma behavior rather closely. The threat generates a specific ID string for the compromised device and attaches it to the original names of all encrypted files. It then appends an email under the control of the hackers followed by its unique file extension. In this case, the email address is 'psworm@keemail.me' and the file extension is '.WORM.'
Finally, the threat will deliver two ransomware notes. One will be placed inside a newly created file named 'WORM_MANUAL.txt.' The other will be displayed on the screen of the infected system as a pop-up window.
WORM Ransomware's Demands
Opening the text file reveals a very brief set of instructions. The message inside simply directs users to establish contact with the attackers by messaging the two provided email addresses - 'psworm@keemail.me' or 'psworm@onionmail.org.'
The proper ransom note is presented in the pop-up window. It clarifies that the main email is the one found in the names of the encrypted files. The secondary address should be used only if 24 hours pass without users receiving an answer from the hackers. The second half of the note is taken up by a multitude of warnings. WORM warns its victims that changing the names of the locked files or trying to unlock them with third-party software tools could cause irreparable damage.
The full text of the ransom note is:
'WORM TEAM
YOUR FILES ARE ENCRYPTED
Don't worry, you can return all your files!
If you want to restore them, write to the mail: psworm@keemail.me YOUR ID -
If you have not answered by mail within 24 hours, write to us by another mail:psworm@onionmail.orgATTENTION
WORM TEAM does not recommend contacting agent to help decode the data
Do not rename encrypted files.
Do not try to decrypt your data using third party software, it may cause permanent data loss.
Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.The message delivered via text file is:
All your data has been locked us
You want to return?
write email psworm@keemail.me or psworm@onionmail.org.'
