YOLO Ransomware

The YOLO Ransomware is an encryption ransomware Trojan that was first observed on January 31, 2019. The YOLO Ransomware is related to the Jigsaw family of ransomware Trojans and carries out an attack typical of this family of malware. The YOLO Ransomware is typically delivered to the victims through spam email messages and social engineering techniques and is designed to take the victims' data hostage to then demand a ransom payment.

How the YOLO Ransomware Attack Works

The YOLO Ransomware uses a strong encryption algorithm to make the victim's files inaccessible. The YOLO Ransomware targets the user-generated files, which may include a variety of media files, document types, databases, configuration files and other data containers. The YOLO Ransomware target the following files in the attacks:

.jpg, .jpeg, .raw, .tif, .gif, .png, .bmp, .3dm, .max, .accdb, .db, .dbf, .mdb, .pdb, .sql, .dwg, .dxf, .cpp, .cs, .h, .php, .asp, .rb, .java, .jar, .class, .py, .js, .aaf, .aep, .aepx, .plb, .prel, .prproj, .aet, .ppj, .psd, .indd, .indl, .indt, .indb, .inx, .idml, .pmd, .xqx, .xqx, .ai, .eps, .ps, .svg, .swf, .fla, .as3, .as, .txt, .doc, .dot, .docx, .docm, .dotx, .dotm, .docb, .rtf, .wpd, .wps, .msg, .pdf, .xls, .xlt, .xlm, .xlsx, .xlsm, .xltx, .xltm, .xlsb, .xla, .xlam, .xll, .xlw, .ppt, .pot, .pps, .pptx, .pptm, .potx, .potm, .ppam, .ppsx, .ppsm, .sldx, .sldm, .wav, .mp3, .aif, .iff, .m3u, .m4u, .mid, .mpa, .wma, .ra, .avi, .mov, .mp4, .3gp, .mpeg, .3g2, .asf, .asx, .flv, .mpg, .wmv, .vob, .m3u8, .dat, .csv, .efx, .sdf, .vcf, .xml, .ses, .qbw, .qbb, .qbm, .qbi, .qbr , .cnt, .des, .v30, .qbo, .ini, .lgb, .qwc, .qbp, .aif, .qba, .tlg, .qbx, .qby , .1pa, .qpd, .txt, .set, .iif, .nd, .rtp, .tlg, .wav, .qsm, .qss, .qst, .fx0, .fx1, .mx0, .fpx, .fxr, .fim, .ptb, .ai, .pfb, .cgn, .vsd, .cdr, .cmx, .cpt, .csl, .cur, .des, .dsf, .ds4, , .drw, .eps, .ps, .prn, .gif, .pcd, .pct, .pcx, .plt, .rif, .svg, .swf, .tga, .tiff, .psp, .ttf, .wpd, .wpg, .wi, .raw, .wmf, .txt, .cal, .cpx, .shw, .clk, .cdx, .cdt, .fpx, .fmv, .img, .gem, .xcf, .pic, .mac, .met, .pp4, .pp5, .ppf, .nap, .pat, .ps, .prn, .sct, .vsd, .wk3, .wk4, .xpm, .zip, .rar.

The YOLO Ransomware attack changes the files by marking them with the file extension '.YOLO' added to the file's name. The YOLO Ransomware delivers a ransom note with the following text:

'Greeting and salutations, Blue Team.
Your personal files are deleting. Your company intellectual property is belonging to us now...
But, Red Team is not being so hearless. It will only happen if you don't pay ransom.
However we has encrypting so as not you can access them.
Every 10 minutes we are selects some of them to deleted permanently, therefore we cannot accessing them, either.
While Red Team is being merciful, Red Team is not without limiting patience.
We starts out slowness then increasing delted files every 10 minutes.
This is to be helping you with the decision to pay ransom and recover datas.
the next a few hundred, and a few thousand, and so on. You are getting the breeze, no?
If you are turning off your computer or closing window, when malware start next time we will 1000 files deleted as way of punishmenting you.
You wil be wanting malware to start next time, since only way that is capable to decrypting your personal datas for you.
Please be sending all payments to redteam@yolosecfamework.com'

Dealing with the YOLO Ransomware

Contacting the criminals or assigning any importance to the references to 'blue' and 'red' teams mentioned in the YOLO Ransomware's ransom note is something not recommended. As with most encryption ransomware Trojans, the most effective recovery means are to have backup copies of all data and to store these backups on not connected devices. A security program should be used to prevent the YOLO Ransomware from being installed or remove it (although this will not restore any encrypted data).