YUFL Ransomware
The YUFL Ransomware is a potent crypto locker malware that aims to sneak onto the victims' computers and lock them out from using it. The malware achieves this by running an encryption procedure, employing powerful cryptographic algorithms on nearly all of the compromised device files. The hackers will then extort the affected users by demanding to be paid a certain amount of money, using a specific cryptocurrency. After getting the ransom, the criminals promise to send their victims a decryptor program that may potentially restore the encrypted files.
The YUFL Ransomware is not a unique threat; on the contrary, it belongs to one of the most prolific families called the Dharma Ransomware, which spawns new crypto locker malware nearly daily. The hackers behind the YUFL Ransomware have only substituted the default email addresses and the threat's extension. All of the other aspects can be found in the rest of the Dharma Ransomware variants.
When the YUFL Ransomware finishes with a file's encryption, it then proceeds to change the original filename significantly. The threat appends a string of random characters representing the ID of the specific victim, followed by one of the hackers' email addresses - 'yourfiles1@tuta.io,' in this case, and finally '.YUFL' as a new extension. The criminals provide instructions for the affected victims, both as text files dropped in every folder containing encrypted data and as a pop-up window. The text files are named 'FILES ENCRYPTED.txt.'
The text files are brief extremely, simply telling the YUFL Ransomware victims to contact either the aforementioned 'yourfiles1@tuta.io' email address or the secondary one at 'yourfiles1@cock.li.' The set of instructions displayed in the pop-up window is lengthier, but it mostly includes various warnings such as the affected users not changing the names of the encrypted files or using any third-party decryptor tools.
The full text of the message found in the 'FILES ENCRYPTED.txt' files is:
'all your data has been locked us
You want to return?
write email yourfiles1@tuta.io or yourfiles1@cock.li'
The ransom note from the pop-up window is:
'YOUR FILES ARE ENCRYPTED
Don't worry,you can return all your files!
If you want to restore them, follow this link: email yourfiles1@tuta.io YOUR ID C279F237
If you have not been answered via the link within 12 hours, write to us by email:yourfiles1@cock.li
Attention!
Do not rename encrypted files.
Do not try to decrypt your data using third party software, it may cause permanent data loss.
Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a tactic.'
