Zasifrovano Zaplat Ransomware Description
The Zasifrovano Zaplat Ransomware is a ransomware threat that belongs to the growing Xorist family. Judging by the language of its ransom notes, it is aimed at users located in the Czech Republic. When the Zasifrovano Zaplat Ransomware compromises a computer, it encrypts the most widely used file types stored on it, effectively cutting users off from their own private or business files. The threat appends '.zasifrovano zaplat' to the end of every encrypted file's original filename. The ransom note is dropped both as a text file named 'HOW TO DECRYPT FILES.txt' in every folder containing locked data and as a pop-up window.
Translating the ransom note reveals that the hackers also try to scare their victims further. They state that the ransomware was installed on the computer after a visit to a porn website and that, having accessed the computer's webcam, they now possess an incriminating video. If their demands are not met, the video will be sent to all of the victim's email, Viber, WhatsApp, and Facebook contacts. What exactly do the hackers want? A payment of 0.0356 BTC, to be sent no later than 72 hours after the Zasifrovano Zaplat Ransomware infection began. Because Bitcoin's price fluctuates considerably, the criminals provide their own exchange rate of 1 BTC = 118 000 CZK (around $5100).
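The two indicators above, the appended '.zasifrovano zaplat' extension and the 'HOW TO DECRYPT FILES.txt' note, are enough to scope an infection. The following triage script is an added example (not code from the page or from any vendor tool): it walks a directory tree, lists encrypted files and ransom notes, recovers each file's original name, and flags folders that hold a note but no encrypted files. The sample tree it builds is constructed for the demonstration.

```python
import os
import tempfile
from pathlib import Path

# Indicators taken from the description above.
ENCRYPTED_SUFFIX = ".zasifrovano zaplat"
NOTE_NAME = "HOW TO DECRYPT FILES.txt"


def original_name(filename: str):
    """Return the filename as it was before encryption, or None if it is not an encrypted file."""
    if filename.endswith(ENCRYPTED_SUFFIX) and len(filename) > len(ENCRYPTED_SUFFIX):
        return filename[: -len(ENCRYPTED_SUFFIX)]
    return None


def triage(root) -> dict:
    """Walk a tree and collect encrypted files, ransom notes and the folders they touch."""
    encrypted, notes = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            if name == NOTE_NAME:
                notes.append(path)
            elif original_name(name) is not None:
                encrypted.append(path)
    affected = {p.parent for p in encrypted}
    # A note with no encrypted files beside it suggests an interrupted run or files moved afterwards.
    note_only = {p.parent for p in notes} - affected
    return {
        "encrypted": sorted(encrypted),
        "notes": sorted(notes),
        "affected_dirs": sorted(affected),
        "note_only_dirs": sorted(note_only),
    }


def demo() -> dict:
    """Build a constructed sample tree in a temp dir and triage it (sample data, not a real capture)."""
    base = Path(tempfile.mkdtemp())
    (base / "docs").mkdir()
    (base / "docs" / ("report.docx" + ENCRYPTED_SUFFIX)).write_bytes(b"\x00" * 16)
    (base / "docs" / ("budget.xlsx" + ENCRYPTED_SUFFIX)).write_bytes(b"\x00" * 16)
    (base / "docs" / NOTE_NAME).write_text("ransom note placeholder")
    (base / "photos").mkdir()
    (base / "photos" / NOTE_NAME).write_text("ransom note placeholder")
    (base / "clean").mkdir()
    (base / "clean" / "notes.txt").write_text("untouched")
    return triage(base)


if __name__ == "__main__":
    r = demo()
    print(f"{len(r['encrypted'])} encrypted files in {len(r['affected_dirs'])} folder(s); "
          f"{len(r['notes'])} ransom notes; note-only folders: {[p.name for p in r['note_only_dirs']]}")
```

The recovered names from original_name() are what a restore from backup or a Xorist decryptor run should produce, so they double as a checklist for verifying recovery.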
The original text of the Zasifrovano Zaplat Ransomware's note:
'Ahoj, Naposledy jste navštívili Porno stránky s dospívajícími, stáhli jste a nainstalovali software, který jsem vytvořil. Můj program zapnul fotoaparát a zaznamenal proces vaší masturbace. Můj software také popadl všechny vaše e-mailové seznamy kontaktů a seznam vašich přátel na Facebooku, Skypu, Whatsapp, Viber. Mám - - s vámi masturbuje na teenageři, stejně jako soubor se všemi kontakty na mém počítači. Jste velmi zvrhlí! Pokud chcete, abych odstranil oba soubory a uchoval tajemství, musíte mi poslat platbu Bitcoinem. Dávám vám 72 hodin na platbu. Pokud nevíte, jak s Bitcoinem platit, hxxps://client.simplecoin.eu/cs. Přeneste 9000 CZK (0,0356 BTC) na tuto adresu Bitcoin co nejdříve: 1i7A52rNThnnFpxVsBCzAwW6z4G55Q5Rg (kopírování a vkládání) 1 BTC = 118.000 CZK právě teď, takže odešlete přesně 0,0356 BTC na výše uvedenou adresu. Nesnaž se mě podvádět! Jakmile otevřete tento e-mail, budu vědět, že jste jej otevřeli. Sleduji všechny akce ve vašem zařízení. 72 hodin.'
The translated version is:
'Hi, The last time you visited a Teen Porn Site, you downloaded and installed software that I created. My program turned on the camera and recorded the process of your masturbation. My software also grabbed all your email contact lists and your friends list on Facebook, Skype, Whatsapp, Viber. I have - - with you - masturbating on a teenager, as well as a file with all the contacts on my computer. You are very perverted! If you want me to delete both files and keep them a secret, you have to send me a payment by Bitcoin. I give you 72 hours to pay. If you don't know how to pay with Bitcoin, hxxps://client.simplecoin.eu/cs. Transfer 9000 CZK (0.0356 BTC) to this Bitcoin address as soon as possible: 1i7A52rNThnnFpxVsBCzAwW6z4G55Q5Rg (copy and paste) 1 BTC = 118.000 CZK right now, so send exactly 0.0356 BTC to the above address. Don't try to cheat on me! Once you open this email, I'll know you opened it. I watch all the actions on your device. 72 hours.'
The ransom note claims that the virus was installed while the victim watched pornography. The message claims the criminals accessed the user’s webcam and recorded compromising videos of them. They promise to delete the video if the payment is sent within 72 hours; otherwise, they will send the video to friends and family of the victim.
This approach is a little different from the standard ransomware approach. In general, ransomware attackers sell victims a decryptor that gives them access to their files again. Zasifrovano Zaplat uses a sextortion tactic.
Please note that the claim is a complete fabrication. The attackers do not possess any such videos of you, and they won’t be able to send them to people you know. The threat is an empty one, designed to scare you into paying the ransom. You should never pay the ransom demands of cybercriminals in any situation. Doing so only encourages them to keep targeting other people, and it is no guarantee that you will get your data back. The good news is that the virus appears to be made with a broken version of Xorist. It may be possible to restore your data using the free Xorist Decryptor tool. If not, then you’ll need to restore your data using a backup.
Ensure that you remove the virus using an antivirus program before putting your files back on the computer. You wouldn’t want to get your data back only to have it encrypted right away again. Removing the virus should always be your first action. Unfortunately, the encrypted files stay encrypted even after you remove the virus, and this step isn’t enough to get them back.
How Does Zasifrovano Zaplat Infect Computers?
Despite what the ransom note claims, the virus didn't get on your computer because you looked at porn. In fact, even people who never view explicit material online can find themselves victims of this virus. Like most other ransomware and malware, Zasifrovano Zaplat has three main infection methods:
The first of these methods is phishing emails. Phishing emails are a popular tactic used by threat actors. This method involves hackers sending emails en masse to mailing lists. The emails are written to appear as if they come from a legitimate source, such as a shipping company. The emails are written to entice people into reading them and interacting with them.
Phishing emails contain either a malicious link or a download. The download file is a Word file, Excel spreadsheet, Zip archive, or something similar. The email tells the reader that they need to download the attachment or follow the link to learn more about a missed package or failed payment. People are infected once they access the downloaded file or embedded link.
Another common distribution method is payload file delivery. Hackers pack the malicious code inside another file and get people to download it directly. These downloads are hidden on freeware websites and other dubious download channels. Microsoft Word and Excel files are the most common carriers: the files contain macros that install the virus, and users are prompted to enable macros when they open the file, infecting themselves in the process. The code can also be hidden inside installer files, so people download and install software from a freeware site without realizing they are also installing a virus.