Devices infected by the Zxcvb Ransomware will have their data encrypted: affected users or companies lose access to the documents, PDFs, images, archives, databases and other files stored on every breached device. The threat actors then use the locked data as leverage to extort money from their victims. The behavior and code of the Zxcvb Ransomware show that it is a variant belonging to the Dharma malware family.
In typical Dharma fashion, whenever Zxcvb encrypts a file, it also changes that file's name. The threat first appends an ID string generated specifically for the victim, then an email address ('firstname.lastname@example.org'), and finally the new extension '.zxcvb'. The ransom note is delivered to the infected system in two forms: the main message is displayed in a pop-up window, while a much shorter note is dropped as a text file named 'FILES ENCRYPTED.txt'.
Both messages state that the encrypted data can be restored, but that victims must first contact the attackers. The exact ransom amount is not mentioned. The hackers do, however, leave a secondary email address for communication, 'email@example.com'.
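The rename pattern described above (victim ID, then contact email, then the '.zxcvb' extension) and the dropped 'FILES ENCRYPTED.txt' note are the indicators a responder can check a file listing for. The following triage helper is an added example, not code from the original write-up or from any vendor; it assumes the Dharma-style layout `<original name>.id-<ID>.[<email>].zxcvb` (the page only states the order of the components, so the separators are an assumption) and runs over a constructed sample listing.

```python
import re

# Assumed layout of a renamed file, in the order the description gives:
#   <original name>.id-<victim ID>.[<attacker email>].zxcvb
# The ".id-" prefix and the square brackets around the email are an assumption;
# the page itself only states the order ID -> email -> '.zxcvb' extension.
ZXCVB_NAME = re.compile(
    r"""^(?P<original>.+?)                 # original file name, including its real extension
        \.id-(?P<victim_id>[A-Za-z0-9-]+)   # per-victim ID string
        \.\[(?P<email>[^\]\s]+@[^\]\s]+)\]  # attacker contact address in brackets
        \.zxcvb$                            # extension appended by the threat
    """,
    re.VERBOSE,
)

# Name of the shorter ransom note dropped as a text file (from the description).
RANSOM_NOTE_NAME = "FILES ENCRYPTED.txt"

# Constructed sample directory listing for the example; not real incident data.
SAMPLE_LISTING = [
    "report.pdf.id-1A2B3C4D.[firstname.lastname@example.org].zxcvb",
    "photos.zip.id-1A2B3C4D.[firstname.lastname@example.org].zxcvb",
    "budget.xlsx",            # untouched file
    "FILES ENCRYPTED.txt",    # dropped ransom note
    "notes.txt.zxcvb",        # has the extension but not the ID/email pattern
]


def parse_zxcvb_name(name):
    """Split a renamed file into its components, or return None if it does not match."""
    match = ZXCVB_NAME.match(name)
    return match.groupdict() if match else None


def triage(file_names):
    """Summarise Zxcvb indicators found in a directory listing.

    Returns the number of renamed files, the victim IDs and contact addresses
    seen in them, the recoverable original names, and whether the note is present.
    """
    hits = [h for h in (parse_zxcvb_name(n) for n in file_names) if h]
    return {
        "encrypted_count": len(hits),
        "victim_ids": sorted({h["victim_id"] for h in hits}),
        "contact_emails": sorted({h["email"] for h in hits}),
        "original_names": [h["original"] for h in hits],
        "ransom_note_present": RANSOM_NOTE_NAME in file_names,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LISTING).items():
        print(f"{key}: {value}")
```

The victim ID and contact address recovered by `triage` are what a responder would record and correlate across hosts; a single ID shared by many machines indicates one infection campaign rather than separate intrusions. The `original_names` list is useful for scoping what was encrypted, since the threat leaves the original name and extension intact in front of the appended components.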
The instructions shown in the pop-up window are:
'YOUR FILES ARE ENCRYPTED
Don't worry,you can return all your files!
If you want to restore them, follow this link:email firstname.lastname@example.org YOUR ID -
If you have not been answered via the link within 12 hours, write to us by e-mail:email@example.com
Do not rename encrypted files.
Do not try to decrypt your data using third party software, it may cause permanent data loss.
Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.
The message dropped as a text file is:
all your data has been locked us
You want to return?
write email firstname.lastname@example.org or email@example.com'