Demon Ransomware Uses Terse Ransom Note


Demon ransomware is the name of a newly discovered ransomware variant. While there is no hard evidence that it belongs to any larger ransomware family, some antivirus products are detecting it as a variant of the Babuk family, which suggests it may be reusing chunks of Babuk code.

Demon works predictably, encrypting the victim system and leaving most files on it unopenable. Once the ransomware encrypts a file, it appends the ".demon" extension to the file name. A file named "document.doc" becomes "document.doc.demon" once it has been fully encrypted.

The encryption process will affect most file types and extensions, including document, media, archive and database files.

The ransomware deposits its ransom note inside a plain text file with the name "How To Recover Your Files.txt". The full contents of the ransom note are as follows:

Don't worry my friend, you can return all your files!

All your files like photos, databases, documents and other important are encrypted with strongest encryption and The only method of recovering files is to purchase decrypt tool and unique key for you.

This software will decrypt all your encrypted files.

Price of private key and decrypt software is 1.5 BTC.

Wallet address: [alphanumeric string]

To get this software you need write on our e-mail: demonInfo at protonmail dot com

Reserve e-mail address to contact us: demonInfo at protonmail dot com
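The appended ".demon" extension and the fixed ransom note file name described above can be used to measure how far the encryption reached on a host or file share. The following triage sketch is an added example, not part of the original article; the function names and the sample directory layout are constructed for illustration, and only the extension and note file name come from the text.

```python
import os
import tempfile
from collections import defaultdict

# Indicators taken from the article text.
ENCRYPTED_SUFFIX = ".demon"
NOTE_NAME = "How To Recover Your Files.txt"

def triage(root):
    """Walk root; return ransom note paths, original names per directory, unreadable dirs."""
    report = {"notes": [], "encrypted": defaultdict(list), "errors": []}

    def on_error(exc):
        # Record directories that could not be read instead of aborting the scan.
        report["errors"].append(exc.filename)

    for dirpath, _dirs, files in os.walk(root, onerror=on_error):
        for name in files:
            lower = name.lower()
            if lower == NOTE_NAME.lower():
                report["notes"].append(os.path.join(dirpath, name))
            elif lower.endswith(ENCRYPTED_SUFFIX) and len(name) > len(ENCRYPTED_SUFFIX):
                # The extension is appended, so stripping it yields the original name,
                # which can be matched against backups or file inventories.
                report["encrypted"][dirpath].append(name[: -len(ENCRYPTED_SUFFIX)])
    report["encrypted"] = dict(report["encrypted"])
    return report

def build_sample_tree(root):
    """Constructed sample data: empty files that only mimic the naming pattern."""
    layout = {
        "docs": ["document.doc.demon", "notes.txt", NOTE_NAME],
        "media": ["photo.JPG.DEMON", "clip.mp4"],
        "clean": ["readme.md"],
    }
    for sub, names in layout.items():
        os.makedirs(os.path.join(root, sub))
        for name in names:
            open(os.path.join(root, sub, name), "w").close()

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        result = triage(tmp)
        print("ransom notes:", result["notes"])
        for directory, originals in sorted(result["encrypted"].items()):
            print(directory, "->", sorted(originals))
```

Directories listed under "encrypted" give the set of files to restore from backup, and any entries under "errors" mark locations that still need a manual check.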

September 14, 2022