Again Ransomware


A new ransomware strain has been spotted in the wild. The new strain is called Again ransomware and appears to be based on Babuk ransomware code.

The Again ransomware will encrypt files on the system it is deployed on. The encrypted files will become unreadable and will be renamed to include the ".again" extension. This means a file that was formerly named "document.txt" will turn into "document.txt.again" once encryption is over.

Affected file types include non-Windows executables, documents, archives and media files.

The ransom note is deposited inside a plain text file named "How To Restore Your Files.txt". The contents of the text file are very brief and go as follows:


To contact visit website hxxp://[onion address string].onion, your chat token: [alphanumeric string]

Visiting the included Tor address brings up a page with a message box and a "Send Message" button, evidently intended as the only line of contact with the ransomware's operators. Of course, negotiating with criminals is never a great idea and you would be better off restoring your files from offline backups.
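The two host indicators described above (the ".again" suffix and the note file name) can be swept for across a volume or file share during triage, which also yields the original file names to match against backups. This is an added example, not code from the original write-up; the note-content pattern, the function names and the sample tree are assumptions constructed for illustration.

```python
import os
import re
from collections import defaultdict

EXT = ".again"                                # extension stated in the write-up
NOTE_NAME = "How To Restore Your Files.txt"   # note file name stated in the write-up
# Assumed note shape, based on the quoted text: an .onion URL, then a chat token.
NOTE_RE = re.compile(r"\.onion\b.*chat token", re.I | re.S)

def triage(root):
    """Walk root and collect Again indicators per directory."""
    report = defaultdict(lambda: {"encrypted": [], "note": False, "note_matches": False})
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(EXT) and len(name) > len(EXT):
                # Keep the pre-encryption name so it can be matched to a backup.
                report[dirpath]["encrypted"].append(name[:-len(EXT)])
            elif name.lower() == NOTE_NAME.lower():
                entry = report[dirpath]
                entry["note"] = True
                try:
                    with open(os.path.join(dirpath, name), errors="replace") as fh:
                        entry["note_matches"] = bool(NOTE_RE.search(fh.read(4096)))
                except OSError:
                    pass  # an unreadable note still counts as a name hit
    return dict(report)

def summarize(report):
    """Roll the per-directory findings up into one verdict."""
    enc = sum(len(e["encrypted"]) for e in report.values())
    notes = sum(1 for e in report.values() if e["note"])
    confirmed = sum(1 for e in report.values() if e["note_matches"])
    # "likely" only when renamed files and a matching note are both present.
    verdict = "likely" if enc and confirmed else "possible" if enc or notes else "clean"
    return {"encrypted_files": enc, "notes": notes,
            "confirmed_notes": confirmed, "verdict": verdict}

def build_sample(root):
    """Constructed sample tree (not real victim data) for a dry run."""
    docs = os.path.join(root, "docs")
    os.makedirs(docs)
    for n in ("document.txt.again", "photo.jpg.again", "untouched.txt"):
        open(os.path.join(docs, n), "wb").close()
    with open(os.path.join(docs, NOTE_NAME), "w") as fh:
        fh.write("To contact visit website hxxp://[placeholder].onion, "
                 "your chat token: [placeholder]")
```

A "possible" verdict means only one indicator was seen, for example files that happen to end in ".again" with no note nearby, and should be checked by hand before being treated as an infection.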

July 11, 2022