Ahui Ransomware Will Lock Your System


During our examination of malware samples, we encountered Ahui, a type of ransomware belonging to the Djvu family. Ahui functions by encrypting files and appending a new extension (".ahui") to their filenames, thereby preventing access. Additionally, it generates a ransom note called "_readme.txt" that carries the attackers' demands and contact details.

To illustrate, Ahui alters file names in the following way: "1.jpg" becomes "1.jpg.ahui," "2.png" becomes "2.png.ahui," and so forth. It is worth noting that Djvu family ransomware often coexists with information-stealing malware such as Vidar and RedLine.

According to the ransom note, the victim's files, including images, databases, documents, and other critical data, have been encrypted using a powerful encryption algorithm and a unique key. The only means of recovering these files is by purchasing a decryption tool and acquiring the corresponding unique key. Allegedly, this software can decrypt all the encrypted files.

To instill a sense of confidence, the ransomware operators offer a guarantee. The victim is urged to send one encrypted file, which will be decrypted at no cost. However, this offer only applies to a single file that does not contain valuable information.

The cost of obtaining the private key and decryption software is specified as $980. Nevertheless, if the victim contacts the operators within the initial 72-hour period, a 50% discount is provided, reducing the price to $490. The note emphasizes that failing to make the payment will render data restoration impossible.

To acquire the decryption software, the victim is instructed to contact the attackers via email at support@freshmail.top. In case of any complications, an alternative email address, datarestorehelp@airmail.cc, is provided as a backup communication channel.
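As an added example that is not part of the original article, the following Python helper applies the indicators described above (the ".ahui" suffix, the "_readme.txt" note and its two contact addresses) to a constructed snapshot of a file listing, recovering the original filenames and flagging directories in which a note was dropped. The snapshot contents and function names are assumptions of this example, not data from the write-up.

```python
import re
from collections import defaultdict

# Indicators taken from the Ahui write-up: appended extension, note name
# and the two contact addresses quoted in the note.
AHUI_EXTENSION = ".ahui"
NOTE_NAME = "_readme.txt"
KNOWN_CONTACTS = {"support@freshmail.top", "datarestorehelp@airmail.cc"}
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

def original_name(name):
    """Undo the rename Ahui performs: "1.jpg.ahui" -> "1.jpg". None if not renamed."""
    if name.lower().endswith(AHUI_EXTENSION) and len(name) > len(AHUI_EXTENSION):
        return name[:-len(AHUI_EXTENSION)]
    return None

def triage(snapshot):
    """snapshot maps path -> file text (None for non-text files).
    Returns, per directory that shows Ahui indicators, the recovered
    original filenames, whether a note was dropped, and which of the
    known contact addresses the note contains."""
    findings = defaultdict(lambda: {"encrypted": [], "note": False, "contacts": set()})
    for path, content in snapshot.items():
        directory, _, name = path.rpartition("/")
        entry = findings[directory]
        if name == NOTE_NAME:
            entry["note"] = True
            if content:
                entry["contacts"] |= set(EMAIL_RE.findall(content)) & KNOWN_CONTACTS
        else:
            recovered = original_name(name)
            if recovered:
                entry["encrypted"].append(recovered)
    # Keep only directories where something Ahui-like was observed.
    return {d: f for d, f in findings.items() if f["encrypted"] or f["note"]}

# Constructed sample snapshot (not real victim data).
SAMPLE_SNAPSHOT = {
    "C:/Users/victim/Pictures/1.jpg.ahui": None,
    "C:/Users/victim/Pictures/2.png.ahui": None,
    "C:/Users/victim/Pictures/_readme.txt": (
        "ATTENTION!\nTo get this software you need write on our e-mail:\n"
        "support@freshmail.top\nReserve e-mail address to contact us:\n"
        "datarestorehelp@airmail.cc\n"
    ),
    "C:/Users/victim/Documents/report.docx": None,   # untouched file
    "C:/Windows/System32/kernel32.dll": None,        # system file, not renamed
}

if __name__ == "__main__":
    for directory, finding in triage(SAMPLE_SNAPSHOT).items():
        print(directory, finding)
```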

Ahui Ransom Note Follows Standard Djvu Practices

The full text of the Ahui ransom note reads as follows:

ATTENTION!

Don't worry, you can return all your files!
All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key.
The only method of recovering files is to purchase decrypt tool and unique key for you.
This software will decrypt all your encrypted files.
What guarantees you have?
You can send one of your encrypted file from your PC and we decrypt it for free.
But we can decrypt only 1 file for free. File must not contain valuable information.
You can get and look video overview decrypt tool:
hxxps://we.tl/t-sLaQRb9N6e
Price of private key and decrypt software is $980.
Discount 50% available if you contact us first 72 hours, that's price for you is $490.
Please note that you'll never restore your data without payment.
Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours.

To get this software you need write on our e-mail:
support@freshmail.top

Reserve e-mail address to contact us:
datarestorehelp@airmail.cc

Your personal ID:

How Can Ransomware Like Ahui Infiltrate Your System?

The infiltration of ransomware like Ahui can occur through various methods. Here are some common ways ransomware can infect a system:

  • Email attachments: Ransomware operators may distribute malicious attachments through phishing emails. These emails often appear legitimate and may trick users into opening the attachment, which contains the ransomware payload. Once opened, the ransomware is executed, and the system becomes compromised.
  • Malicious links: Cybercriminals may also spread ransomware through deceptive links. These links can be present in emails, social media messages, or even on compromised websites. When users click on such links, they are directed to websites that host the ransomware, and the malicious code is downloaded and executed on their systems.
  • Exploit kits: Ransomware can exploit vulnerabilities in software or operating systems to gain unauthorized access to a system. Exploit kits are toolkits used by hackers to identify and exploit these vulnerabilities. By visiting compromised websites or clicking on malicious ads, users may unknowingly trigger the download and execution of the ransomware.
  • Malicious downloads: Illegitimate or pirated software, games, or media files available for download from untrustworthy sources can be bundled with ransomware. Users who download and install such files inadvertently introduce the ransomware into their systems.
  • Drive-by downloads: By exploiting vulnerabilities in web browsers or plugins, ransomware can be silently downloaded and installed when a user visits a compromised or malicious website. No interaction is required from the user, making it a stealthy method of infection.

It is crucial to implement strong security measures such as using up-to-date antivirus software, regularly applying software patches and updates, practicing safe browsing habits, being cautious with email attachments and links, and regularly backing up important data to minimize the risk of ransomware infiltration.

How To Safely Stop & Remove AHUI Ransomware - How To Prevent Ransomware Attacks

June 12, 2023
