AttackFiles Ransomware Belongs to MedusaLocker Family

During our examination of new files, our research team came across the AttackFiles malicious program, which is associated with the MedusaLocker ransomware family. This type of software is crafted to encrypt files, demanding ransom for their decryption.

When we executed a sample of AttackFiles on our testing environment, it encrypted files and appended the ".attackfiles" extension to their names. For instance, a file named "1.jpg" would become "1.jpg.attackfiles", and "2.png" would turn into "2.png.attackfiles", and so forth.

Upon completing the encryption process, this ransomware generated a ransom note titled "How_to_back_files.html". The note refers to the infected system as a "company network," indicating that the targets are not individual home users. In the ransom message, AttackFiles claims that the victim's company network has been breached, files have been encrypted using RSA and AES cryptographic algorithms, and confidential and personal data has been pilfered.

To recover the encrypted files, the victim is instructed to pay a ransom. If the victim refuses to comply, the stolen content will be either leaked or sold. Before paying, the victim can have 2-3 unimportant files decrypted for free as proof that the attackers hold a working decryptor. The note also cautions against renaming or modifying encrypted files or using third-party recovery tools, claiming such actions cause permanent data loss.
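The two on-disk indicators the article describes (the appended ".attackfiles" extension and the "How_to_back_files.html" note) are enough for a simple triage scan. The following is an added example, not code from the original post or from Cyclonis: it walks a directory tree, lists files carrying the extension, recovers their pre-encryption names, and flags the presence of the ransom note. The sample directory it builds is constructed for the demo.

```python
import os
import tempfile
from pathlib import Path

# Indicators taken from the article: the appended extension and the note file name.
ATTACKFILES_EXT = ".attackfiles"
RANSOM_NOTE_NAME = "How_to_back_files.html"


def scan_for_attackfiles(root):
    """Walk `root` and summarise AttackFiles indicators found beneath it.

    encrypted:      paths whose name ends with ".attackfiles" (e.g. 1.jpg.attackfiles)
    notes:          paths of every How_to_back_files.html ransom note
    original_names: pre-encryption file names, recovered by stripping the extension
    """
    encrypted, notes = [], []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if name.lower().endswith(ATTACKFILES_EXT):
                encrypted.append(path)
            elif name == RANSOM_NOTE_NAME:
                notes.append(path)
    original_names = [Path(p).name[: -len(ATTACKFILES_EXT)] for p in encrypted]
    return {
        "encrypted": sorted(encrypted),
        "notes": sorted(notes),
        "original_names": sorted(original_names),
        "suspected_infection": bool(encrypted) or bool(notes),
    }


def build_sample_tree():
    """Create a throwaway directory mimicking the post-encryption state the article
    describes. This is constructed sample data, not real malware output."""
    root = tempfile.mkdtemp(prefix="attackfiles_demo_")
    docs = Path(root) / "docs"
    docs.mkdir()
    for name in ("1.jpg.attackfiles", "2.png.attackfiles", "untouched.txt"):
        (docs / name).write_bytes(b"constructed sample content")
    (docs / RANSOM_NOTE_NAME).write_text("YOUR COMPANY NETWORK HAS BEEN PENETRATED")
    return root


if __name__ == "__main__":
    result = scan_for_attackfiles(build_sample_tree())
    print("suspected infection:", result["suspected_infection"])
    print("encrypted originals:", result["original_names"], "notes:", len(result["notes"]))
```

Point `scan_for_attackfiles` at a mounted share or backup snapshot to get a quick count of affected files and the original names before the extension was appended.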

AttackFiles Ransom Note in Full

The complete text of the AttackFiles ransom note reads as follows:

YOUR PERSONAL ID:

YOUR COMPANY NETWORK HAS BEEN PENETRATED
All your important files have been encrypted!

Your files are safe! Only modified. (RSA+AES)

ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE
WILL PERMANENTLY CORRUPT IT.
DO NOT MODIFY ENCRYPTED FILES.
DO NOT RENAME ENCRYPTED FILES.

No software available on internet can help you. We are the only ones able to solve your problem.

We gathered highly confidential/personal data. These data are currently stored on a private server. This server will be immediately destroyed after your payment.
If you decide to not pay, we will release your data to public or re-seller.
So you can expect your data to be publicly available in the near future..

We only seek money and our goal is not to damage your reputation or prevent
your business from running.

You will can send us 2-3 non-important files and we will decrypt it for free to prove we are able to give your files back.

Contact us for price and get decryption software.

email:
crypt2024_tm123@outlook.com
crypt2024_tm123@outlook.com

To contact us, create a new free email account on the site: protonmail.com
IF YOU DON'T CONTACT US WITHIN 72 HOURS, PRICE WILL BE HIGHER.

How is Ransomware Usually Distributed Online?

Ransomware is typically distributed online through various methods, including:

Phishing Emails: Attackers send emails with malicious attachments or links, disguised as legitimate messages from trusted sources such as banks, shipping companies, or government agencies. Once the attachment is opened or the link clicked, the ransomware is downloaded onto the victim's system.

Malvertising: Malicious advertisements (malvertisements) on legitimate websites may contain scripts that redirect users to websites hosting ransomware or directly download ransomware onto the user's device without their knowledge.

Exploit Kits: These are prepackaged software packages that contain various exploits targeting vulnerabilities in outdated software or operating systems. When a user visits a compromised website, the exploit kit scans their system for vulnerabilities and delivers ransomware payloads.

Remote Desktop Protocol (RDP) Attacks: Attackers exploit weak or default passwords on RDP services to gain unauthorized access to systems. Once inside, they deploy ransomware directly onto the network.

Drive-by Downloads: This occurs when a user visits a compromised or malicious website, and malware is automatically downloaded and installed onto their system without their consent or knowledge.

Peer-to-Peer (P2P) File Sharing: Ransomware can be distributed through pirated software, games, or media files shared on P2P networks. Attackers may disguise ransomware as legitimate files to trick users into downloading and executing them.

Malicious Links in Chat Apps and Social Media: Attackers may distribute ransomware through links shared in chat applications or on social media platforms, using tempting messages or offers to get users to click.

Watering Hole Attacks: In this method, attackers compromise websites that are frequently visited by their target audience. When users visit these compromised sites, they are unknowingly exposed to ransomware.

These are just a few examples of how ransomware can be distributed online. Attackers are constantly evolving their tactics to bypass security measures and exploit vulnerabilities, making it crucial for users and organizations to stay vigilant and employ robust cybersecurity practices.

April 12, 2024