Capibara Ransomware Locks Infected Computers

During a review of new file samples, our research team discovered the Capibara ransomware. This malicious software functions by encrypting files in order to demand ransom payments.

After acquiring a sample of this malware, we ran it on our test system. We observed that files encrypted by this ransomware have a ".capibara" extension appended to their filenames. For instance, a file named "1.jpg" would display as "1.jpg.capibara", "2.png" as "2.png.capibara", and so forth.

Upon completion of the encryption process, Capibara altered the desktop background and generated a text file named "READ_ME_USER.txt" containing a ransom note in Russian. The note tells the victim that their files have been scrambled and are now unreadable, and stresses that recovery is impossible without the involvement of the attackers.
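The two artifacts described above, the appended ".capibara" extension and the "READ_ME_USER.txt" note, are the only host-side indicators the article gives, and they are enough for a simple triage sweep. The following scanner is an added example written for this page, not code from the researchers; it walks a directory tree, lists files carrying the extension, recovers their presumed original names by stripping it, and reports ransom notes separately, since a text file name on its own is a weak signal. The sample tree it builds is constructed for the demonstration.

```python
import os
import tempfile
from pathlib import Path

# Indicators taken from the article: the appended extension and the ransom note filename.
CAPIBARA_EXT = ".capibara"
RANSOM_NOTE_NAME = "READ_ME_USER.txt"


def scan_for_capibara(root):
    """Walk `root` and collect Capibara indicators.

    Returns a dict with:
      'encrypted'      - sorted paths of files ending in .capibara
      'notes'          - sorted paths of files named READ_ME_USER.txt
      'original_names' - mapping encrypted path -> filename before the extension was appended
    """
    root = Path(root)
    encrypted, notes = [], []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            if name.endswith(CAPIBARA_EXT):
                encrypted.append(path)
            elif name == RANSOM_NOTE_NAME:
                notes.append(path)
    # "1.jpg.capibara" -> "1.jpg": the malware only appends, so stripping recovers the name.
    original_names = {str(p): p.name[: -len(CAPIBARA_EXT)] for p in encrypted}
    return {
        "encrypted": sorted(str(p) for p in encrypted),
        "notes": sorted(str(p) for p in notes),
        "original_names": original_names,
    }


def looks_infected(report, min_encrypted=1):
    """Flag the tree when at least `min_encrypted` renamed files are present.

    A ransom note alone is not treated as proof: the filename is generic enough
    to collide with unrelated files, so it is surfaced in the report instead.
    """
    return len(report["encrypted"]) >= min_encrypted


def build_sample_tree(base):
    """Create a constructed directory that mimics the renaming pattern the article describes."""
    base = Path(base)
    (base / "docs").mkdir(parents=True, exist_ok=True)
    for name in ("1.jpg.capibara", "2.png.capibara", "untouched.txt"):
        (base / "docs" / name).write_bytes(b"sample bytes (constructed)")
    (base / "docs" / RANSOM_NOTE_NAME).write_text(
        "ransom note placeholder (constructed)", encoding="utf-8"
    )
    (base / "clean.txt").write_bytes(b"sample bytes (constructed)")
    return base


def demo():
    """Build the sample tree in a temporary directory, scan it and return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scan_for_capibara(tmp)


if __name__ == "__main__":
    result = demo()
    print("infected:", looks_infected(result))
    for path, original in result["original_names"].items():
        print(f"{path} (was {original})")
    print("ransom notes:", result["notes"])
```

On a real host, point `scan_for_capibara` at the user profile or a mounted image rather than at `demo()`'s temporary tree; the presumed original names are what you would cross-check against backups before deciding what can be restored without paying.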

The victim is instructed to purchase a decryption tool for 5000 Russian rubles, paid in Bitcoin. However, the ransom amount specified in Bitcoin, 0.073766 BTC, does not match the ruble sum at the current exchange rate, even allowing for the ongoing fluctuations in rates.

Capibara Ransom Note Comes in Russian Only

The full text of the Capibara ransom note reads as follows:

All your files on this computer have been successfully encrypted by a capybara.
Your computer has been infected with a ransomware virus. All your files have been encrypted and cannot be restored without our help. In order to restore them, you can buy a program for decrypting the files. It will let you restore your data and remove the virus from the computer.
The price of the program is 5000 rubles. Payment only via Bitcoin.
How do I pay and where do I buy Bitcoin?
Search Google, ask your friends, we don't give a damn.

Payment information
Amount: 0.073766 BTC
Bitcoin Address: 17CqMQFeuB3NTzJ2X28tfRmWaPyPQgvoHV

How Can Ransomware Infect Your Home Computer?

Ransomware can infect your home computer through various means, including:

Phishing Emails: Attackers send deceptive emails containing malicious links or attachments. Clicking on these links or opening infected attachments can download and install ransomware on your computer.

Malicious Websites: Visiting compromised or malicious websites can expose your computer to drive-by downloads, where ransomware is automatically downloaded and installed without your knowledge.

Software Vulnerabilities: Outdated software, especially operating systems and applications, can have security vulnerabilities that ransomware exploits to gain access to your computer.

Unsecured Remote Desktop Protocol (RDP): If you use RDP to connect remotely to your home computer and it's not properly secured (e.g., using weak passwords), attackers can exploit this to gain access and deploy ransomware.

Infected USB Drives: Plugging in infected USB drives or other external storage devices can introduce ransomware onto your computer.

Freeware or Pirated Software: Downloading software from untrusted sources or using pirated software increases the risk of downloading ransomware along with it.

Exploiting Network Vulnerabilities: Ransomware can spread across a home network if one computer becomes infected and the malware gains access to shared drives or other network-connected devices.

May 14, 2024
