What is ChocVM Ransomware?

A new ransomware variant named ChocVM, associated with the Makop family, has recently emerged. This malicious software encrypts files, alters desktop wallpapers, modifies filenames, and leaves behind a distinctive ransom note in a file named "+README-WARNING+.txt."

File Encryption and Renaming

ChocVM renames each encrypted file by appending a bracketed string of random characters (a victim ID), the bracketed email address "xakep@dark-forum.ru", and the extension ".chocolate". For instance, a file named "1.jpg" becomes "1.jpg.[2AF20FA3].[xakep@dark-forum.ru].chocolate".
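As an added triage example (not code from the original article), the script below parses the renaming scheme described above and inventories affected files, victim IDs, contact addresses, and ransom notes across a directory tree. It assumes the victim ID is eight hexadecimal characters, as in the "2AF20FA3" example, and builds a constructed sample tree to run against.

```python
import re
import tempfile
from pathlib import Path

# Pattern derived from the renaming scheme the article describes:
# <original name>.[<victim ID>].[<attacker e-mail>].chocolate
# The 8-hex-character victim ID is an assumption based on the "2AF20FA3" example.
CHOCVM_RE = re.compile(
    r"^(?P<original>.+)\.\[(?P<victim_id>[0-9A-Fa-f]{8})\]"
    r"\.\[(?P<email>[^\]]+@[^\]]+)\]\.chocolate$"
)
RANSOM_NOTE = "+README-WARNING+.txt"
KNOWN_EMAILS = {"xakep@dark-forum.ru", "hackr@dark-forum.ru"}


def parse_chocvm_name(name: str):
    """Return (original_name, victim_id, email) for a ChocVM-style filename, else None."""
    m = CHOCVM_RE.match(name)
    if not m:
        return None
    return m.group("original"), m.group("victim_id").upper(), m.group("email").lower()


def triage_tree(root: Path) -> dict:
    """Walk a directory and summarise ChocVM indicators found in it."""
    summary = {"encrypted": [], "victim_ids": set(), "emails": set(),
               "notes": [], "unknown_email": []}
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        if path.name == RANSOM_NOTE:
            summary["notes"].append(str(path))
            continue
        parsed = parse_chocvm_name(path.name)
        if parsed:
            original, victim_id, email = parsed
            summary["encrypted"].append((str(path), original))
            summary["victim_ids"].add(victim_id)
            summary["emails"].add(email)
            if email not in KNOWN_EMAILS:  # flag addresses not seen in this campaign
                summary["unknown_email"].append(str(path))
    return summary


def demo() -> dict:
    """Build a constructed sample tree (not a real infection) and triage it."""
    tmp = Path(tempfile.mkdtemp())
    (tmp / "docs").mkdir()
    for name in ("1.jpg.[2AF20FA3].[xakep@dark-forum.ru].chocolate",
                 "docs/report.xlsx.[2AF20FA3].[hackr@dark-forum.ru].chocolate",
                 "docs/notes.txt", RANSOM_NOTE, "docs/" + RANSOM_NOTE):
        (tmp / name).write_text("constructed sample content")
    return triage_tree(tmp)
```

A single victim ID across every renamed file is what you would expect from one infection; more than one ID in the same tree points to multiple runs or hosts and should be scoped separately.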

ChocVM Ransom Note Overview

The ransom note left by ChocVM states that the victim's files have been encrypted without damaging the file structure. To regain access to their files, victims are told to pay a ransom. The attackers describe the situation as a business transaction and state that they have no interest in the victim beyond being paid. As a "guarantee", they offer to decrypt two small files with simple extensions for free and provide contact details through the email addresses xakep@dark-forum.ru and hackr@dark-forum.ru.

The ransom note reads as follows:

::: Greetings ChocVM :::

Little FAQ:

.1.
Q: Whats Happen?
A: Your files have been encrypted. The file structure was not damaged, we did everything possible so that this could not happen.

.2.
Q: How to recover files?
A: If you wish to decrypt your files you will need to pay us.

.3.
Q: What about guarantees?
A: Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will cooperate with us. Its not in our interests.
To check the ability of returning files, you can send to us any 2 files with SIMPLE extensions(jpg,xls,doc, etc... not databases!) and low sizes(max 1 mb), we will decrypt them and send back to you. That is our guarantee.

.4.
Q: How to contact with you?
A: You can write us to our mailboxes: xakep@dark-forum.ru or hackr@dark-forum.ru

.5.
Q: How will the decryption process proceed after payment?
A: After payment we will send to you our scanner-decoder program and detailed instructions for use. With this program you will be able to decrypt all your encrypted files.

.6.
Q: If I don t want to pay bad people like you?
A: If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause only we have the private key. In practice - time is much more valuable than money.

:::BEWARE:::
DON'T try to change encrypted files by yourself!
If you will try to use any third party software for restoring your data or antivirus solutions - please make a backup for all encrypted files!
Any changes in encrypted files may entail damage of the private key and, as result, the loss all data.

Details on Ransom Payment

Upon payment, the attacker pledges to deliver a decryption program along with detailed instructions for file decryption. The note explicitly warns against attempting independent file restoration, claiming that any such actions may damage the private key and result in irreversible data loss.

Insights into Ransomware Threats: An Overview

When individuals fall victim to ransomware attacks, they are coerced into paying cybercriminals for decryption tools. Typically, the alternatives include searching for free decryption tools online or using data backups. However, paying ransoms is strongly discouraged due to uncertainties regarding the reliability of cybercriminals in delivering promised decryption tools.

Immediate Action against Ransomware

Swiftly eliminating ransomware from compromised devices is crucial, as the malware can initiate further encryptions and spread through local networks, leading to the encryption of files on interconnected computers.

Ransomware Landscape

Ransomware attacks vary in their delivery methods and targets, but the core pattern is consistent: data is encrypted, files are renamed, a ransom note is presented, and payment is demanded in exchange for decryption. Examples of other ransomware variants include BO Team, Cdmx, and Tprc.

Understanding Ransomware Infections: Causes and Prevention

Infection Methods

Ransomware often infiltrates systems through deceptive emails containing malicious attachments or links. Unwary users may inadvertently initiate downloads and executions by clicking on these links or opening attachments. Trojans are another tool used to deliver malicious payloads, including ransomware. Threat actors also exploit channels such as P2P networks, malicious ads, software vulnerabilities, pirated software, and more.

Protective Measures

To safeguard against ransomware infections, users are advised to install regular updates for the operating system and installed apps. Employing reputable antivirus or anti-malware software, exercising caution with emails from unknown sources, avoiding risky websites, and refraining from downloading files from untrusted sources are essential preventive measures.

Dealing with ChocVM Infection

If a computer is already infected with ChocVM, it is recommended to use an anti-malware program for automatic removal of this ransomware threat.

December 29, 2023