Earth Grass Ransomware Asks for $200 in Ransom
While analyzing file samples, we stumbled upon a new variant of the WORLD GRASS ransomware, which was named EARTH GRASS. This particular ransomware operates by encrypting files and adding the ".34r7hGr455" extension to the filenames of the locked files. Additionally, it alters the desktop background and deposits a "Read ME (Decryptor).txt" file, which serves as a ransom note.
To illustrate how EARTH GRASS changes filenames, consider the following: it transforms "1.jpg" into "1.jpg.34r7hGr455," and "2.png" becomes "2.png.34r7hGr455," and so on.
The ransom note conveys to victims that their files have been encrypted due to a security issue on their computers. It supplies guidance on making a $200 payment in XMR (Monero) cryptocurrency to a specified address and directs victims to reach out to the attackers via the provided email address (earthgrass1@protonmail.com) with evidence of payment and details about their computer.
The note cautions against renaming encrypted files or attempting to decrypt them using third-party software, as this could result in permanent data loss. Furthermore, it mentions the potential for increased fees when seeking third-party assistance and advises caution regarding the possibility of scams in such scenarios.
Earth Grass Ransom Note in Full
The complete text of the Earth Grass ransom note reads as follows:
EARTH GRASS
YOUR FILES ARE ENCRYPTED#EarthGress
All your files have been encrypted due to a security problem with your PC.
If you want to restore them do this work,
- Send 200$ XMR On this Address :-
XMR Address = (alphanumeric string)- After Sending The Funds Write us to the e-mail :-
Email Address = earthgrass1@protonmail.com
(With The Transection Screenshot And Transection Details And Your Computer Details.)Attention
Do not rename encrypted files.
Do not try to decrypt your data using third party software, it may cause permanent data loss.
Decryption of your files of the help of third parties may cause increased price(they add their fee to our) or you can become a victim of a scam.
How Can Ransomware Like Earth Grass Infect Your Computer?
Ransomware like Earth Grass can infect your computer through various means, and it typically relies on deceptive or malicious tactics to gain access. Here are some common ways ransomware can infect your computer:
- Phishing Emails: One of the most common methods is through phishing emails. You may receive an email that appears to be from a legitimate source, such as a trusted company or a colleague. These emails often contain malicious attachments or links. When you open the attachment or click the link, it may download and execute the ransomware on your system.
- Malicious Websites: Visiting compromised or malicious websites can expose your computer to ransomware. These websites may exploit vulnerabilities in your web browser or use social engineering techniques to trick you into downloading and executing malicious files.
- Malvertising: Malicious advertising, or malvertising, occurs when cybercriminals inject malicious code into online ads. Clicking on these ads can redirect you to websites that deliver ransomware to your computer.
- Exploiting Software Vulnerabilities: Ransomware can exploit vulnerabilities in your operating system, software, or applications. If your system is not up to date with security patches, it can be more susceptible to such attacks.
- Drive-By Downloads: Some websites may automatically download and execute malware onto your computer without your consent. This drive-by download can happen if you visit compromised websites or interact with malicious content.
