Flame Ransomware Expands Chaos Clone Family To Encrypt Files & Extort Money
Flame ransomware is a newly discovered strain of file-encrypting malware that belongs to the Chaos ransomware family.
Flame encrypts almost every file found on a system's connected local drives, then drops its ransom demands. The encryption process affects most file types, including executables, media files, documents, archives and databases.
Encrypted files receive a new extension that the ransomware generates using four random alphanumeric characters. This means that a file formerly named "music.ogg" will turn into something similar to "music.ogg.ewd8".
The ransomware creates a plain text file called "read_it.txt" containing the ransom note. It also replaces the desktop wallpaper with an image bearing large text, an English variation of the note in the text file.
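A triage sketch for the two on-disk indicators described above (the "read_it.txt" note and the appended four-character extension), added here as an example and not taken from the article or from any vendor tool. The 50% threshold, the allow-list of legitimate four-character extensions and the sample directory listings are assumptions made for the illustration.

```python
import os
import re

NOTE_NAME = "read_it.txt"  # ransom note file name given in the article
# <name>.<original extension>.<4 alphanumerics>, e.g. music.ogg.ewd8
APPENDED = re.compile(r"^.+\.[A-Za-z0-9]{1,8}\.([A-Za-z0-9]{4})$")
# Assumed allow-list: common real 4-character extensions that would otherwise match.
KNOWN_4 = {"docx", "xlsx", "pptx", "jpeg", "html", "json", "tiff", "flac", "mpeg", "webp"}


def appended_suffix(filename):
    """Return the trailing 4-character suffix if the name fits the pattern, else None."""
    m = APPENDED.match(filename)
    if m is None or m.group(1).lower() in KNOWN_4:
        return None
    return m.group(1)


def affected_files(filenames, min_ratio=0.5):
    """Return the renamed-looking files in one directory listing, or [] if it looks clean.

    A directory is flagged only when the ransom note is present AND at least
    min_ratio of the other files carry an appended 4-character suffix.
    """
    others = [f for f in filenames if f.lower() != NOTE_NAME]
    if len(others) == len(filenames) or not others:
        return []  # no note in this directory, or nothing besides the note
    hits = sorted(f for f in others if appended_suffix(f))
    return hits if len(hits) / len(others) >= min_ratio else []


def scan(root, min_ratio=0.5):
    """Walk root and yield (directory, hits) for every directory that is flagged."""
    for dirpath, _dirs, files in os.walk(root):
        hits = affected_files(files, min_ratio)
        if hits:
            yield dirpath, hits


# Constructed directory listings for illustration (not taken from a real incident).
SAMPLE_HIT = ["read_it.txt", "music.ogg.ewd8", "report.docx.K3q9", "db.sqlite.0aZx", "notes.txt"]
SAMPLE_CLEAN = ["read_it.txt", "photo.old.jpeg", "site.min.html", "notes.txt"]

if __name__ == "__main__":
    print(affected_files(SAMPLE_HIT))    # the three renamed files
    print(affected_files(SAMPLE_CLEAN))  # [] : only known extensions
    for directory, hits in scan("."):
        print(f"{directory}: {len(hits)} files with an appended suffix")
```

Requiring both indicators in the same directory keeps ordinary multi-dot names such as "photo.old.jpeg" from being flagged on their own.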
The plain text file is in Russian. Translated into English, it reads as follows:
Flame, this is not a virus, this is just a program that you ran at your own risk. Let's do as we agreed, without tricks or complaints. I warned you in the disclaimer about all these consequences, etc. If you hadn't wanted to, you wouldn't have run it, and if you don't know English, you mama's-boy nerd, go learn it, and don't be too lazy to read it through a translator!
The wallpaper text reads:
YOUR FILES HAVE BEEN ENCRYPTED*
YOUR FILES WERE ENCRYPTED BY THE FLAME UTILITY. TO DECRYPT YOUR FILES AND REMOVE THIS NOTIFICATION, CLICK ON THE "DECRYPT MY FILES" BUTTON. TECHNICAL SUPPORT - b5cce0d45fd0 at list dot ru
*Please read the disclaimer!
This program is not a virus, but just a utility that allows you to encrypt user data at will in one click.