GrafGrafel Ransomware Threatens Double Extortion

While examining new file samples, our research team uncovered the GrafGrafel malicious program, belonging to the Phobos ransomware family. This type of malware encrypts data and demands ransoms for decryption.

Upon running a sample of GrafGrafel on our test machine, it encrypted files and modified their filenames. Each filename was appended with a unique ID assigned to the victim, the cyber criminals' email address, and a ".GrafGrafel" extension. For instance, a file initially named "1.jpg" became "1.jpg.id[9ECFA84E-3511].[GrafGrafel@tutanota.com].GrafGrafel" after encryption.

Following this encryption process, ransom notes appeared in a pop-up ("info.hta") and text files ("info.txt"). The text files were deposited in encrypted directories and on the desktop. The content of these notes indicates that GrafGrafel specifically targets companies rather than individual users, employing double extortion tactics.

Both the pop-up and text files contain identical messages, stating that the victim's files are encrypted, and sensitive company data has been exfiltrated. The attackers demand a ransom, threatening to leak the stolen information and keep the locked data inaccessible if their demands are not met. The notes emphasize the risk of company data leaks and mention a 30% reduction in the ransom if the victim contacts the cyber criminals within 6 hours.

Before making the payment, the victim has the option to test decryption on a few small files. The messages caution against actions that could result in permanent data loss, such as restarting or shutting down the system, renaming/copying/moving or modifying the affected files, using third-party decryption tools, and reaching out to recovery companies or authorities.
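The filename layout and ransom note names described above are the most useful host-side indicators for a first triage pass. The following Python script is an added example (not code from the original article or from any vendor): it parses Phobos-style filenames into their fields (original name, victim ID, contact email, extension) and counts encrypted files and ransom note locations across a list of paths. The regular expression generalizes the observed "1.jpg.id[9ECFA84E-3511].[GrafGrafel@tutanota.com].GrafGrafel" form to any extension, which is an assumption about other clones in the family; the sample paths are constructed for the example.

```python
import re
from collections import Counter
from pathlib import PureWindowsPath

# Phobos-style naming as observed for GrafGrafel on this page:
#   <original name>.id[<8 hex digits>-<4 digits>].[<contact email>].<extension>
# The extension is captured rather than hard-coded so the same parser covers
# other clones of the family (an assumption, not something the page states).
PHOBOS_NAME_RE = re.compile(
    r"^(?P<original>.+?)"
    r"\.id\[(?P<victim_id>[0-9A-Fa-f]{8}-\d{4})\]"
    r"\.\[(?P<email>[^\]\s]+@[^\]\s]+)\]"
    r"\.(?P<ext>[A-Za-z0-9]+)$"
)

# Ransom note filenames dropped by this sample (from the article).
RANSOM_NOTE_NAMES = {"info.hta", "info.txt"}


def parse_encrypted_name(filename: str):
    """Return the fields embedded in a Phobos-style filename, or None if it does not match."""
    m = PHOBOS_NAME_RE.match(filename)
    return m.groupdict() if m else None


def triage(paths):
    """Summarise encrypted files and ransom note locations found in a list of file paths."""
    summary = {
        "encrypted": 0,
        "by_extension": Counter(),
        "victim_ids": Counter(),
        "contact_emails": Counter(),
        "note_dirs": set(),
    }
    for raw in paths:
        path = PureWindowsPath(raw)
        if path.name.lower() in RANSOM_NOTE_NAMES:
            summary["note_dirs"].add(str(path.parent))
            continue
        fields = parse_encrypted_name(path.name)
        if fields:
            summary["encrypted"] += 1
            summary["by_extension"][fields["ext"]] += 1
            summary["victim_ids"][fields["victim_id"]] += 1
            summary["contact_emails"][fields["email"]] += 1
    return summary


# Constructed sample listing: two encrypted files, two notes, one untouched file
# and one look-alike name that must NOT be treated as encrypted.
SAMPLE_PATHS = [
    r"C:\Users\alice\Documents\1.jpg.id[9ECFA84E-3511].[GrafGrafel@tutanota.com].GrafGrafel",
    r"C:\Users\alice\Documents\report.docx.id[9ECFA84E-3511].[GrafGrafel@tutanota.com].GrafGrafel",
    r"C:\Users\alice\Documents\info.txt",
    r"C:\Users\alice\Desktop\info.hta",
    r"C:\Users\alice\Desktop\todo.txt",
    r"C:\Users\alice\Downloads\notes.id[not-phobos].txt",
]


def triage_sample():
    """Run the triage over the constructed sample listing."""
    return triage(SAMPLE_PATHS)


if __name__ == "__main__":
    s = triage_sample()
    print(f"encrypted files: {s['encrypted']}")
    print(f"extensions: {dict(s['by_extension'])}")
    print(f"victim IDs: {dict(s['victim_ids'])}")
    print(f"contact emails: {dict(s['contact_emails'])}")
    print(f"directories containing ransom notes: {sorted(s['note_dirs'])}")
```

On a real host the path list would come from a recursive directory walk of a forensic image or a mounted volume; a single victim ID across all matches is consistent with one infection, while multiple IDs or emails would suggest more than one run or more than one affiliate.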

GrafGrafel Ransom Note Spans Multiple Pages of Text

The complete text of the GrafGrafel ransom note reads as follows:

ATTENTION

Your network is hacked and files are encrypted.
Including the encrypted data we also downloaded other confidential information: data of your employees, customers, partners, as well as accounting and other internal documentation of your company.

About Data
All data is stored until you will pay.
After payment we will provide you the programs for decryption and we will delete your data
We dont want did something bad to your company, it is just bussines (Our reputation is our money!)
If you refuse to negotiate with us (for any reason) all your data will be put up for sale.

What you will face if your data gets on the black market:
The personal information of your employees and customers may be used to obtain a loan or purchases in online stores.
You may be sued by clients of your company for leaking information that was confidential.
After other hackers obtain personal data about your employees, social engineering will be applied to your company and subsequent attacks will only intensify.
Bank details and passports can be used to create bank accounts and online wallets through which criminal money will be laundered.
You will forever lose the reputation.
You will be subject to huge fines from the government.
You can learn more about liability for data loss here: hxxps://en.wikipedia.org/wiki/General_Data_Protection_Regulationor here hxxps://gdpr-info.eu
Courts, fines and the inability to use important files will lead you to huge losses. The consequences of this will be irreversible for you.
Contacting the police will not save you from these consequences, and lost data, will only make your situation worse.

How to contact us
Write us to the mails: GrafGrafel@tutanota.com
You can contact our online operator in telegram: @GROUNDINGCONDUCTOR (BE CAREFUL ABOUT FAKE)
Download the (Session) messenger hxxps://getsession.org in messenger :ID"05bc5e20c9c6fbfd9a58bfa222cecd4bbf9b5cf4e1ecde84a0b8b3de23ce8e144e"
Write this ID in the title of your message -
IF YOU WILL CONTACT US IN FIRST 6 hours , and we close our deal in 24 hours , PRICE WILL BE ONLY 30%.
(time is money for both of us , if you will take care about our time , we will do same , we will care of price and decryption process will be done VERY FAST)
ALL DOWNLOADED DATA WILL BE DELETED after payment.

What no to do and recomendation
You can get out of this situation with minimal losses (Our reputation is our money!) !!! To do this you must strictly observe the following rules:
DO NOT Modify, DO NOT rename, DO NOT copy, DO NOT move any files. Such actions may DAMAGE them and decryption will be impossible.
DO NOT use any third party or public decryption software, it may also DAMAGE files.
DO NOT Shutdown or Reboot the system this may DAMAGE files.
DO NOT hire any third party negotiators (recovery/police, etc.) You need to contact us as soon as possible and start negotiations.
You can send us 1-2 small data not value files for test , we will decrypt it and send it to you back.
After payment we need no more that 2 hours to decrypt all of your data. We will be support you untill fully decryption going to be done! ! ! (Our reputation is our money!)

Instructions for contacting our team:
Download the (Session) messenger (hxxps://getsession.org) in messenger :ID"05bc5e20c9c6fbfd9a58bfa222cecd4bbf9b5cf4e1ecde84a0b8b3de23ce8e144e"
Telrgram : @GROUNDINGCONDUCTOR (BE CAREFUL ABOUT FAKE)
MAIL:GrafGrafel@tutanota.com

What is the Phobos Family of Ransomware Clones?

Phobos is a family of ransomware that has been known to target Windows systems. It is designed to encrypt files on the infected system, making them inaccessible to the user, and then demands a ransom in exchange for the decryption key. The Phobos ransomware family is characterized by its use of a specific file extension added to the encrypted files, often reflecting the name of the ransomware variant.

The ransom notes delivered by Phobos typically contain instructions on how the victim can pay the ransom to obtain the decryption key. Phobos is known for employing double extortion tactics, where, in addition to encrypting files, it may exfiltrate sensitive data from the compromised system. The threat actors behind Phobos then use the stolen data as leverage, threatening to publish it unless the ransom is paid.

There are many variants and clones within the Phobos ransomware family, each with its own specific characteristics and methods of operation. These variants may be introduced or modified over time by different cybercriminal groups. Because ransomware evolves continually, cybersecurity experts and antivirus companies work to detect and mitigate threats associated with the Phobos family and other ransomware strains on an ongoing basis. Regularly updating security software, practicing good cybersecurity hygiene, and maintaining secure, offline backups are essential to minimize the risk and impact of ransomware attacks.

December 7, 2023
