K1ng Ransomware Joins Dharma Clone Family
There is a new ransomware variant in the wild, using code belonging to the Dharma ransomware clone family.
The new version is called the K1ng ransomware. K1ng behaves as expected: it encrypts files on the victim's device and leaves them unusable. Encryption also changes the names and extensions of affected files, appending the victim's ID, the contact email of the ransomware operator and the string ".k1ng".
This will transform a file that was originally called "document.txt" into a file named "document.txt.id-[alphanumeric string].[king2022@tutanota.com].k1ng".
The encryption process affects all media, archive, document and database files. The files it leaves untouched are usually those essential to the system.
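The renaming scheme described above can be turned into a triage check over a file listing. The Python below is an added example, not part of the original article: it recognises names of that form, recovers the original name, victim ID and contact address, and groups hits by ID. The sample paths and the ID "A1B2C3D4" are constructed for illustration.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Scheme from the article: <original name>.id-<alphanumeric ID>.[<contact email>].k1ng
K1NG_NAME = re.compile(
    r"^(?P<original>.+)\.id-(?P<victim_id>[A-Za-z0-9]+)"
    r"\.\[(?P<email>[^\[\]\s]+@[^\[\]\s]+)\]\.k1ng$",
    re.IGNORECASE,
)

def parse_k1ng_name(path):
    """Return the marker fields of a renamed file, or None if the name does not match."""
    m = K1NG_NAME.match(PureWindowsPath(path).name)
    if m is None:
        return None
    # The greedy 'original' group keeps any earlier ".id-" inside the real file name.
    return {"path": path, "original": m["original"],
            "victim_id": m["victim_id"], "email": m["email"].lower()}

def summarize(paths):
    """Group matching files by victim ID: file count, affected directories, contact addresses."""
    report = defaultdict(lambda: {"files": 0, "dirs": set(), "emails": set()})
    for p in paths:
        hit = parse_k1ng_name(p)
        if hit:
            entry = report[hit["victim_id"]]
            entry["files"] += 1
            entry["dirs"].add(str(PureWindowsPath(p).parent))
            entry["emails"].add(hit["email"])
    return dict(report)

# Constructed sample listing (not from a real incident).
SAMPLE = [
    r"C:\Users\alice\Documents\document.txt.id-A1B2C3D4.[king2022@tutanota.com].k1ng",
    r"C:\Users\alice\Pictures\photo.jpg.id-A1B2C3D4.[king2022@tutanota.com].k1ng",
    r"C:\Users\alice\Documents\notes.k1ng.txt",  # contains the string, not the scheme
    r"C:\Users\alice\Documents\report.docx",     # untouched file
]

if __name__ == "__main__":
    for victim_id, info in summarize(SAMPLE).items():
        print(victim_id, info["files"], sorted(info["dirs"]), sorted(info["emails"]))
```

Feeding it a directory listing exported from an affected host shows which folders were reached and which files still carry their original names.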
The ransomware drops its ransom note inside a file named "info.txt" that is placed on the system desktop. The note reads as follows:
all your data has been locked us
You want to return?
write email king2022@tutanota.com or king2022@onionmail.com
The ransomware also causes a pop-up window to appear with the following text:
YOUR FILES ARE ENCRYPTED
1024
Don't worry, you can return all your files!
If you want to restore them, write to the mail: king2022@tutanota.com YOUR ID -
If you have not answered by mail within 12 hours, write to us by another mail:king2022@onionmail.com
ATTENTION!
We recommend you contact us directly to avoid overpaying agents
Do not rename encrypted files.
Do not try to decrypt your data using third party software, it may cause permanent data loss.
Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.