Killer Ransomware

There is a newly discovered strain of file-encrypting malware in the wild. The new variant is called Killer ransomware.

The ransomware behaves as expected. It will comb through connected system drives and encrypt almost all files on them, leaving files essential to the functioning of the operating system intact. Once encrypted, files receive a multi-part name change.

The Killer ransomware adds the victim's ID string, the contact email of the malware's author and the ".kill" extension to the original name of encrypted files. This means that a file formerly named "document.pdf" will turn into "document.pdf.[victim ID string].[contact email used by malware author].kill".

The ransom demands are contained inside a plain text file named "#FILES-ENCRYPTED.txt". Ransom notes are used to extort payment from victims, usually in the form of crypto transactions as those are much harder to trace.
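A read-only triage scan for the two indicators described above, the renamed-file pattern and the ransom note name, added here as an example and not taken from any vendor tool. The sample file names, victim ID and email address are constructed, and treating the square brackets as optional is an assumption, since the article does not say whether they are literal.

```python
import os
import re
import tempfile

NOTE_NAME = "#FILES-ENCRYPTED.txt"  # ransom note name given in the article
# <original>.<victim ID>.<contact email>.kill; square brackets are optional
# because the article does not say whether they are literal (assumption).
RENAMED = re.compile(
    r"^(?P<original>.+)\.\[?(?P<victim_id>[^.\[\]@]+)\]?"
    r"\.\[?(?P<email>[^\[\]@\s]+@[^\[\]@\s]+)\]?\.kill$",
    re.IGNORECASE,
)

def parse_renamed(name):
    """Return (original, victim_id, email) if name fits the pattern, else None."""
    m = RENAMED.match(name)
    return (m["original"], m["victim_id"], m["email"]) if m else None

def triage(root):
    """Walk root without modifying anything and summarise the indicators found."""
    report = {"notes": [], "encrypted": [], "kill_only": [], "victim_ids": set()}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            parsed = parse_renamed(name)
            if name == NOTE_NAME:
                report["notes"].append(path)
            elif parsed:
                # Keep the recovered original name to match against backups.
                report["encrypted"].append((path, parsed[0]))
                report["victim_ids"].add(parsed[1])
            elif name.lower().endswith(".kill"):
                # Extension matches but the ID/email parts do not: review manually.
                report["kill_only"].append(path)
    return report

def demo():
    """Build a constructed directory tree in a temp dir and triage it."""
    names = ["document.pdf.[A1B2C3].[contact@example.invalid].kill",
             "notes.txt", "archive.kill", NOTE_NAME]
    with tempfile.TemporaryDirectory() as root:
        for n in names:
            open(os.path.join(root, n), "w").close()
        return triage(root)

if __name__ == "__main__":
    r = demo()
    print(len(r["encrypted"]), "renamed,", len(r["notes"]), "note(s),", sorted(r["victim_ids"]))
```

The list of recovered original names shows which files need to be restored from backup, and more than one victim ID in the same tree is worth noting in the incident record.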

It is never advisable to negotiate with cybercriminals. There is no way to know whether a working decryption tool exists in the first place, whether you will receive it, or whether the ransomware is really a wiper masquerading as ransomware.

Using backups stored on offline devices is the best way to restore files when affected by the Killer ransomware.

June 30, 2022