Pegasus Ransomware Encrypts Victim System Drives


Our team came across Pegasus, a ransomware program, while going over new file sample submissions. When we ran a sample of Pegasus on our test machine, it encrypted files and modified their names.

The original filenames were extended with a random character string, for instance, "1.jpg" became "1.jpg.tBC8M", and "2.png" became "2.png.qGuj7". After completing the encryption process, a ransom note named "Ghost_ReadMe.txt" was deposited.

The ransom note notifies the victim that their files are inaccessible because they have been encrypted. It assures them that they can recover their data by purchasing the decryption tool from the attackers, priced at $350 in Bitcoin. After paying, the victim is instructed to send proof of the transaction, after which they are promised the decryption tool and private key.
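The two on-disk artifacts described above, the per-file random suffix and the dropped note, are what a responder would look for on a suspect host. The following Python triage helper is an added example, not code from the write-up or from the malware; it runs over a constructed file listing, and the listing, the set of data extensions and the five-character suffix length (taken from the two samples quoted above) are assumptions.

```python
import re

# Constructed sample listing modelled on the renaming the write-up describes
# ("1.jpg" -> "1.jpg.tBC8M", "2.png" -> "2.png.qGuj7"); the paths are made up.
SAMPLE_LISTING = [
    r"C:\Users\alice\Pictures\1.jpg.tBC8M",
    r"C:\Users\alice\Pictures\2.png.qGuj7",
    r"C:\Users\alice\Documents\report.docx.Xk9pL",
    r"C:\Users\alice\Documents\notes.txt",
    r"C:\Users\alice\Desktop\Ghost_ReadMe.txt",
    r"C:\Users\alice\Downloads\setup.tar.gz",
]

RANSOM_NOTE = "Ghost_ReadMe.txt"  # note filename quoted in the write-up

# Extensions a user data file normally ends in (assumed list; extend as needed).
DATA_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "pdf", "txt", "doc", "docx",
                   "xls", "xlsx", "ppt", "pptx", "zip", "mp4", "mp3"}

# A data extension followed by one appended 5-character alphanumeric suffix.
# Suffix length and alphabet are assumed from the two samples quoted above.
PEGASUS_NAME = re.compile(
    r"^(?P<orig>.+\.(?P<ext>[A-Za-z0-9]{1,5}))\.(?P<suffix>[A-Za-z0-9]{5})$")


def classify(path):
    """Return (verdict, detail): 'ransom_note', 'encrypted' with the recovered
    original filename, or 'clean' with the bare filename."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    if name == RANSOM_NOTE:
        return "ransom_note", name
    m = PEGASUS_NAME.match(name)
    if m and m.group("ext").lower() in DATA_EXTENSIONS:
        return "encrypted", m.group("orig")
    return "clean", name


def triage(listing, min_encrypted=2):
    """Summarise a listing: renamed files with original names, note locations,
    suffixes seen, and an alert that fires on the note or on enough renames."""
    encrypted, notes = [], []
    for path in listing:
        verdict, detail = classify(path)
        if verdict == "encrypted":
            encrypted.append((path, detail))
        elif verdict == "ransom_note":
            notes.append(path)
    # One random suffix per file: a rule keyed on a fixed extension would miss it.
    suffixes = {p.rsplit(".", 1)[-1] for p, _ in encrypted}
    return {"encrypted": encrypted, "notes": notes, "suffixes": suffixes,
            "alert": bool(notes) or len(encrypted) >= min_encrypted}
```

Feeding it a real directory walk instead of the constructed list gives both the alert and the list of original filenames to reconcile against backups.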

Pegasus Ransom Note Demands $350 in Payment

The complete text of the "Ghost_ReadMe.txt" file generated by the Pegasus ransomware reads as follows:

Oops, Your Files Have Been Encrypted!
We Have Encrypted Your Data With The Strongest.
You Don't Need to worry.

All of your files have been encrypted
Your computer was infected with a ransomware virus. Your files have been encrypted and you won't
be able to decrypt them without our help.

What can I do to get my files back? You can buy the decrypter.
it will leave your pc as it was before the encryption.

How Can I Decrypt Files?

  1. You Can Buy Crypto Here: hxxps://www.coinmama.com/
  2. Send $350 To Bitcoin Wallet address: 16JpyqQJ6z1GbxJNztjUnepXsqee3SBz75
  3. Send Proof of Transaction to Our Email Address to Get a Decryption Tool and Private Key
  4. Contact Our email address: ransom.data@gmail.com

Note: Do Not Use Third Party Decryption Tools

What Are the Most Common Attack Vectors Used by Ransomware?

Ransomware can infiltrate systems through various attack vectors, but some of the most common ones include:

Phishing Emails: Attackers often distribute ransomware via phishing emails containing malicious attachments or links. These emails may impersonate legitimate entities or organizations, enticing recipients to click on links or download attachments that contain ransomware payloads.

Malicious Websites: Ransomware can be distributed through malicious websites or compromised legitimate websites. Visiting such sites or clicking on malicious ads can lead to the automatic download and execution of ransomware on the victim's system.

Exploit Kits: Cybercriminals exploit vulnerabilities in software or operating systems using exploit kits to deliver ransomware. These kits target known vulnerabilities that have not been patched, allowing attackers to gain unauthorized access to systems and deploy ransomware.

Remote Desktop Protocol (RDP): Attackers may brute-force RDP credentials or exploit weak passwords to gain unauthorized access to systems remotely. Once inside, they can deploy ransomware directly onto the compromised systems.

Drive-By Downloads: Ransomware can be delivered through drive-by downloads, where malware is automatically downloaded and installed onto a victim's system without their consent or knowledge when visiting compromised or malicious websites.

Malvertising: Cybercriminals may distribute ransomware through malicious advertisements (malvertising) displayed on legitimate websites. Clicking on these ads can redirect users to websites hosting ransomware or initiate automatic downloads of ransomware payloads.

Remote Code Execution (RCE): Vulnerabilities in web applications or server software can be exploited to execute arbitrary code remotely. Attackers can leverage RCE vulnerabilities to deploy ransomware onto servers or networked devices.

File-Sharing Networks: Ransomware can spread through peer-to-peer (P2P) file-sharing networks or compromised network shares. Infected files shared through these networks can lead to the spread of ransomware to other users or devices connected to the network.

April 9, 2024
