What is Pomochit Ransomware?
Pomochit is ransomware belonging to the MedusaLocker family. It encrypts files on the infected system and then demands payment from the victim in exchange for decryption.
File Encryption and Ransom Note
On our test machine, Pomochit appended a ".pomochit01" extension to the names of encrypted files: "1.jpg" became "1.jpg.pomochit01" and "2.png" became "2.png.pomochit01". The number in the extension varies between variants, so a detection rule should match ".pomochit" followed by digits rather than the literal ".pomochit01".
After encryption finished, Pomochit dropped a ransom note named "How_to_back_files.html". The wording of the note ("YOUR COMPANY NETWORK HAS BEEN PENETRATED") indicates that this ransomware is aimed at organisations rather than individual home users.
The Pomochit ransom note reads as follows:
YOUR PERSONAL ID:
-
/!\ YOUR COMPANY NETWORK HAS BEEN PENETRATED /!\
All your important files have been encrypted!
Your files are safe! Only modified. (RSA+AES)
ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE
WILL PERMANENTLY CORRUPT IT.
DO NOT MODIFY ENCRYPTED FILES.
DO NOT RENAME ENCRYPTED FILES.
No software available on internet can help you. We are the only ones able to
solve your problem.We gathered highly confidential/personal data. These data are currently stored on
a private server. This server will be immediately destroyed after your payment.
If you decide to not pay, we will release your data to public or re-seller.
So you can expect your data to be publicly available in the near future..
We only seek money and our goal is not to damage your reputation or prevent
your business from running.
You will can send us 2-3 non-important files and we will decrypt it for free
to prove we are able to give your files back.
Contact us for price and get decryption software.
email:
pomocit01@kanzensei.top
pomocit01@surakshaguardian.com
* To contact us, create a new free email account on the site: protonmail.com
IF YOU DON'T CONTACT US WITHIN 72 HOURS, PRICE WILL BE HIGHER.
* Tor-chat to always be in touch:
qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion
Ransom Note Overview
The ransom note tells the victim that their company network has been compromised and that the files were encrypted with RSA and AES. This combination usually means each file is encrypted with a symmetric AES key and that key is in turn encrypted with the attackers' RSA public key, so the files cannot be recovered without the matching private key. The note also claims that confidential and personal data was exfiltrated before encryption, which is the double-extortion pattern: payment is demanded both for decryption and for not leaking the stolen data.
The note warns victims not to rename, modify, or run third-party recovery tools on the encrypted files, claiming that this would make the data undecryptable. The attackers demand payment for the decryption software and threaten to publish or sell the stolen content if they are not paid. If contact is not made within 72 hours, the price will increase. Victims may send two or three unimportant files to be decrypted for free as proof that decryption is possible.
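The file extension and the ransom note described above are the two artefacts a responder will look for first. The following triage script is an added example, not code from the original article: it walks a directory tree, lists files carrying a ".pomochit" extension followed by digits (ordered by modification time, which gives a rough encryption timeline), locates the dropped "How_to_back_files.html", and extracts the personal ID, contact e-mail addresses and .onion address from it. The sample directory tree and the note text are constructed for the demonstration; the note text reuses the indicators shown in the article.

```python
"""Triage helper for a Pomochit (MedusaLocker) infection.

Added example, not part of the original article. The sample tree built by
build_sample_tree() is constructed for the demo and contains no real malware.
"""
import os
import re
import shutil
import tempfile
from datetime import datetime, timezone

# Extension seen in the article: ".pomochit01"; the digits vary by variant
ENCRYPTED_EXT = re.compile(r"\.pomochit\d+$", re.IGNORECASE)
NOTE_NAME = "How_to_back_files.html"

# Indicator extractors applied to the ransom note body
ID_RE = re.compile(r"YOUR PERSONAL ID:\s*(\S+)", re.IGNORECASE)
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
ONION_RE = re.compile(r"\b[a-z2-7]{16,56}\.onion\b")

# Constructed note: an HTML wrapper around lines quoted in the article.
# The personal ID is "-" because the article shows it as a placeholder.
SAMPLE_NOTE = r"""<html><body><pre>
YOUR PERSONAL ID:
-
/!\ YOUR COMPANY NETWORK HAS BEEN PENETRATED /!\
email:
pomocit01@kanzensei.top
pomocit01@surakshaguardian.com
* Tor-chat to always be in touch:
qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion
</pre></body></html>"""


def find_encrypted_files(root):
    """Return [(path, mtime)] for files with the encrypted extension, oldest first."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if ENCRYPTED_EXT.search(name):
                path = os.path.join(dirpath, name)
                hits.append((path, os.path.getmtime(path)))
    hits.sort(key=lambda item: item[1])
    return hits


def find_ransom_notes(root):
    """Return every copy of the ransom note found under root."""
    return [os.path.join(d, NOTE_NAME) for d, _, files in os.walk(root) if NOTE_NAME in files]


def extract_indicators(note_text):
    """Pull the personal ID, contact e-mails and .onion address out of the note."""
    text = re.sub(r"<[^>]+>", " ", note_text)  # strip HTML tags, keep the text
    match = ID_RE.search(text)
    return {
        "personal_id": match.group(1) if match else None,
        "emails": sorted(set(EMAIL_RE.findall(text))),
        "onion": sorted(set(ONION_RE.findall(text))),
    }


def triage(root):
    """Summarise encrypted files, note locations and indicators for a host."""
    encrypted = find_encrypted_files(root)
    notes = find_ransom_notes(root)
    report = {
        "encrypted_count": len(encrypted),
        "first_encrypted": encrypted[0][0] if encrypted else None,
        "first_encrypted_at": (
            datetime.fromtimestamp(encrypted[0][1], tz=timezone.utc).isoformat() if encrypted else None
        ),
        "last_encrypted": encrypted[-1][0] if encrypted else None,
        "notes": notes,
        "indicators": {},
    }
    if notes:
        with open(notes[0], encoding="utf-8", errors="replace") as fh:
            report["indicators"] = extract_indicators(fh.read())
    return report


def build_sample_tree():
    """Constructed sample: two 'encrypted' files, one untouched file and a note."""
    root = tempfile.mkdtemp(prefix="pomochit_demo_")
    docs = os.path.join(root, "Documents")
    os.makedirs(docs)
    samples = [("1.jpg.pomochit01", 1_700_000_000),
               ("2.png.pomochit01", 1_700_000_060),
               ("readme.txt", 1_700_000_120)]
    for name, mtime in samples:
        path = os.path.join(docs, name)
        with open(path, "wb") as fh:
            fh.write(b"\x00" * 16)  # placeholder content, not real ciphertext
        os.utime(path, (mtime, mtime))
    with open(os.path.join(docs, NOTE_NAME), "w", encoding="utf-8") as fh:
        fh.write(SAMPLE_NOTE)
    return root


if __name__ == "__main__":
    demo_root = build_sample_tree()
    try:
        for key, value in triage(demo_root).items():
            print(f"{key}: {value}")
    finally:
        shutil.rmtree(demo_root)
```

Run it against a mounted image or a live host with `triage("/mnt/evidence")` instead of the sample tree; the earliest modification time among encrypted files is a useful starting point for the event timeline, and the extracted e-mail and .onion addresses can be fed straight into blocklists and threat-intelligence lookups.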
The Nature of Pomochit Ransomware
In most ransomware cases, files cannot be decrypted without the attackers' private key. Paying the ransom does not guarantee recovery either: criminals frequently take the payment and never deliver a working decryptor. Paying is therefore strongly discouraged, both because it may not recover the data and because it funds further attacks.
Removing Pomochit from the operating system stops further encryption but does not restore files that are already encrypted; the only reliable recovery is from a backup made beforehand and stored outside the affected environment. Because the note states that the company network was penetrated, treat the infection as a network intrusion rather than a single-host problem: identify how the attackers got in, check other hosts and shared storage for the same extension and ransom note, and close the entry point before restoring, otherwise the restored data can be encrypted again.
Prevention and Backup Strategies
The most reliable protection against data loss is to keep backups in several separate locations, such as remote servers and storage devices that are disconnected after each backup run, and to test restores regularly. A backup that stays mounted or reachable from the network during an incident can be encrypted along with the live data.
OceanSpy, ZILLA, LostInfo, and GameCrypt are other recently observed ransomware variants. They differ in details but follow the same pattern: encrypt files, then demand payment for decryption.
Ransomware Distribution Methods
Cybercriminals spread ransomware and other malware mainly through phishing and social engineering. The malicious program is disguised as an ordinary application or media file, or bundled with otherwise legitimate content.
Infectious files come in many formats: archives (ZIP, RAR), executables (.exe, .run), and documents (Microsoft Office, PDF). The infection chain begins the moment the user opens or runs the file.
Common Distribution Methods
- Backdoor/Loader-Type Trojans: malware already present on the system that gives the attackers access and downloads or runs additional payloads such as ransomware.
- Drive-By Downloads: Stealthy or deceptive downloads initiated without the user's knowledge.
- Malicious Attachments or Links in Spam Emails: Phishing emails containing harmful links or attachments.
- Online Scams and Malvertising: Deceptive online ads or scam websites leading to malware downloads.
- Untrustworthy Download Channels: Freeware and third-party sites, P2P sharing networks, etc.
- Illegal Software Activation Tools ("Cracks"): Unauthorized tools used to bypass software activation.
- Fake Updates: Bogus updates for legitimate software that deliver malware.
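Several of the vectors above rely on a file that looks harmless but is executable, typically an archive attachment whose members carry a double extension such as "Invoice.pdf.exe" or a Right-to-Left Override character that reverses the visible extension. The following check is an added example, not code from the original article: it inspects the member names of a ZIP archive held in memory and reports which members should be quarantined before anyone opens them. The sample archive is constructed for the demo and contains placeholder bytes, not real malware; the extension lists are an assumption of the example rather than something the article specifies.

```python
"""Attachment triage: flag risky members inside a ZIP archive.

Added example, not part of the original article. build_sample_zip()
constructs a small archive in memory with placeholder content.
"""
import io
import zipfile

# Extensions that run directly on Windows or through a script host
# (assumed list for the example; extend it for your environment)
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".ps1", ".vbs",
                   ".js", ".jse", ".wsf", ".hta", ".msi", ".dll", ".lnk", ".run"}
# Document/media extensions an attacker places in front of the real one
DOC_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png", ".txt"}
RTLO = "\u202e"  # Right-to-Left Override: makes "gnp.scr" display as "rcs.png"


def classify_member(name):
    """Return the reasons an archive member name looks malicious ([] if none)."""
    reasons = []
    base = name.rsplit("/", 1)[-1].lower()
    parts = base.split(".")
    if len(parts) >= 2:
        ext = "." + parts[-1]
        if ext in EXECUTABLE_EXTS:
            reasons.append(f"executable extension {ext}")
            if len(parts) >= 3:
                disguise = "." + parts[-2]
                if disguise in DOC_EXTS:
                    reasons.append(f"double extension disguised as {disguise}")
    if RTLO in name:
        reasons.append("RTLO character in filename")
    if name.startswith("/") or ".." in name.split("/"):
        reasons.append("path traversal in member name")
    return reasons


def scan_zip_bytes(data):
    """Scan an in-memory ZIP; return {member_name: [reasons]} for flagged members."""
    flagged = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reasons = classify_member(info.filename)
            if reasons:
                flagged[info.filename] = reasons
    return flagged


def build_sample_zip():
    """Constructed sample: one double-extension lure, one benign file, one RTLO trick."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Invoice_2024.pdf.exe", b"MZ" + b"\x00" * 62)   # placeholder, not a real PE
        zf.writestr("notes/agenda.txt", b"Quarterly meeting agenda\n")
        zf.writestr("photo" + RTLO + "gnp.scr", b"\x00" * 16)        # shows as "photorcs.png"
    return buf.getvalue()


if __name__ == "__main__":
    for member, why in scan_zip_bytes(build_sample_zip()).items():
        print(f"QUARANTINE {member!r}: {', '.join(why)}")
```

For a real attachment, pass the raw bytes of the file to `scan_zip_bytes`; because the check only reads the central directory, nothing from the archive is extracted or executed. Name-based checks like this are a first filter, not a verdict: a loader inside an archive can also arrive as a macro document or a script with an innocuous name, so the result should feed a sandbox or antivirus scan rather than replace one.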
Vigilance and sound security practice are the main defence against ransomware such as Pomochit. Regular offline backups, careful handling of e-mail attachments and links, and avoiding untrustworthy downloads greatly reduce the risk of infection; preventing the infection is far cheaper than recovering from one.