Pres Ransomware: A Dangerous Threat from the Dharma Family
Understanding Pres Ransomware
Pres ransomware is a threatening addition to the Dharma ransomware family. Like its predecessors, Pres encrypts victims' files and requires a ransom in exchange for their recovery. What makes this variant particularly identifiable is the way it renames encrypted files. It appends the victim's unique ID, a contact email address, and the ".pres" extension to each filename. For example, a file originally named "document.pdf" would appear as "document.pdf.id-9ECFA84E.[helpreserve@onionmail.org].pres" after encryption.
Along with encrypting files, Pres displays a pop-up ransom note and places a text file named "info.txt" in the infected directories. The message tells victims that their files have been encrypted and provides instructions for contacting the attackers via email. Victims are required to send their unique ID to one of two email addresses: helpreserve@onionmail.org or helpreserve@cyberfear.com.
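The renaming pattern and dropped note described above are the two on-disk artifacts a responder can check for. The following is an added example (not code from the original post) that parses Pres-style filenames and triages a directory listing; the sample listing is constructed, and the verdict labels are my own:

```python
import re
from typing import Dict, Iterable, Optional

# Pres (Dharma family) renames "<name>" to "<name>.id-<8 hex>.[<email>].pres".
PRES_NAME_RE = re.compile(
    r"^(?P<original>.+)\.id-(?P<victim_id>[0-9A-Fa-f]{8})"
    r"\.\[(?P<email>[^\]\s@]+@[^\]\s@]+)\]\.pres$"
)
# Contact addresses quoted in the ransom note above.
KNOWN_EMAILS = {"helpreserve@onionmail.org", "helpreserve@cyberfear.com"}


def parse_pres_filename(name: str) -> Optional[Dict[str, object]]:
    """Split a Pres-style name into original name, victim ID and email; None otherwise."""
    m = PRES_NAME_RE.match(name)
    if not m:
        return None
    email = m.group("email").lower()
    return {
        "original_name": m.group("original"),
        "victim_id": m.group("victim_id").upper(),
        "email": email,
        "known_email": email in KNOWN_EMAILS,  # matches the addresses in the note
    }


def triage_listing(names: Iterable[str]) -> Dict[str, object]:
    """Encrypted names plus the dropped info.txt together indicate Pres."""
    names = list(names)
    hits = [a for a in map(parse_pres_filename, names) if a]
    note_present = any(n.lower() == "info.txt" for n in names)
    verdict = ("pres-ransomware" if hits and note_present
               else "suspicious" if hits else "clean")
    return {
        "encrypted_files": len(hits),
        "victim_ids": sorted({a["victim_id"] for a in hits}),
        "emails": sorted({a["email"] for a in hits}),
        "ransom_note_present": note_present,
        "verdict": verdict,
    }


# Constructed sample listing (not from a real incident).
SAMPLE_LISTING = [
    "document.pdf.id-9ECFA84E.[helpreserve@onionmail.org].pres",
    "archive.tar.gz.id-9ecfa84e.[helpreserve@cyberfear.com].pres",
    "info.txt",
    "notes.txt",  # untouched file
    "photo.jpg.id-ZZZZ.[someone@example.com].pres",  # ID not 8 hex digits: not Pres
]
```

The regex anchors on the full suffix, so a lookalike name with a malformed ID or a trailing extra extension is not counted, and the original name survives even when it contains several dots.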
What the Attackers Want
The ransom note attempts to appear helpful and even reassuring. It claims that the victim's files can be recovered and offers to decrypt up to three small, non-sensitive files for free as proof. However, these sample files must not exceed 3MB in total and cannot include backups, databases, or large spreadsheets. The note also warns that renaming files or using third-party recovery tools may cause irreversible damage.
In a classic psychological manipulation tactic, the attackers advise against involving third parties, claiming it could raise the ransom cost. This is meant to isolate the victim and increase their reliance on the attackers' promises—despite the high risk of not receiving any decryption tool after payment.
Here's what the ransom note claims:
All your files have been encrypted!
Don't worry, you can return all your files!
If you want to restore them, write to the mail: helpreserve@onionmail.org YOUR ID -
If you have not answered by mail within 12 hours, write to us by another mail:helpreserve@cyberfear.com
Free decryption as guarantee
Before paying you can send us up to 3 files for free decryption. The total size of files must be less than 3Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.)
How to obtain Bitcoins
Also you can find other places to buy Bitcoins and beginners guide here:
http://www.coindesk.com/information/how-can-i-buy-bitcoins/
Attention!
Do not rename encrypted files.
Do not try to decrypt your data using third party software, it may cause permanent data loss.
Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.
How Pres and Other Ransomware Programs Work
Ransomware like Pres is designed to hold users' data hostage by encrypting it with strong algorithms. Once encrypted, files become unusable unless decrypted with a unique key, which only the attackers possess. Victims are typically forced into a difficult choice: pay the ransom and hope the attackers honor their word, or attempt recovery through other means.
Pres ransomware doesn't stop at just encrypting files. It also deletes Volume Shadow Copies (used by Windows for backups), disables the firewall to avoid detection, and tries to maintain persistence by copying itself to a hidden location in the system and altering the Windows registry. These tactics are meant to ensure the ransomware can run even after a system restart and resist removal efforts.
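Each of the three behaviours above leaves a process-creation trail that endpoint telemetry can catch before encryption finishes. The following is an added detection example (not code from the original post): it maps each behaviour to the usual Windows command line for it, aggregates hits per host, and treats two or more distinct behaviours on one host as staging rather than admin noise. The log format, hostnames and paths are constructed for the example:

```python
import re
from collections import defaultdict
from typing import Dict, List, Set

# One pattern per behaviour the article attributes to Pres, matched against the
# command line of a process-creation record (assumed format: timestamp|host|cmdline).
RULES = [
    ("shadow_copy_deletion", re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)),
    ("shadow_copy_deletion", re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    ("firewall_disabled", re.compile(r"\bnetsh(\.exe)?\b.*firewall\b.*(state\s+off|mode\s*=\s*disable)", re.I)),
    ("run_key_persistence", re.compile(r"\breg(\.exe)?\b.*\badd\b.*\\CurrentVersion\\Run\b", re.I)),
]


def classify(cmdline: str) -> Set[str]:
    """Return the set of Pres-like behaviours a single command line exhibits."""
    return {name for name, pat in RULES if pat.search(cmdline)}


def scan_log(lines: List[str]) -> Dict[str, Set[str]]:
    """Aggregate observed behaviours per host from 'timestamp|host|cmdline' records."""
    per_host: Dict[str, Set[str]] = defaultdict(set)
    for line in lines:
        _, host, cmdline = line.split("|", 2)
        per_host[host.strip()] |= classify(cmdline)
    return dict(per_host)


def severity(behaviours: Set[str]) -> str:
    """Two or more distinct behaviours on one host is ransomware staging, not admin noise."""
    return "high" if len(behaviours) >= 2 else "medium" if behaviours else "none"


# Constructed telemetry (hostnames and paths are made up, not from a real incident).
SAMPLE_LOG = [
    "2024-01-01T03:12:07Z|WS-FIN-07|vssadmin.exe delete shadows /all /quiet",
    "2024-01-01T03:12:09Z|WS-FIN-07|netsh.exe advfirewall set allprofiles state off",
    r"2024-01-01T03:12:15Z|WS-FIN-07|reg.exe add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Updater /d C:\Users\Public\update.exe",
    "2024-01-01T08:00:00Z|WS-IT-02|vssadmin.exe list shadows",  # routine admin check
    "2024-01-01T08:00:05Z|WS-IT-02|netsh.exe advfirewall show allprofiles",
]
```

Listing shadow copies or showing firewall state is left unflagged on purpose; only the destructive or disabling forms count, which keeps the rule usable on an admin workstation.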
The Risks of Paying the Ransom
While paying the ransom might seem like the quickest path to recovery, it's a gamble with no guaranteed reward. Attackers may take the money and disappear or provide a faulty or partial decryption key. Furthermore, paying only fuels further cybercriminal activity and makes ransomware more profitable and appealing to attackers.
In most cases, recovery without backups or official decryption tools is extremely difficult. Unfortunately, backups stored on connected or infected devices can also be compromised. Therefore, effective backup practices—such as storing copies on unplugged external drives or secured cloud services—are critical.
How Pres Ransomware Spreads
Pres ransomware infections are commonly the result of weak Remote Desktop Protocol (RDP) security. Cybercriminals often exploit poorly protected RDP services by using brute-force or dictionary attacks to gain unauthorized access. Once inside, they deploy the ransomware manually.
Other infection methods include phishing emails containing malicious attachments or links, drive-by downloads from untrustworthy sites, pirated software bundled with malware, and deceptive advertisements. Users may also encounter ransomware through P2P networks or fake software update prompts. The malware is usually disguised as a legitimate program or document, tricking users into activating the infection.
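Because the RDP route above is the common one, the earliest detectable signal is usually a burst of failed remote-interactive logons from one source, followed by a success. The following is an added example (not code from the original post) that applies a sliding-window threshold to Windows Security events 4625/4624 with LogonType 10 and records whether the burst ended in a successful logon; the event tuple format, threshold, window and sample events are constructed for the example:

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Event tuple: (UTC time, EventID, LogonType, source address, account name).
# 4625 = failed logon, 4624 = successful logon, LogonType 10 = RemoteInteractive (RDP).
Event = Tuple[str, int, int, str, str]


def detect_rdp_bruteforce(events: List[Event], threshold: int = 10,
                          window: timedelta = timedelta(minutes=5)) -> List[Dict[str, object]]:
    """Flag sources with >= threshold RDP failures inside a sliding window and record
    whether an RDP success from the same source followed (the intrusion path above)."""
    failures: Dict[str, List[datetime]] = defaultdict(list)  # recent 4625 times per source
    totals: Dict[str, int] = defaultdict(int)
    alerts: Dict[str, Dict[str, object]] = {}
    for ts, event_id, logon_type, src, user in sorted(events):
        if logon_type != 10:
            continue  # only RDP logons matter here
        t = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        if event_id == 4625:
            totals[src] += 1
            recent = failures[src]
            recent.append(t)
            while recent and t - recent[0] > window:
                recent.pop(0)  # drop failures older than the window
            if len(recent) >= threshold and src not in alerts:
                alerts[src] = {"src": src, "first_seen": recent[0].isoformat(),
                               "failures": 0, "success_after": None}
        elif event_id == 4624 and src in alerts and alerts[src]["success_after"] is None:
            alerts[src]["success_after"] = user  # a guess succeeded: highest priority
    for src, alert in alerts.items():
        alert["failures"] = totals[src]
    return list(alerts.values())


# Constructed sample events (addresses are from documentation ranges, not real hosts).
SAMPLE_EVENTS: List[Event] = [
    (f"2024-01-01T02:00:{i * 2:02d}Z", 4625, 10, "198.51.100.7", f"user{i}") for i in range(12)
] + [
    ("2024-01-01T02:00:30Z", 4624, 10, "198.51.100.7", "jsmith"),  # success right after the burst
    ("2024-01-01T09:15:00Z", 4625, 10, "203.0.113.9", "jsmith"),   # two typos by a real user
    ("2024-01-01T09:15:20Z", 4625, 10, "203.0.113.9", "jsmith"),
    ("2024-01-01T09:15:40Z", 4624, 10, "203.0.113.9", "jsmith"),
    ("2024-01-01T09:16:00Z", 4625, 2, "203.0.113.9", "jsmith"),    # interactive logon, ignored
]
```

An alert whose success_after is set is the case to act on first: the account named there is the one the attacker now holds, and the hands-on deployment the article describes typically follows within hours.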
How to Stay Protected
Preventing ransomware like Pres begins with smart online behavior and solid cybersecurity measures. Avoid downloading software from unofficial websites, steer clear of pirated programs or key generators, and never enable macros in unfamiliar Office documents. Be especially cautious with email attachments or links from unknown sources, even if they appear urgent or important.
Update your operating system and software routinely to patch known vulnerabilities. Use reputable antivirus tools that include real-time protection features. Back up important data frequently and store those backups in safe, disconnected locations.
Final Thoughts
Pres ransomware is another example of how sophisticated and destructive modern ransomware threats have become. It combines technical stealth with social manipulation to pressure victims into paying ransoms that may not even lead to file recovery. By staying alert, following cybersecurity best practices, and maintaining secure backups, users and organizations can greatly reduce the risk of falling victim to these digital extortion schemes.