Proton (Xorist) Ransomware Will Encrypt Victim Systems

During our routine assessment of new file samples, our research team came across the Proton ransomware variant. This malicious program belongs to the Xorist ransomware family. Programs in this category encrypt data and demand payment for decryption.

When we ran the Proton (Xorist) sample on our test system, it encrypted files and appended a ".PrOToN" extension to their original names. For example, a file named "1.jpg" became "1.jpg.PrOToN", "2.png" became "2.png.PrOToN", and so on for every locked file. The original extension is kept underneath the appended one, which makes affected files straightforward to enumerate during triage.

The program then changed the desktop wallpaper and delivered its ransom note in three forms: a pop-up window, the wallpaper itself, and a text file named "HOW TO DECRYPT FILES.txt". The notes tell the victim that their files have been encrypted and that the only way to restore them is to pay the attackers. The demanded amount is 0.045 BTC (Bitcoin), roughly 1300 USD at the exchange rate at the time of writing (exchange rates fluctuate constantly). After payment, the notes promise, the decryption keys and software will be provided. Two caveats a responder should keep in mind: paying never guarantees a working decryptor, and Xorist is a builder-based family for which free decryption tools (for example the Emsisoft Xorist decryptor) have recovered earlier variants, so it is worth checking whether a public decryptor handles this build before treating payment as the only option.
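To make the on-disk artifacts described above concrete, here is an added Python triage script; it is not code from the original article or from Cyclonis. It walks a directory tree for the two indicators the article gives, the appended ".PrOToN" suffix and the "HOW TO DECRYPT FILES.txt" note, recovers the original file names from the suffixed ones, and summarises scope by directory. The sample directory it builds is constructed for the demonstration, and the file contents are placeholder bytes, not real ciphertext.

```python
"""Triage scan for Proton (Xorist) encryption artifacts.

Added example, not code from the original article or from Cyclonis.
Indicators (from the article): files renamed with the ".PrOToN" suffix and
a ransom note named "HOW TO DECRYPT FILES.txt". The sample tree built by
build_sample_tree() is constructed for this demonstration only.
"""
import os
import tempfile
from collections import Counter
from dataclasses import dataclass, field
from pathlib import Path

ENCRYPTED_SUFFIX = ".PrOToN"            # appended to the full original name
RANSOM_NOTE_NAME = "HOW TO DECRYPT FILES.txt"


@dataclass
class ScanResult:
    encrypted: list[Path] = field(default_factory=list)
    notes: list[Path] = field(default_factory=list)

    def original_names(self) -> list[str]:
        # "1.jpg.PrOToN" -> "1.jpg": the original extension survives under the suffix.
        return [p.name[: -len(ENCRYPTED_SUFFIX)] for p in self.encrypted]

    def original_extensions(self) -> Counter:
        # Which file types were hit, using the extension recovered from the name.
        return Counter(Path(n).suffix.lower() for n in self.original_names())

    def affected_dirs(self) -> Counter:
        # Encrypted-file count per directory, for estimating blast radius.
        return Counter(str(p.parent) for p in self.encrypted)


def scan_tree(root: Path) -> ScanResult:
    """Walk root and collect encrypted files and ransom notes."""
    result = ScanResult()
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            # Case-sensitive match: the sample appended exactly ".PrOToN".
            if name.endswith(ENCRYPTED_SUFFIX):
                result.encrypted.append(path)
            elif name == RANSOM_NOTE_NAME:
                result.notes.append(path)
    return result


def build_sample_tree(root: Path) -> None:
    """Constructed sample mimicking the post-infection layout the article describes."""
    docs = root / "Documents"
    pics = root / "Pictures"
    docs.mkdir(parents=True)
    pics.mkdir(parents=True)
    (docs / "1.jpg.PrOToN").write_bytes(b"\x00" * 16)      # placeholder, not real ciphertext
    (docs / "report.docx.PrOToN").write_bytes(b"\x00" * 16)
    (pics / "2.png.PrOToN").write_bytes(b"\x00" * 16)
    (docs / RANSOM_NOTE_NAME).write_text("All your files have been encrypted\n")
    (pics / RANSOM_NOTE_NAME).write_text("All your files have been encrypted\n")
    (root / "untouched.txt").write_text("clean\n")          # must not be flagged


def run_demo() -> ScanResult:
    """Build the constructed tree in a temp dir, scan it, and return the result."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        return scan_tree(root)


if __name__ == "__main__":
    r = run_demo()
    print(f"{len(r.encrypted)} encrypted files, {len(r.notes)} ransom notes")
    print("original names:", sorted(r.original_names()))
    print("by extension:", dict(r.original_extensions()))
    print("by directory:", dict(r.affected_dirs()))
```

Point scan_tree() at a mounted image or a live volume to get the same summary for a real incident; the per-directory counts are the quickest way to see whether only user profiles or also network shares were reached.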

Proton Ransom Note Asks for $1300 in Bitcoin

The full text of the Proton ransom note reads as follows:

Hello

All your files have been encrypted
if you want to decrypt them you have to pay me 0.045 bitcoin.

Make sure you send the 0.045 bitcoins to this address:
(alphanumeric string)

If you don't own bitcoin, you can easily buy it from these sites:
www.coinmama.com
www.bitpanda.com
www.localbitcoins.com
www.paxful.com

You can find a larger list here:
hxxps://bitcoin.org/en/exchanges

After sending the bitcoin, contact me at this email address:
protonis2023@tuta.io with this subject: -
After the payment has been confirmed,
you will get decryptor and decryption keys!

You will also receive information on how to defend against another ransomware attack
and the most important thing is your security hole through which we entered.

Attention!
Do not try other cheaper decryption options because nobody and nothing can
decrypt your files without the keys generated for your server,
you will lose time, money and your files forever!

How Can Ransomware Like Proton Enter Your System?

Ransomware like Proton can infiltrate a system in several ways, usually by exploiting either a software vulnerability or a human mistake. The most common entry points are:

  • Phishing Emails: Cybercriminals often send convincing emails with malicious attachments or links. Clicking on these links or opening infected attachments can trigger the ransomware installation.
  • Malicious Links: Clicking on infected links from websites, social media, or instant messaging platforms can lead to ransomware downloads or drive-by attacks.
  • Malvertising: Malicious advertisements on legitimate websites can lead to drive-by downloads of ransomware when clicked.
  • Exploit Kits: These are toolkits that target vulnerabilities in software like your operating system, browser, or plugins. Visiting a compromised website can result in an exploit kit delivering ransomware.
  • Infected Software: Downloading and installing software from untrusted sources can result in unintentionally installing ransomware.
  • Exposed Remote Desktop Protocol (RDP): If RDP is reachable from the internet without strong, unique credentials, multi-factor authentication, and current patches, attackers can brute-force or exploit it to gain remote access and then deploy ransomware by hand.
  • Software Vulnerabilities: Outdated software can have security vulnerabilities that attackers can exploit to install ransomware.
  • Malicious Macros: Opening infected Microsoft Office documents with macros enabled can lead to ransomware execution.
August 11, 2023