Reload Ransomware is Based on Makop

In our analysis of the Reload malware, we determined that it belongs to the Makop family and functions as ransomware, primarily designed for file encryption. Apart from encrypting data, Reload also drops a ransom note, named "+README-WARNING+.txt," and modifies file names.

Reload adds a sequence of random characters, presumably the victim's ID, an email address, and the ".reload" extension to the original file names. For example, it transforms "1.jpg" into "1.jpg.[2AF20FA3].[reload2024@outlook.com].reload," and "2.png" into "2.png.[2AF20FA3].[reload2024@outlook.com].reload," and so forth.
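The renaming scheme and ransom note name described above can be turned into a triage check over a file listing, recovering each original file name and showing which folders were hit. This Python example is added here and is not from the original analysis; the function names, the assumption that the ID is alphanumeric, and the sample paths are constructed for illustration.

```python
import re
from collections import Counter
from pathlib import PureWindowsPath

# Naming scheme reported in the article: <original>.[<ID>].[<email>].reload
# Assumption: the ID is alphanumeric; the article shows only "2AF20FA3".
RENAMED = re.compile(
    r"^(?P<original>.+)\.\[(?P<victim_id>[0-9A-Za-z]+)\]"
    r"\.\[(?P<email>[^\[\]\s@]+@[^\[\]\s@]+)\]\.reload$",
    re.IGNORECASE,
)
NOTE_NAME = "+README-WARNING+.txt"  # ransom note name from the article


def parse_renamed(filename):
    """Return original name, victim ID and contact email, or None if no match."""
    m = RENAMED.match(filename)
    return m.groupdict() if m else None


def triage(paths):
    """Summarise a file listing: renamed files, note locations, IDs, folders."""
    report = {"encrypted": [], "notes": [], "ids": Counter(),
              "emails": Counter(), "folders": Counter()}
    for raw in paths:
        p = PureWindowsPath(raw)
        if p.name.lower() == NOTE_NAME.lower():
            report["notes"].append(str(p))
            continue
        hit = parse_renamed(p.name)
        if hit:
            report["encrypted"].append((str(p), hit["original"]))
            report["ids"][hit["victim_id"].upper()] += 1
            report["emails"][hit["email"].lower()] += 1
            report["folders"][str(p.parent)] += 1
    return report


# Constructed sample listing (not taken from a real incident).
SAMPLE = [
    r"C:\Users\alice\Pictures\1.jpg.[2AF20FA3].[reload2024@outlook.com].reload",
    r"C:\Users\alice\Pictures\2.png.[2AF20FA3].[reload2024@outlook.com].reload",
    r"C:\Users\alice\Pictures\+README-WARNING+.txt",
    r"C:\Users\alice\Documents\notes.reload",   # lookalike: no ID or email
    r"C:\Users\alice\Documents\report.docx",    # untouched file
]

if __name__ == "__main__":
    r = triage(SAMPLE)
    print(len(r["encrypted"]), "renamed;", dict(r["ids"]), dict(r["folders"]))
```

Matching on the full bracketed pattern rather than the bare ".reload" suffix keeps unrelated files that happen to share the extension out of the report.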

The ransom note starts with a clear statement indicating that all files have been encrypted and now carry the ".reload" extension. It underscores the urgency of contacting the attackers promptly to prevent the encrypted files from being published on the internet. The note provides the email address reload2024@outlook.com for communication purposes.

Furthermore, the note issues a threat of permanent file loss if victims fail to engage directly with the attackers for file recovery, explicitly discouraging the use of intermediary companies or internet-based programs for recovery efforts.

Reload Ransom Note in Full

The complete text of the ransom note generated by Reload reads as follows:

Your files are encrypted and stolen, all encrypted files have the extension .reload

To restore your files so that they are not published on the Internet, you need to contact us as soon as possible!

Our contact email address: reload2024@outlook.com

Your files may be published on the Internet if you ignore this message.

You will lose your files if you do not write to us to recover your files!

You will lose your files forever if you use intermediary companies and programs from the Internet to recover your files!

How is Ransomware Like Reload Distributed Online?

Reload, like many ransomware variants, is typically distributed online through various methods aimed at exploiting vulnerabilities or tricking users into downloading and executing malicious content. Here are common distribution methods for ransomware like Reload:

Phishing Emails: Cybercriminals often use phishing emails to deliver ransomware. These emails may appear legitimate and contain malicious attachments or links. In the case of Reload, users might be lured into opening an attachment, such as a seemingly innocuous document or file, which then triggers the malware installation process.

Malicious Websites: Visiting compromised or malicious websites can lead to the unintentional download and installation of ransomware. Cybercriminals may exploit vulnerabilities in browsers or plugins to deliver the malicious payload.

Exploit Kits: Cyber attackers may use exploit kits to target known vulnerabilities in software, operating systems, or browsers. When a user visits a compromised website, the exploit kit scans for vulnerabilities and delivers the ransomware payload if a suitable vulnerability is found.

Drive-By Downloads: Unwittingly downloading malicious content while visiting websites, often through pop-ups or automatic downloads, can result in the installation of ransomware. Users may not be aware of these downloads, making it easier for the malware to infiltrate the system.

Malicious Advertisements (Malvertising): Cybercriminals may use online advertisements to distribute ransomware. Clicking on an infected ad can redirect users to a site hosting the malware or trigger an automatic download.

Compromised Software: Attackers may compromise legitimate software installers or updates, injecting ransomware into them before users download and install the seemingly authentic software.

March 6, 2024