The Sheeva ransomware is a new strain of file-encrypting malware. It does not appear to belong to any major ransomware family.
Sheeva encrypts files on the victim system, targeting most non-essential files, including media, document, archive and database extensions. Encrypted files receive a new extension and are renamed substantially, using a multi-part string. The new file name is built from several parts: the victim's ID, the contact email of the ransomware authors, the original name and extension, and finally the ".sheeva" suffix.
This means that a file formerly called "document.docx" will be renamed to "id[alphanumeric string].[Sheeva@onionmail.org].document.docx.sheeva".
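As an added example (not part of the original write-up), the following Python parser recognises the file-name layout described above and recovers the victim ID, contact address and original name, which is useful when triaging a directory listing or building a detection rule. It assumes the victim ID is alphanumeric and may or may not be wrapped in square brackets, since the placeholder "id[alphanumeric string]" is ambiguous on that point; the sample listing is constructed, not real victim data.

```python
import re
from typing import Dict, Iterable, List, NamedTuple, Optional, Tuple

# Layout from the write-up: id<victim id>.[<contact email>].<original name>.<ext>.sheeva
# Assumption: the victim id is alphanumeric, optionally wrapped in square brackets.
SHEEVA_NAME = re.compile(
    r"^id\[?(?P<victim_id>[A-Za-z0-9-]+)\]?"  # victim id, e.g. idA1B2C3D4 or id[A1B2C3D4]
    r"\.\[(?P<contact>[^\]]+)\]"              # bracketed contact email
    r"\.(?P<original>.+)"                     # original file name including its extension
    r"\.sheeva$",                             # trailing marker extension
    re.IGNORECASE,
)


class SheevaFile(NamedTuple):
    victim_id: str
    contact: str
    original_name: str


def parse_sheeva_name(filename: str) -> Optional[SheevaFile]:
    """Return the parts of a Sheeva-renamed file, or None if the name does not match."""
    m = SHEEVA_NAME.match(filename)
    if not m:
        return None
    return SheevaFile(m["victim_id"], m["contact"], m["original"])


def triage(filenames: Iterable[str]) -> Dict[Tuple[str, str], List[str]]:
    """Group matching names by (victim id, contact address); non-matching names are skipped."""
    found: Dict[Tuple[str, str], List[str]] = {}
    for name in filenames:
        parsed = parse_sheeva_name(name)
        if parsed is None:
            continue
        found.setdefault((parsed.victim_id, parsed.contact), []).append(parsed.original_name)
    return found


# Constructed sample directory listing (hypothetical victim id, not real data).
SAMPLE_LISTING = [
    "id[A1B2C3D4].[Sheeva@onionmail.org].document.docx.sheeva",
    "idA1B2C3D4.[Sheeva@cyberfear.com].backup.tar.gz.sheeva",
    "report.pdf",        # untouched file
    "notes.txt.sheeva",  # wrong layout: no id/contact prefix, so not counted as Sheeva-renamed
    "sheeva.txt",        # the ransom note itself
]

if __name__ == "__main__":
    for key, names in triage(SAMPLE_LISTING).items():
        print(key, names)
```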
The ransom note is dropped inside a file named "sheeva.txt", which is placed on the desktop.
The full text of the ransom note is as follows:
::: Greetings :::
Your important data, including financial/development, accounting, strategies, and other vital documents and databases, have been downloaded and will be leaked soon if not paid.
Q: What's Happened?
A: Your files have been encrypted and now have the "Sheeva" extension. The file structure has been changed to unreadable format, but you can recover them all with our tool.
Q: How to recover files?
A: If you wish to decrypt your files, you will need to pay in bitcoins.
Q: What about guarantees?
A: It's just a business. We absolutely do not care about you and your deals, except getting benefits. Nobody will cooperate with us if we do not do our work and liabilities. It's not in our interests.
To check the ability to return files, you can send us two files (under 5MB) of any kind that do not contain critical information. We will decrypt them and send them back to you. That is our guarantee.
Q: How to contact us?
A: You can write us to our mailbox: Sheeva at onionmail dot org and Sheeva at cyberfear dot com
write this in the email title: ID:-
Q: How will the decryption process proceed after payment?
A: After payment, we will send you our decoder program and your ID's unique keys + detailed instructions for use. With this program, you will be able to decrypt all your encrypted files.
Q: If I don't want to pay bad people like you?
A: If you will not cooperate with our service, it does not matter to us. But you will lose your time and data cause we are the only ones that have the private key. In practice - time is much more valuable than money.
1.1 DON'T try to change encrypted files by yourself!
If you use any third-party software to restore your data or antivirus solutions, please make a backup of all encrypted files!
Any changes in encrypted files may entail damage to the private key and, as a result, the loss of all data.
.2. Any company/person claiming to decrypt your data without paying us, they're simply lying and will charge you a lot of extra money for that; they all contact us and buy the decryptor from us.
.3. message from Developers: to avoid any possible problems with this email agent, always as for test files, never pay anyone outside of these two emails, only pay to wallet address we send you along with the test file, this will guarantee you recover all your files with no risk
.4.Some files were encrypted but not renamed; these files will be restored after the decryption procedure is completed.
.5.DO NOT delete the C:/Sheeva folder (it's a hidden folder) otherwise decryption will be IMPOSSIBLE