Titancrypt Ransomware

Titancrypt is a new variety of file-encrypting ransomware that has been recently spotted in the wild. The ransomware has not been classified as belonging to any specific larger family of ransomware types.

The ransomware encrypts commonly used document and media file types. It appears to be run by a Polish threat actor, as the ransom demand is 20 Polish zloty, to be sent to the hackers using a PaySafeCard.

Once Titancrypt encrypts a file, it appends the .titancrypt extension at the end, past the original extension. This means that a file originally called "audio.mp3" will transform into "audio.mp3.titancrypt" once it has been encrypted by the ransomware.

Once encryption is done, the ransomware drops its ransom demand note in a plain text file named "___RECOVER__FILES__.titancrypt.txt". Additionally, it also displays a pop-up window with the same ransom demand contained in the note.

Here is the full text of the ransom note:

All of your files have been encrypted.

To unlock them, please send 20PLN PaySafeCard on discord: titanware#1405

Thank you and have a nice day!

The ransom demand is surprisingly low, with 20 Polish zloty amounting to around 5 US dollars. Of course, the fact that the sum being asked is so low does not guarantee that victims will ever receive a working decryption tool against their money. The ransomware has no known decryptor at this point in time.

May 10, 2022