A new variant of file-encrypting malware has been spotted in the wild. The new ransomware is named Triclyde and belongs to the family of Nominatus ransomware clones.
Triclyde does what every other strain of ransomware does - it encrypts the majority of files on the target system, leaving system-essential files intact so the system can keep running. What the Triclyde ransomware does a little differently is how it handles files that are already encrypted.
While almost every other strain of ransomware makes some sort of alteration to the extensions of encrypted files, appending new strings after the original extension to denote an encrypted file, Triclyde does nothing - files are left untouched when it comes to their names and extensions in Windows Explorer. You cannot tell whether a file is encrypted or not if you simply look at a folder.
The ransomware drops its ransom demands inside a pop-up window that is displayed once encryption finishes. The brief and overly dramatic ransom note goes as follows:
Nominatus Ransomware Family
All files has been Encrypted by Triclyde!
Contact the Creator of this virus Nominatus#9251 for more information
his old account (Nominatus#1297) has been disabled..
don't restart because we changed your account's password!
live or die? make your choice now!'
The fact that the ransomware operator chose Discord as their contact platform of choice should be indicative of their expertise. Of course, contacting criminals and negotiating with them is never advisable.