TUGA Ransomware Uses Concise Ransom Note

Our research team has come across a new form of ransomware called TUGA. It encrypts files and appends its own extension, ".TUGA", to the original filenames, so "1.jpg" becomes "1.jpg.TUGA", "2.png" becomes "2.png.TUGA", and so on. It also drops a ransom note named "README.txt" to inform victims of the compromise. TUGA was discovered during the analysis of various new malware samples.

The ransom note left by TUGA notifies affected users of the breach. In it, the attackers give the Telegram channel "t.me/hell2cat" as a means of communication and demand a payment of $1000 in exchange for the decryption key needed to regain access to the encrypted files.

TUGA Ransom Note Asks for $1000 in Payment

The very brief text of the TUGA ransomware note reads as follows:

You've been hacked
t.me/hell2cat
Pay me 1000$ and I'll give you the decryption key!
Or you will join a terrorist network list :C

The ridiculous tone suggests that the ransomware operator might be more of a script kiddie and less of a real threat actor.
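As an added example that is not part of the original article, the following Python script turns the two artifacts described above (the appended ".TUGA" extension and a "README.txt" carrying the phrases quoted in the ransom note) into a simple host-side check a responder can run over a suspect directory tree. The directory layout and file contents it builds are constructed sample data, and the rule that both signals must be present before calling a host "likely infected" is an assumption, not something the article states.

```python
"""Scan a directory tree for artifacts consistent with a TUGA infection.

Added example (not code from the original article): it flags files that
carry the ".TUGA" extension and any "README.txt" whose text matches the
ransom note quoted in the article. Directory layout, sample file contents
and the two-signal rule in is_likely_infected() are assumptions.
"""
import os
import shutil
import tempfile
from dataclasses import dataclass, field

TUGA_EXT = ".TUGA"        # extension the ransomware appends (from the article)
NOTE_NAME = "README.txt"  # ransom note filename (from the article)
# Phrases taken from the ransom note quoted in the article; any one is a hit.
NOTE_MARKERS = ("you've been hacked", "t.me/hell2cat", "decryption key")


@dataclass
class ScanResult:
    encrypted: list = field(default_factory=list)   # paths ending in .TUGA
    notes: list = field(default_factory=list)       # matching ransom notes
    originals: dict = field(default_factory=dict)   # .TUGA path -> original path


def original_name(name: str) -> str:
    """TUGA only appends its extension, so '1.jpg.TUGA' -> '1.jpg'."""
    if name.lower().endswith(TUGA_EXT.lower()):
        return name[:-len(TUGA_EXT)]
    return name


def looks_like_tuga_note(text: str) -> bool:
    """Case-insensitive match against the marker phrases."""
    lowered = text.lower()
    return any(marker in lowered for marker in NOTE_MARKERS)


def scan_tree(root: str) -> ScanResult:
    """Walk `root` and collect renamed files and matching ransom notes."""
    result = ScanResult()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if name.lower().endswith(TUGA_EXT.lower()):
                result.encrypted.append(full)
                result.originals[full] = os.path.join(dirpath, original_name(name))
            elif name == NOTE_NAME:
                try:
                    with open(full, "r", encoding="utf-8", errors="replace") as fh:
                        head = fh.read(4096)  # the note is short; the head is enough
                except OSError:
                    continue  # unreadable file: skip it rather than abort the scan
                if looks_like_tuga_note(head):
                    result.notes.append(full)
    return result


def is_likely_infected(result: ScanResult, min_encrypted: int = 1) -> bool:
    """Require both signals (renamed files and a matching note) to limit false positives."""
    return len(result.encrypted) >= min_encrypted and bool(result.notes)


def build_sample_tree(base: str) -> None:
    """Populate `base` with a constructed victim tree (sample data, not real files)."""
    docs = os.path.join(base, "Documents")
    os.makedirs(docs, exist_ok=True)
    for name in ("1.jpg.TUGA", "2.png.TUGA", "untouched.txt"):
        with open(os.path.join(docs, name), "wb") as fh:
            fh.write(b"\x00" * 16)
    with open(os.path.join(docs, NOTE_NAME), "w", encoding="utf-8") as fh:
        fh.write("You've been hacked\nt.me/hell2cat\n"
                 "Pay me 1000$ and I'll give you the decryption key!\n")
    # An ordinary README.txt elsewhere must not be flagged.
    with open(os.path.join(base, NOTE_NAME), "w", encoding="utf-8") as fh:
        fh.write("Project readme: run make to build.\n")


def demo() -> ScanResult:
    """Build the sample tree in a temp dir, scan it, clean up, return the result."""
    base = tempfile.mkdtemp(prefix="tuga_scan_")
    try:
        build_sample_tree(base)
        return scan_tree(base)
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    r = demo()
    print(f"{len(r.encrypted)} renamed files, {len(r.notes)} ransom notes, "
          f"likely infected: {is_likely_infected(r)}")
```

The `originals` map is the useful output for recovery planning: because TUGA only appends an extension, the pre-encryption filenames are recoverable and can be matched against backups without guesswork. Point `scan_tree()` at a mounted image or a user profile directory rather than the sample tree to use it on a real case.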

How Can Ransomware Infect Your System?

Ransomware can infiltrate your system through various methods, often exploiting vulnerabilities or utilizing deceptive tactics. Here are some common ways in which ransomware can infect your system:

  • Phishing Emails: One prevalent method is through phishing emails. Attackers send malicious emails that appear legitimate, tricking recipients into clicking on infected attachments or malicious links. Once clicked, the ransomware is downloaded and executed on the system.
  • Malicious Websites and Downloads: Visiting compromised websites or downloading files from untrusted sources can lead to ransomware infection. Attackers may embed malicious code or infected files on these websites or disguise malware as legitimate software.
  • Exploiting Software Vulnerabilities: Ransomware can exploit security vulnerabilities in software applications or operating systems. If you haven't applied necessary security patches or updates, attackers can exploit these weaknesses to gain unauthorized access and install ransomware.
  • Malvertising: Attackers may use malicious advertisements (malvertising) on legitimate websites to distribute ransomware. These ads can contain code that automatically downloads and executes the ransomware when clicked or even without any user interaction.
  • Remote Desktop Protocol (RDP) Attacks: If Remote Desktop Protocol is enabled on your system with weak or default credentials, cybercriminals can use brute-force attacks to gain unauthorized access. Once inside, they can deploy ransomware and encrypt files.
  • Drive-by Downloads: Ransomware can be delivered through drive-by downloads, where malware is automatically downloaded and executed when you visit compromised websites or click on infected advertisements.
  • Malicious File Sharing Networks: Downloading files from peer-to-peer (P2P) or file-sharing networks can expose you to ransomware. Cybercriminals often disguise ransomware within seemingly harmless files shared on these platforms.
  • USB Devices and External Storage: Connecting infected USB devices or external storage media, such as external hard drives or thumb drives, to your system can introduce ransomware. It can spread through autorun features or by tricking users into running malicious files.
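The RDP item above describes brute-forcing of weak or default credentials. As an added example that is not part of the original article, the script below shows the detection side of that vector: it counts failed logons per source address in a sliding window and reports sources that cross a threshold. Windows logs a failed logon as Event ID 4625, and logon type 10 (RemoteInteractive) identifies RDP sessions; the log lines are constructed samples in a simplified pipe-separated layout rather than a real event-log export, and the threshold and window are assumptions.

```python
"""Flag RDP brute-force attempts from failed-logon records.

Added example (not from the original article): counts failed logons per
source address in a sliding time window and reports sources that reach a
threshold. Event ID 4625 is a Windows failed logon and logon type 10
(RemoteInteractive) covers RDP. The log lines below are constructed
samples in a simplified pipe-separated layout, not a real export; the
threshold and window values are assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records: timestamp|event_id|logon_type|username|source_ip
SAMPLE_LOG = """\
2023-06-28T02:00:01|4625|10|administrator|203.0.113.7
2023-06-28T02:00:09|4625|10|admin|203.0.113.7
2023-06-28T02:00:15|4625|10|administrator|203.0.113.7
2023-06-28T02:00:31|4625|10|root|203.0.113.7
2023-06-28T02:01:02|4625|10|administrator|203.0.113.7
2023-06-28T02:01:40|4625|10|guest|203.0.113.7
2023-06-28T02:03:00|4625|10|jsmith|198.51.100.22
2023-06-28T02:05:12|4625|2|jsmith|192.0.2.5
2023-06-28T02:09:30|4625|10|jsmith|198.51.100.22
2023-06-28T02:10:00|4624|10|jsmith|198.51.100.22
"""

FAILED_LOGON = 4625     # Windows Security log: "An account failed to log on"
RDP_LOGON_TYPE = 10     # RemoteInteractive (Terminal Services / RDP)
THRESHOLD = 5           # failures within WINDOW that trigger an alert (assumed)
WINDOW = timedelta(minutes=5)


def parse_line(line: str):
    """Split one constructed record into typed fields."""
    ts, event_id, logon_type, user, src = line.strip().split("|")
    return datetime.fromisoformat(ts), int(event_id), int(logon_type), user, src


def detect_rdp_bruteforce(log_text: str, threshold: int = THRESHOLD,
                          window: timedelta = WINDOW) -> dict:
    """Return {source_ip: (failures_in_window, distinct_usernames_tried)} for
    sources whose RDP failures reach `threshold` within `window`.
    Records are expected in time order, as they are when read from the log."""
    recent = defaultdict(deque)   # source_ip -> timestamps of failures still in window
    users = defaultdict(set)      # source_ip -> every username that source has tried
    alerts = {}
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, event_id, logon_type, user, src = parse_line(raw)
        # Only failed RDP logons count; console failures and successes are ignored.
        if event_id != FAILED_LOGON or logon_type != RDP_LOGON_TYPE:
            continue
        window_q = recent[src]
        window_q.append(ts)
        users[src].add(user)
        while window_q and ts - window_q[0] > window:
            window_q.popleft()   # drop failures that have aged out of the window
        if len(window_q) >= threshold:
            alerts[src] = (len(window_q), len(users[src]))
    return alerts


if __name__ == "__main__":
    for src, (count, n_users) in detect_rdp_bruteforce(SAMPLE_LOG).items():
        print(f"{src}: {count} RDP failures within {WINDOW}, {n_users} usernames tried")
```

The distinct-username count is what separates a spray against default account names from one user mistyping a password. The detection is a complement to the fix the article implies, not a substitute for it: RDP should not be reachable with weak or default credentials in the first place, and account lockout policy limits how far a brute-force attempt can get before this rule fires.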

To protect your system from ransomware, it is essential to follow best security practices such as keeping your software and operating system up to date, exercising caution while clicking on links or opening attachments in emails, using reliable security software, regularly backing up your important files, and being vigilant about suspicious online activities.

June 28, 2023