Whole Ransomware Threatens Data Leaks

During our investigation of newly submitted malware samples, our researchers came across a ransomware program named "Whole." We have determined that it is derived from the Keylock ransomware. This malicious software encrypts data and demands ransoms in exchange for decrypting it.

In our testing, the "Whole" ransomware encrypted files and added a ".whole" extension to their filenames. For example, a file originally named "1.jpg" would be displayed as "1.jpg.whole," and "2.png" as "2.png.whole."

Once the encryption process was finished, the desktop wallpaper was changed, and a ransom note titled "README-ID-[victim's_ID].txt" was generated. From the content of this note, it is evident that this ransomware primarily targets businesses rather than individual users.

The message displayed on the "Whole" desktop wallpaper instructs the victim to read the associated text file ("README-ID-[victim's_ID].txt"). This ransom note explains that the victim's files have been encrypted and assures them that their unique decryption key is securely stored on the attackers' servers.

Recovery can be tested at no cost by sending a few encrypted files to the cybercriminals (within certain guidelines). If the victim does not attempt to contact the attackers within 3 days, their sensitive business-related data may be exposed or sold.

The message also includes warnings, informing the victim that renaming or altering the affected files, as well as using third-party recovery tools or antivirus software, may render the data irretrievable.

Whole Ransomware Drops Lengthy Note

The full text of the Whole ransom note reads as follows:

YOUR FILES ARE ENCRYPTED

Your files have been encrypted with strong encryption algorithms and modified!
Don't worry your unique encryption key is stored securely on our server and your data can be decrypted quickly and securely.

We can prove that we can decrypt all of your data. Please just send us 3 not important, small(~2mb) encrypted files, which are randomly stored on your server. Also attach your this file README-ID-.txt left by us in every folder.
We will decrypt these files and send them to you as a proof. Please note that files for free test decryption should not contain valuable information.

If you will not start a dialogue with us in 72 hours we will be forced to publish your files in the public domain. Your customers and partners will be informed about the data leak.
This way, your reputation will be ruined. If you will not react, we will be forced to sell the most important information such as databases and personal data to interested parties to generate some profit.

If you want to resolve this situation, attach in letter this file README-ID-.txt and write to ALL of these 2 email addresses:

pmmx@techmail.info
wholekey@mailfence.com

IMPORTANT!
We recommend you contact us directly to avoid overpaying agents.
We asking to send your message to ALL of our 2 email adresses because for various reasons, your email may not be delivered.
Our message may be recognized as spam, so be sure to check the spam folder.
If we do not respond to you within 24 hours, write to us from another email address.
Please don't waste the time, it will result only additinal damage to your company.
Please do not rename and try to decrypt the files yourself. We will not be able to help you if files will be modified.
If you will try to use any third party software for restoring your data or antivirus solutions, please make a backup for all encrypted files.
If you delete any encrypted files from the current computer, you may not be able to decrypt them.

How Can Ransomware Get Inside Your System?

Ransomware can infiltrate your system through various means, and understanding these entry points is crucial for protecting your system against such attacks. Here are common ways ransomware can get inside your system:

• Email Attachments: Phishing emails are a prevalent method for ransomware distribution. Cybercriminals send seemingly legitimate emails with infected attachments (e.g., PDFs, Word documents, or ZIP files) or links to malicious websites. When users open these attachments or click on the links, the ransomware is downloaded and executed on their systems.
• Malicious Links: Ransomware can also be delivered through deceptive or malicious links in emails, instant messages, or on websites. Clicking on these links can lead to the download and execution of ransomware.
• Malvertising: Cybercriminals may use malicious advertisements (malvertisements) on legitimate websites to deliver ransomware. Simply visiting a compromised website with these ads can trigger an automatic download of the malware.
• Exploiting Vulnerabilities: Ransomware authors can exploit software vulnerabilities in your operating system or applications. If your system is not up to date with security patches, it may be vulnerable to exploit-based attacks.
• Drive-By Downloads: Ransomware can be delivered through "drive-by downloads," where users unknowingly download malicious code while visiting compromised or malicious websites. These downloads can occur without any user interaction or consent.
• Remote Desktop Protocol (RDP) Attacks: Attackers may exploit weak or default RDP credentials to gain access to remote systems. Once inside, they can install ransomware and encrypt files.
• Software Downloads: Downloading software or files from untrusted or pirated sources can expose your system to ransomware. Illegitimate software or cracked versions often come with hidden malware payloads.