Wikon Ransomware is an Xorist Clone Targeting Random Files For Encryption

While analyzing malware samples, our researchers came across a new variant of the Xorist ransomware family called WiKoN. This ransomware encrypts files, modifies their extensions by appending ".WiKoN," alters the desktop background, creates a ransom note named "HOW TO DECRYPT FILES.txt," and displays an error message with ransom demands.

For instance, a file named "1.jpg" will be renamed as "1.jpg.WiKoN," while "2.png" will be renamed as "2.png.WiKoN," and so on. The ransom note displayed on the victim's system informs them that their files have been encrypted, and to recover them, they must pay 0.05 Bitcoins to a specified Bitcoin wallet address. The note instructs victims to contact the attackers through the provided email address once the payment is made.

Once the payment is verified, the decryption tool and keys are sent to the victim to initiate the decryption process. The ransom note also warns that if the payment is not made within two days, decryption keys will be deleted permanently, implying that file recovery will no longer be possible.

Wikon Ransom Note Asks for 0.05 BTC

The full text of the Wikon ransom note reads as follows:

ATTENTION!

All your files have been encrypted
And their decryption will cost you 0.05 bitcoin.

To start the decryption process follow the steps below

Step 1) Make sure you send 0.05 bitcoin to this wallet:
bc1q0u997r79ylv9hrc7zcth0mvr3mjua6324hxnkc

Step 2) Contact me at this email address: wikon@tuta.io
With this Subject: -

After the payment has been confirmed,
you will receive the decryptor and the keys for decryption!

Other information:

If you don't own bitcoin, you can buy it here very easily
www.coinmama.com
www.bitpanda.com
www.localbitcoins.com
www.paxful.com

You can find a larger list here:
hxxps://bitcoin.org/en/exchanges

If the payment is not made in 2 days, I will consider that you do not want to decrypt your files,
and therefore the keys generated for your PC will be permanently.deleted.

How Can You Protect Your Data from Ransomware Like Wikon?

Protecting your data from ransomware such as WiKoN involves several preventative measures, including:

• Backup your data regularly: Make sure to back up all your important data regularly to an external hard drive or cloud storage. This ensures that you have a copy of your data that is not affected by ransomware.
• Use anti-virus software: Install reputable anti-virus software on your computer to detect and remove ransomware and other malware.
• Keep software up-to-date: Ensure that all software on your computer is up-to-date, including the operating system and any applications, to avoid vulnerabilities that can be exploited by ransomware.
• Be cautious of email attachments and links: Do not open attachments or click on links in emails from unknown or suspicious sources.
• Use strong passwords: Create strong, unique passwords for all your accounts and avoid reusing passwords across different platforms.
• Educate yourself: Stay informed about the latest ransomware threats and educate yourself on how to avoid falling victim to these attacks.

By taking these measures, you can significantly reduce the risk of ransomware infecting your computer and encrypting your data.