CoderWare Ransomware Extorts $1,000 Payments From Its Victims

A file-encrypting threat by the name of CoderWare has been spotted extorting payments from its victims. CoderWare ransomware follows the classic pattern: encrypt the data, blackmail the victim, and collect the payment in Bitcoin.

Researchers warn that CoderWare is developed solely for ransom extortion purposes. The creators of this menace are ruthless criminals who will not hesitate to double-cross their victims.

CoderWare’s Distribution Vector

Like many other ransomware threats, CoderWare relies on mass-distribution techniques, such as phishing messages, torrent platforms, unofficial software activation tools, and malicious advertisements. Trojan horse viruses could also drop the threat as second-stage malware.

However, researchers point out that the most common cause of ransomware infections is the phishing message. Whether through emails or instant messages, criminals exploit current news and events to build socially engineered traps. They also use a technique called "spoofing" to make their malicious messages appear to come from legitimate senders.

How Does CoderWare Ransomware Operate?

Upon infiltration, CoderWare establishes persistence by creating entries in the system registry. The ransomware also attempts to hinder quick file recovery by deleting the shadow volume copies (the automatic backups that Windows keeps).

CoderWare then scans the system for user-generated files, such as pictures, databases, archives, and presentations. The threat is looking for files containing valuable information that can be used as leverage in the subsequent ransom negotiation.

The ransomware uses cryptographic algorithms to encrypt the detected files and restricts the user's permissions on them. This operation does not delete the data; it "locks" it so that it is inaccessible to the user.

As the final step of the encryption routine, CoderWare renames the affected files by appending the ".DEMON" extension. For example, a file named "presentations.rar" is renamed to "presentations.rar.DEMON".
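The two artifacts described above (the ".DEMON" suffix) and in the Ransom Demands section below (the "README.txt" note) are enough for a first-pass triage of an affected file share. The following script is an added example, not code from the article: it walks a directory tree, lists the files that carry the ".DEMON" extension together with the original name each was renamed from, and flags any README.txt containing phrases from the quoted ransom note. The directory layout it runs on is constructed for the test.

```python
"""Triage helper for a CoderWare-style infection (added example, not from the
original article). Reports ".DEMON"-suffixed files, the names they were renamed
from, and README.txt files matching the quoted ransom note."""
import os
from pathlib import Path

ENCRYPTED_SUFFIX = ".DEMON"
NOTE_FILENAME = "README.txt"
# Phrases taken from the ransom note quoted in the article; any one flags a note.
NOTE_MARKERS = ("CoderWare ransomware", "tuhafcoderus@protonmail.com")


def original_name(name):
    """'presentations.rar.DEMON' -> 'presentations.rar'; None if not renamed."""
    name = os.fspath(name)
    if name.endswith(ENCRYPTED_SUFFIX):
        return name[: -len(ENCRYPTED_SUFFIX)]
    return None


def is_ransom_note(path):
    """True when the file is named README.txt and contains a known note phrase."""
    path = Path(path)
    if path.name != NOTE_FILENAME:
        return False
    try:
        text = path.read_text(errors="ignore")
    except OSError:
        return False
    return any(marker in text for marker in NOTE_MARKERS)


def triage(root):
    """Return {'encrypted': [original paths], 'notes': [note paths]}, sorted."""
    result = {"encrypted": [], "notes": []}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            full = os.path.join(dirpath, fname)
            orig = original_name(fname)
            if orig is not None:
                # Record the pre-encryption name so the affected set is readable.
                result["encrypted"].append(os.path.join(dirpath, orig))
            elif is_ransom_note(full):
                result["notes"].append(full)
    result["encrypted"].sort()
    result["notes"].sort()
    return result
```

The list of original names doubles as a checklist of what must be restored from backup.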

Ransom Demands

Upon completing the file encryption procedure, CoderWare displays a pop-up window and creates a text file called "README.txt", both of which contain the ransom-demanding message.

Ransom Note Text:

“hey Down!

Seems like you got hit by CoderWare ransomware!

warning: take a screenshot of this place. If you lose the information here, you'll never get to us. and it would be impossible to get your dosys

Don't Panic, you get have your files back!

CoderWare uses a basic encryption script to lock your files. This type of ransomware is known as CRYPTO.

You'll need a decryption key in order to unlock your files.

Your files will be deleted when the timer runs out, so you better hurry. You have 10 hours to find your key

When you pay >>> 1000$ <<< to the Bitcoin address below,

you will need to send a single as proof to our e-mail address,

and if the receipt is correct, your code to decrypt our files to your e-mail address. It will be sent back to you via e-mail.

But you have to be quick for that. Because you have 10 hours. If you do not pay within 10 hours, your files will be permanently deleted.

And it would be out of reach again. If you don't know how to get bitcoin.

hxxps://buy.moonpay.io

can quickly get your credit or debit card online from the website.

Please type the bitcoin address shown on the screen in the wallet field on the website. If you try to shut it down by force,

you'll lose your dosys. because if you lose your bitcoin address,

you won't be able to pay. and you'll never get your files back.

email: tuhafcoderus@protonmail.com

bitcion Adress : 336Fvf8fRrpySwq8gsaWdf7gfuGm5FQi8K

telegram : @Codersan

whatsap: +63 997 401 3126”

CoderWare's ransom note contains detailed instructions on how a ransom should be paid. Victims are told to transfer $1,000-worth of Bitcoin to a specified cyber wallet. Upon completing the transaction, they are instructed to prove that the payment is successful by forwarding the transaction receipt to the tuhafcoderus@protonmail.com email address.

Victims have only 10 hours to finalize the payment transaction. They are warned that the only decryption key will be permanently deleted if they fail to meet the tight deadline.

However, researchers advise against paying the ransom as such actions will encourage the criminals to continue their illegal operations.

Data recovery

Sadly, as CoderWare was discovered only recently, no third-party decryption tool for it exists yet. Backups stored on external drives or in the cloud can, of course, be used to restore the data.

However, victims are recommended not to get in touch with the threat operators because these criminals are experienced manipulators who promise miracles but rarely deliver.

Practice shows that when ransomware victims run into problems during decryption, the criminals often ignore their pleas. Experts suggest this may be because the threat operators lack the technical skills to support their victims, or because they prefer to spend their time finding new victims rather than on those who have already paid.

Reactionary Times News Desk
