Researchers recently discovered a new Dharma variant wreaking havoc on unsuspecting users. Dubbed Cve, the new ransomware is classified as a high-level threat as it is designed to encrypt data and extort payments from its victims.
About Cve Ransomware
Upon infiltration, Cve will launch a scan that detects user-generated data. The ransomware targets files that could contain important information, such as databases, spreadsheets, pictures, archives, etc.
Cve will use advanced cryptographic algorithms to lock the target data and prevent the user from accessing it. It will then rename the files following the pattern: [original name].[original extension].[victim ID].[criminals’ email address].cve. For example, a file named "taxes.xls" will be renamed to "taxes.xls.id-CS238sa34.firstname.lastname@example.org.cve".
Additionally, the ransomware will execute multiple commands to establish persistence and delete all backups.
Cve is developed to generate revenue by blackmailing its targets. To make sure that the victims get the message, Cve will save ransom-demanding notes called "FILES ENCRYPTED.txt" in every folder containing corrupted data. Additionally, it will display a pop-up window that contains payment instructions.
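A triage sketch for the two indicators described above, the rename pattern and the "FILES ENCRYPTED.txt" note. It is an added example, not code from the researchers or the original article. It assumes the victim ID has the form shown in the example ("id-" plus alphanumerics) and tolerates square brackets around the address; the file names in the demo tree are constructed.

```python
import os
import re
import tempfile

# Rename pattern from the article: [name].[ext].[victim ID].[email].cve
# Assumptions: ID looks like "id-<alphanumerics>"; address may sit in [brackets].
CVE_NAME = re.compile(
    r"^(?P<original>.+)\.(?P<victim_id>id-[A-Za-z0-9]+)"
    r"\.\[?(?P<email>[^\[\]\s@]+@[^\[\]\s@]+?)\]?\.cve$",
    re.IGNORECASE,
)
NOTE_NAME = "files encrypted.txt"  # ransom note name, compared case-insensitively

def parse_encrypted_name(filename):
    """Return original name, victim ID and contact address, or None."""
    match = CVE_NAME.match(filename)
    return match.groupdict() if match else None

def scan_tree(root):
    """Walk root and return (renamed-file hits, folders holding a ransom note)."""
    hits, note_dirs = [], []
    for dirpath, _subdirs, files in os.walk(root):
        for name in files:
            info = parse_encrypted_name(name)
            if info:
                hits.append({**info, "path": os.path.join(dirpath, name)})
            elif name.lower() == NOTE_NAME:
                note_dirs.append(dirpath)
    return hits, note_dirs

def build_demo_tree():
    """Create a temp folder of empty files with constructed names (not real samples)."""
    root = tempfile.mkdtemp(prefix="cve_demo_")
    os.mkdir(os.path.join(root, "docs"))
    for rel in (
        "docs/taxes.xls.id-CS238sa34.firstname.lastname@example.org.cve",
        "docs/photo.jpg.id-CS238sa34.[firstname.lastname@example.org].cve",
        "docs/FILES ENCRYPTED.txt",
        "archive.cve",  # .cve extension alone does not match the full pattern
    ):
        open(os.path.join(root, *rel.split("/")), "w").close()
    return root

if __name__ == "__main__":
    hits, note_dirs = scan_tree(build_demo_tree())
    for h in hits:
        print(f"{h['victim_id']} {h['email']} {h['path']} (was {h['original']})")
    print("ransom notes in:", note_dirs)
```

The recovered original names and the list of folders holding a note give a quick inventory of what was hit, which helps when deciding which backups to restore.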
Ransom Note Text:
“All your files have been encrypted!
All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail email@example.com
Write this ID in the title of your message -
In case of no answer in 24 hours write us to theese e-mails:firstname.lastname@example.org
You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files.
Free decryption as guarantee
Before paying you can send us up to 1 file for free decryption. The total size of files must be less than 1Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.)
How to obtain Bitcoins
The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price.
Also you can find other places to buy Bitcoins and beginners guide here:
Do not rename encrypted files.
Do not try to decrypt your data using third party software, it may cause permanent data loss.
Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.”
Victims are instructed to contact the criminals via email. The messages should be addressed to email@example.com or firstname.lastname@example.org and must include the victim's ID, which is mentioned in the ransom note.
The ransom note doesn't specify an exact ransom amount. However, it states that payment is expected in Bitcoin and that the price depends on how quickly the victim contacts the criminals.
Victims are offered free decryption of one file as proof that decryption is possible. Victims can attach small files (up to 1MB) to their email messages.
Additionally, victims are warned not to rename their files and to refrain from using third-party decryption tools as such action could lead to data loss.
How Cve Travels the Web
Hackers commonly distribute ransomware threats through targeted brute-force attacks. Cve, however, is different. This threat is spread via mass-distribution methods that target a broad spectrum of potential victims.
Cve could reach its victims through spam emails, corrupted links, pirated/cracked software, and malicious ads. Trojans could also deliver the ransomware as a second-stage malware.
Security researchers say that most cyber infections, ransomware included, are preventable. The criminals target unprepared users who don't do their due diligence. The key to an infection-free computer is caution. Users are advised to apply the best security practices and to keep their computers updated with the latest security updates.