Cybersecurity researchers issued a warning regarding a new ransomware threat called DUSK 2. The threat is a variant of the dangerous Dusk ransomware, which popped up on the malware scene only recently, in late September 2020.
Upon successful infiltration, DUSK 2 will launch a scan that detects user-generated files on a computer, such as pictures, databases, archives, and backups. The threat searches for files that could contain valuable information and could be used as leverage in ransom negotiation.
DUSK 2 then uses advanced cryptographic algorithms to encrypt the detected files and prevent the user from accessing them. Researchers note that this process doesn't destroy the data but rather "locks" it, restricting the user's access.
As a step in its encryption process, DUSK 2 will rename the successfully locked files by adding the ".DUSK" extension to them. For example, a file named "March-Invoice.pdf" will be renamed to "March-Invoice.pdf.DUSK."
DUSK 2 will keep all ".DUSK" files as hostages until the victim pays a ransom. Files named "README.txt," which are saved to every folder containing encrypted files, present the victim with a ransom-demanding message.
Ransom Note Text:
$$$$$$$\ $$\ $$\ $$$$$$\ $$\ $$\
$$ __$$\ $$ | $$ |$$ __$$\ $$ | $$ |
$$ | $$ |$$ | $$ |$$ / \__|$$ |$$ /
$$ | $$ |$$ | $$ |\$$$$$$\ $$$$$ /
$$ | $$ |$$ | $$ | \____$$\ $$ $$<
$$ | $$ |$$ | $$ |$$\ $$ |$$ |\$$\
$$$$$$$ |\$$$$$$ |\$$$$$$ |$$ | \$$\
\_______/ \______/ \______/ \__| \__|
\__/ $$ |
All your files have been encrypted using military grade encryption algorithms!
They cannot be decrypted without our securely generated key.
The only thing you can do now is buy your key and decryptor.
The price is 80 USD.
The only payment method we accept is BitCoin.
How to obtain Bitcoins?
The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price.
Also you can find other places to buy Bitcoins and beginners guide here:
How to contact you for the payment?
We use E-Mail to contact with our customers.
When contacting us please send your personal ID that can be seen at the end of the message.
Our main e-mail is:
Our backup e-mail is:
Write to our backup e-mail only when you don't receive reply from our main e-mail in 48 hours.
Why do we do that?
We are anonymous good people. We will transfer 75% of what we earn for good purposes.
If you're so evil
If you're evil and don't trust us you can send up to 2 files for free decryption. They can't weigh more than 2 MB (non-archived).
Do not try restore files without our help, this is useless and you may lose data permanently
Do not rename encrypted files!
Do not use third party "decryptors"
Do not try to remove our heavenly software using evil AntiVirus or AntiMalware software
Personal ID ---
Additionally, the ransomware changes the desktop wallpaper to a message that urges the victim to open the "README.txt" file.
Desktop Wallpaper Text:
Your files have been encrypted and they're now inaccessible!
But there's still a hope for you
DUSK 2's ransom note is a straightforward message, which informs the victim that their data is recoverable.
While the decryption price is set to $80 worth of BitCoin, victims are instructed to contact the criminals before making the payment. Their messages are to be addressed to one of the two email addresses listed in the note; the backup address is to be used only if the main one does not reply within 48 hours. Victims can also attach two small files to their letters, which will be decrypted as proof that the software works.
Additionally, the note lists several warnings that instruct the victim to refrain from using "evil" anti-virus and anti-malware tools.
As DUSK 2 was discovered only recently, no third-party decryptor is available to unlock the encryption. The good news is that the ransomware has not yet been fully analyzed: flaws in its code could allow researchers to come up with decryption software soon.
In the meantime, users are advised not to get in touch with the threat operators. These criminals are experienced manipulators who know how to get what they want.
Practice shows that ransomware operators often double-cross their victims. There are multiple cases of victims who paid the ransom and were instantly blackmailed for more. There are also instances of victims who received nonfunctional decryption tools. Of course, more often than not, victims are ignored if an issue pops up.
Furthermore, victims should also bear in mind that by paying the ransom, they not only risk losing money but also encourage criminals to expand their malicious business.
Victims can recover their files using data backups. As DUSK 2 deletes the Volume Shadow Copies, no quick solution is available. However, backups stored on external and cloud storage can be used.
Experts warn that before any file-recovery operation is attempted, the ransomware must be removed. Otherwise, DUSK 2 will corrupt the backup device and encrypt the data saved on it.
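The two artifacts described earlier, files renamed with the ".DUSK" extension and a "README.txt" ransom note in every folder holding encrypted files, are also what a responder should look for on a backup volume before trusting it for the restoration step above. The following Python script is an added example written for this article, not code from the original report or from any analysis of the malware: it walks a directory tree read-only, collects both indicators, flags "README.txt" files that carry the note's opening line, and derives the original filename from a renamed one without touching the file. The sample folder layout it builds in a temporary directory is constructed for the demonstration; the marker phrase is taken from the ransom note quoted above.

```python
"""Triage helper for the DUSK 2 file-encryption artifacts described in the report.

Added example, not code from the original report. It walks a directory tree
(a victim drive, or a backup volume about to be used for restoration) and
reports two indicators the report names: files renamed with the ".DUSK"
extension and "README.txt" ransom notes carrying the note's opening line.
The sample tree built in build_sample_tree() is constructed for this example.
"""
import os
import tempfile
from dataclasses import dataclass, field
from pathlib import Path

ENCRYPTED_EXT = ".DUSK"      # appended to locked files, e.g. March-Invoice.pdf.DUSK
NOTE_NAME = "README.txt"     # dropped into every folder holding encrypted files
NOTE_MARKER = "All your files have been encrypted"  # opening line of the quoted note


@dataclass
class ScanResult:
    encrypted: list = field(default_factory=list)      # paths of *.DUSK files
    notes: list = field(default_factory=list)          # paths of matching README.txt notes
    orphan_notes: list = field(default_factory=list)   # notes in folders with no *.DUSK files

    @property
    def clean(self) -> bool:
        """True when neither indicator was found anywhere under the scanned root."""
        return not self.encrypted and not self.notes


def is_ransom_note(path: Path) -> bool:
    """A README.txt counts as a DUSK note only if it carries the marker phrase."""
    if path.name.lower() != NOTE_NAME.lower():
        return False
    try:
        head = path.read_text(errors="ignore")[:4096]
    except OSError:
        return False
    return NOTE_MARKER.lower() in head.lower()


def scan_tree(root) -> ScanResult:
    """Walk root and collect DUSK 2 indicators; read-only, never modifies files."""
    result = ScanResult()
    for dirpath, _dirs, files in os.walk(root):
        folder = Path(dirpath)
        locked_here = [folder / f for f in files if f.endswith(ENCRYPTED_EXT)]
        result.encrypted.extend(locked_here)
        for f in files:
            p = folder / f
            if is_ransom_note(p):
                result.notes.append(p)
                if not locked_here:
                    result.orphan_notes.append(p)
    return result


def original_name(path) -> str:
    """Derive the pre-encryption filename from a renamed one (name only; the file is not renamed)."""
    name = Path(path).name
    return name[: -len(ENCRYPTED_EXT)] if name.endswith(ENCRYPTED_EXT) else name


def build_sample_tree(base: Path) -> None:
    """Constructed sample: one infected folder and one clean folder with an unrelated README."""
    infected = base / "Finance"
    infected.mkdir()
    (infected / "March-Invoice.pdf.DUSK").write_bytes(b"\x00" * 32)
    (infected / "ledger.db.DUSK").write_bytes(b"\x00" * 32)
    (infected / NOTE_NAME).write_text(
        "All your files have been encrypted using military grade encryption algorithms!\n")
    clean = base / "Photos"
    clean.mkdir()
    (clean / "holiday.jpg").write_bytes(b"\xff\xd8\xff")
    (clean / NOTE_NAME).write_text("Project notes, nothing to do with malware.\n")


def demo() -> dict:
    """Run the scanner over the constructed tree and summarise the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        build_sample_tree(base)
        r = scan_tree(base)
        return {
            "encrypted": len(r.encrypted),
            "notes": len(r.notes),
            "orphan_notes": len(r.orphan_notes),
            "clean": r.clean,
            "originals": sorted(original_name(p) for p in r.encrypted),
        }


if __name__ == "__main__":
    print(demo())
```

Run it against a mounted backup volume instead of the constructed tree by calling scan_tree() on that path; a result whose clean property is False means the medium was reachable by the ransomware and must not be restored from until the infection is removed. The orphan_notes list separates a note left in an otherwise untouched folder (worth a closer look) from the expected note-beside-encrypted-files pattern, and the plain README in the sample shows why the marker check, not the filename alone, decides what counts as a note.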
Like plenty of other ransomware threats, DUSK 2 relies on mass-distribution techniques, such as malicious emails, fake updates, corrupted links, and torrent platforms.
Researchers warn that criminals use various social engineering tricks to lure naive users into unwanted actions. Only good cyber hygiene can prevent these tricksters from infecting more devices.
Therefore, users are strongly recommended to follow the best security practices diligently.