VoidCrypt Variant K2 Ransomware Holds User Files at Ransom

A new variant of the destructive VoidCrypt ransomware has been spotted by researchers encrypting user computers and holding them for ransom. The latest threat, dubbed K2 ransomware, is an efficient file-encrypting malware capable of attacking both business and home users alike.

Users are warned that despite the plethora of malware distribution tricks, the most common cause of ransomware infections is phishing. Criminals use multiple platforms, including emails, social media, and chat platforms, to target a broad spectrum of potential victims.

Users should also bear in mind that a technique called “spoofing” is often deployed to make malicious messages appear to be from legitimate sources. Therefore, experts recommend all unexpected messages to be treated as potential threats.

How Does K2 Ransomware Operate

Upon infiltration, K2 will establish persistence by adding entries in the system’s registry. The threat will also launch a scan that detects the user-generated files, such as pictures, archives, documents, and databases.

K2 ransomware looks for files that could contain valuable information to leverage for a ransom. The file-locker will apply advanced cryptographic algorithms to encrypt the target files and prevent the victim from accessing their own data.

K2 will not delete the information saved in the files but will rather “lock” it and make it unavailable to the user and the OS. However, as K2 needs the host device to remain operational, it will not corrupt any OS-related files. The threat will also whitelist a file named “!INFO.HTA,” which contains a ransom-demanding message.

As a final step of its encryption process, K2 ransomware will rename the successfully encrypted files by following the pattern: [Original File Name].[Original File Extension].[Threat Operators’ email Address].[Random String of letters and digits that acts as a victim’s ID].[Ransomware Rxtension].

For example, a file named “User-Manual.pdf” could be renamed to “User-Manual.pdf.helpforfiles@xmpp.es.HKUYTFH6JH.k2.” 

Meanwhile, K2 ransomware will attempt to prevent file recovery by executing commands that delete any volume shadow copies.

Ransom Demands

Upon completing the file encryption procedure, K2 ransomware will drop its ransom note in the form of a file named “!INFO.HTA.”

Ransom Note Text:

K2’s ransom note informs the victim of their dire situation and offers a solution, for a price.

However, instead of being asked for a specific sum, victims are instructed to contact the threat operators via email. They are told to use either the helpforfiles@xmpp.es or helpforfiles@cock.li email address. Their messages could contain a couple of encrypted files that will be recovered as proof that the decryption software works.

Of course, this “generous” offer has a catch. Victims can send only small files that don’t contain valuable information.

Data Recovery

Sadly, as K2 ransomware was discovered only recently, no alternative decryption software is available for it yet.

However, cybersecurity experts recommend against involving the threat operators. Victims are warned that they are dealing with professional criminals, experienced in victim manipulation.

Ransomware operators are very likely to ignore their victims once the ransom payment is made. Practice also shows that victims who paid hefty ransoms often get blackmailed for additional payments.

Backups saved on external or cloud storage could be used for safe data recovery. However, victims are advised to remove the ransomware before they connect any external device to the infected machine. Otherwise, K2 ransomware could corrupt the backup device and encrypt the data saved on it.