A new variant of the destructive VoidCrypt ransomware has been spotted by researchers encrypting user computers and holding them for ransom. The latest threat, dubbed K2 ransomware, is an efficient file-encrypting malware capable of attacking both business and home users alike.
Users are warned that despite the plethora of malware distribution tricks, the most common cause of ransomware infections is phishing. Criminals use multiple platforms, including emails, social media, and chat platforms, to target a broad spectrum of potential victims.
Users should also bear in mind that a technique called “spoofing” is often deployed to make malicious messages appear to come from legitimate sources. Therefore, experts recommend that all unexpected messages be treated as potential threats.
How Does K2 Ransomware Operate?
Upon infiltration, K2 will establish persistence by adding entries in the system’s registry. The threat will also launch a scan that detects the user-generated files, such as pictures, archives, documents, and databases.
K2 ransomware looks for files that could contain valuable information to leverage for a ransom. The file-locker will apply advanced cryptographic algorithms to encrypt the target files and prevent the victim from accessing their own data.
K2 will not delete the information saved in the files but will rather “lock” it and make it unavailable to the user and the OS. However, as K2 needs the host device to remain operational, it will not corrupt any OS-related files. The threat will also whitelist a file named “!INFO.HTA,” which contains a ransom-demanding message.
As a final step of its encryption process, K2 ransomware will rename the successfully encrypted files by following the pattern: [Original File Name].[Original File Extension].[Threat Operators’ Email Address].[Random String of Letters and Digits That Acts as a Victim ID].[Ransomware Extension].
For example, a file named “User-Manual.pdf” could be renamed to “User-Manual.email@example.com.HKUYTFH6JH.k2.”
Meanwhile, K2 ransomware will attempt to prevent file recovery by executing commands that delete any volume shadow copies.
Upon completing the file encryption procedure, K2 ransomware will drop its ransom note in the form of a file named “!INFO.HTA.”
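As an added illustration that is not part of the original report, the following Python snippet parses the file-naming pattern described above over a constructed directory listing: it flags files carrying the K2 rename, recovers their original names, and pulls out the victim ID and contact address for incident triage, while also checking for the “!INFO.HTA” note by name. The sample file names are constructed for the demo, and the regular expression is an assumption based on the pattern and example quoted in the article.

```python
import re

# Constructed directory listing for the demo (not taken from a real infection).
SAMPLE_LISTING = [
    "User-Manual.email@example.com.HKUYTFH6JH.k2",      # the article's own example
    "Q3-budget.xlsx.email@example.com.HKUYTFH6JH.k2",   # original extension kept
    "photo.jpg",                                        # untouched file
    "!INFO.HTA",                                        # ransom note name from the article
    "notes.txt.someone@mail.example.k2",                # no victim ID -> not a K2 rename
]

# Assumed regex for: <original name>[.<ext>].<operator e-mail>.<victim id>.k2
# The e-mail domain must contain at least one dot, which keeps the last
# domain label from being mistaken for the victim ID.
K2_NAME_RE = re.compile(
    r"^(?P<original>.+?)"
    r"\.(?P<email>[^.@\s]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)"
    r"\.(?P<victim_id>[A-Za-z0-9]+)"
    r"\.k2$",
    re.IGNORECASE,
)


def parse_k2_name(name):
    """Return the original name, operator e-mail and victim ID, or None."""
    m = K2_NAME_RE.match(name)
    return m.groupdict() if m else None


def triage(listing):
    """Summarise a directory listing: which files were renamed by K2,
    what they were called before, and which IDs/addresses appear."""
    parsed = [(n, parse_k2_name(n)) for n in listing]
    encrypted = [(n, p) for n, p in parsed if p]
    return {
        "encrypted": [n for n, _ in encrypted],
        "originals": [p["original"] for _, p in encrypted],
        "victim_ids": sorted({p["victim_id"] for _, p in encrypted}),
        "emails": sorted({p["email"].lower() for _, p in encrypted}),
        # The article states the note file is whitelisted from encryption.
        "ransom_note_present": any(n.upper() == "!INFO.HTA" for n in listing),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LISTING).items():
        print(f"{key}: {value}")
```

The recovered original names can be used to match encrypted files against a clean backup, and the victim ID and address give a consistent indicator to search for across other hosts.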
Ransom Note Text:
“!!! Your Files Has Been Encrypted !!!
♦ your files has been locked with highest secure cryptography algorithm ♦
♦ there is no way to decrypt your files without paying and buying Decryption tool♦
♦ but after 48 hour decryption price will be double♦
♦ you can send some little files for decryption test♦
♦ test file should not contain valuable data♦
♦ after payment you will get decryption tool ( payment Should be with Bitcoin)♦
♦ so if you want your files dont be shy feel free to contact us and do an agreement on price♦
♦ !!! or Delete you files if you dont need them !!!
♦Your ID :-
our Email :Helpforfiles@xmpp.es
In Case Of No Answer :Helpforfiles@cock.li”
K2’s ransom note informs the victim of their dire situation and offers a solution, for a price.
However, instead of being asked for a specific sum, victims are instructed to contact the threat operators via email, using either the Helpforfiles@xmpp.es address or, if there is no answer, Helpforfiles@cock.li. Their messages may include a couple of encrypted files, which the operators will decrypt as proof that the decryption software works.
Of course, this “generous” offer has a catch. Victims can send only small files that don’t contain valuable information.
Sadly, as K2 ransomware was discovered only recently, no alternative decryption software is available for it yet.
However, cybersecurity experts recommend against involving the threat operators. Victims are warned that they are dealing with professional criminals, experienced in victim manipulation.
Ransomware operators are very likely to ignore their victims once the ransom payment is made. Practice also shows that victims who paid hefty ransoms often get blackmailed for additional payments.
Backups saved on external or cloud storage could be used for safe data recovery. However, victims are advised to remove the ransomware before they connect any external device to the infected machine. Otherwise, K2 ransomware could corrupt the backup device and encrypt the data saved on it.