A variant of the infamous CONTI ransomware has been spotted wreaking havoc on the net. Researchers warn that the malware, dubbed XNMMP ransomware, is created for the sole purpose of extorting payments from unsuspecting victims.
Upon infiltrating an operating system, XNMMP immediately launches a scan for user-generated files. The ransomware looks for files likely to hold valuable information, such as databases, archives, pictures, documents, and spreadsheets.
Victims can quickly notice the affected files because XNMMP renames each successfully encrypted file by appending the ".TJODT" extension. For example, a document called "instructions.docx" is renamed to "instructions.docx.TJODT".
Meanwhile, XNMMP will establish persistence by executing commands that modify the system registry. By doing so, the ransomware ensures that its malicious code will be loaded every time the OS is rebooted.
XNMMP is designed to create a file named "R3ADM3.txt" in every folder that holds encrypted data. These text files are left unencrypted because they carry the ransom-demanding message addressed to the victim.
Ransom Note Text:
“All of your files are currently encrypted by CONTI ransomware.
If you try to use any additional recovery software - the files might be damaged or lost.
To make sure that we REALLY CAN recover data - we offer you to decrypt samples.
You can contact us for further instructions through our website :
TOR VERSION :
(you should download and install TOR browser first hxxps://torproject.org)
HTTPS VERSION :
YOU SHOULD BE AWARE!
Just in case, if you try to ignore us. We've downloaded your data and are ready to publish it on our news website if you do not respond. So it will be better for both sides if you contact us ASAP.”
XNMMP's ransom note informs the victim that their data is not lost and that a solution is available for a price.
Instead of naming a specific ransom amount, victims are instructed to install the Tor web browser and access a web page, a link to which is provided in the ransom note.
Victims are warned that if they choose not to pay, their data will be leaked online. Although it has become a practice for ransomware operators to exfiltrate data and use it as leverage in ransom negotiations, there is no evidence that XNMMP ransomware is capable of stealing information.
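The file-system indicators described above (the ".TJODT" extension appended to encrypted files, the "R3ADM3.txt" note dropped into every affected folder, and the opening line of that note) are enough for a first triage pass over a suspect machine or share. The following Python script is an added example, not code from the original article or from any vendor tool: it walks a directory tree, lists encrypted files and the folders they sit in, and separates genuine ransom notes from stray files that merely share the note's name. The function names, the constructed sample tree built in a temporary directory, and the file contents are all assumptions made for this illustration.

```python
"""Triage scan for XNMMP file-system indicators (added example, constructed).

Assumptions not taken from the article: the scan root, the sample tree built
in a temporary directory, and all function names are invented here.
"""
import os
import tempfile
from pathlib import Path

ENCRYPTED_EXT = ".TJODT"          # extension XNMMP appends to encrypted files
RANSOM_NOTE_NAME = "R3ADM3.txt"   # note dropped into every folder with encrypted data
NOTE_MARKER = "encrypted by CONTI ransomware"  # phrase from the quoted note's first line


def scan_for_xnmmp_artifacts(root):
    """Walk `root` and collect XNMMP indicators.

    Returns a dict with:
      encrypted - paths whose name ends in .TJODT (case-sensitive, as shown in the article)
      notes     - R3ADM3.txt files whose text contains the CONTI phrase
      suspect   - R3ADM3.txt files that lack the phrase (possible false positive)
      folders   - sorted list of folders holding at least one encrypted file
    """
    result = {"encrypted": [], "notes": [], "suspect": [], "folders": set()}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            if name.endswith(ENCRYPTED_EXT):
                result["encrypted"].append(str(path))
                result["folders"].add(dirpath)
            elif name == RANSOM_NOTE_NAME:
                try:
                    text = path.read_text(errors="replace")
                except OSError:
                    text = ""  # unreadable note is treated as unconfirmed
                bucket = "notes" if NOTE_MARKER in text else "suspect"
                result[bucket].append(str(path))
    result["folders"] = sorted(result["folders"])
    return result


def original_name(encrypted_path):
    """Strip the appended extension to recover the pre-encryption file name."""
    name = os.path.basename(encrypted_path)
    if name.endswith(ENCRYPTED_EXT):
        return name[: -len(ENCRYPTED_EXT)]
    return name


def build_sample_tree():
    """Create a constructed directory tree that mimics an infected share.

    Returns the root path. Every file here is made up for this example.
    """
    root = tempfile.mkdtemp(prefix="xnmmp_demo_")
    docs = Path(root) / "Documents"
    pics = Path(root) / "Pictures"
    clean = Path(root) / "Empty"
    for folder in (docs, pics, clean):
        folder.mkdir()
    note_text = "All of your files are currently encrypted by CONTI ransomware.\n"
    (docs / "instructions.docx.TJODT").write_bytes(b"\x00" * 16)
    (docs / "budget.xlsx.TJODT").write_bytes(b"\x00" * 16)
    (docs / RANSOM_NOTE_NAME).write_text(note_text)
    (pics / "holiday.jpg.TJODT").write_bytes(b"\x00" * 16)
    (pics / RANSOM_NOTE_NAME).write_text(note_text)
    # A stray file with the note's name but unrelated content: reported as suspect
    (clean / RANSOM_NOTE_NAME).write_text("readme placeholder\n")
    (clean / "notes.txt").write_text("not encrypted\n")
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    report = scan_for_xnmmp_artifacts(sample_root)
    print(f"encrypted files: {len(report['encrypted'])}")
    print(f"ransom notes:    {len(report['notes'])}")
    print(f"suspect notes:   {len(report['suspect'])}")
    for encrypted in report["encrypted"]:
        print(f"  {encrypted} -> {original_name(encrypted)}")
```

Run it against a real mount point by calling `scan_for_xnmmp_artifacts("/path/to/share")` instead of the constructed tree; the list of affected folders is what you need to scope restoration from backups, and checking the note's content rather than only its name keeps an unrelated "R3ADM3.txt" from inflating the count.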
As XNMMP ransomware was first detected only recently, it has not yet been fully analyzed, so no third-party decryption tool is available. Experts nevertheless recommend against paying the ransom.
Practice shows that ransomware operators are more likely to double-cross their victims than to keep their part of the deal. These experienced manipulators are known to use tricks to lure their victims into unwanted actions.
Experts also point out that by paying the ransom, victims not only risk losing money but also finance crime. Threat actors collect ransom payments to expand their illegal operations.
A flaw in XNMMP's implementation could allow researchers to develop decryption software. If the user cannot afford to wait for such a tool, file backups stored on external devices can be used for data recovery. Of course, victims are warned to remove XNMMP before attempting any data recovery; otherwise, the threat will reach the backup device and encrypt the files saved on it as well.
Although ransomware threats are known to be deployed in human-operated attacks, XNMMP relies on mass distribution techniques that target a broad spectrum of potential victims. The virus lurks behind classic distribution tricks such as malicious emails, corrupted links, and fake updates. In rare cases, a trojan horse could deliver XNMMP as second-stage malware.
Experts explain that the most common cause of such infections is unprepared users. Criminals run massive malspam campaigns that trigger emotion-driven behavior and push the recipient into acting impulsively.
Good cyber hygiene can prevent these tricks from succeeding. Users are advised to treat all unexpected emails as potentially dangerous and to follow established security best practices.