A new member of the GlobeImposter ransomware family was spotted in the wild. Researchers warn of a file-locker called YAYA, which follows the standard ransomware playbook: it holds victims' data hostage until a ransom is paid.
YAYA encrypts the files it finds so that they can no longer be opened. The data is not destroyed; it is still on disk, but without the decryption key it cannot be read, which is what makes it inaccessible to the user.
As the final step of the encryption process, YAYA renames each encrypted file by appending the ".YAYA" extension. For example, a file named "August-Invoice.pdf" becomes "August-Invoice.pdf.YAYA".
Additionally, YAYA executes commands that establish its persistence on the machine and delete the Volume Shadow Copies. Shadow copies are the built-in Windows snapshots that "Previous Versions" and System Restore rely on, so deleting them removes the easiest local way to recover files and makes it harder for users to restore their computers without assistance.
Upon completing the encryption process, YAYA creates a file named "how_to_back_files.html" that contains the ransom-demanding message.
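The behaviour described above (encrypted files renamed with the ".YAYA" extension, shadow copies deleted, a "how_to_back_files.html" note dropped) gives a responder three concrete things to look for when scoping an infection. The script below is an added triage example written for this article; it is not code from the article's researchers and has nothing to do with the malware's own code. It scans a directory tree for the renamed files and notes, tallies which file types were hit, and flags process-creation log lines that delete shadow copies. The extension and note name come from the article; the exact commands YAYA uses to delete shadow copies are not stated, so the command patterns (vssadmin, wmic, bcdedit, wbadmin) are an assumption based on what ransomware families commonly run, and both the sample file tree and the log lines are constructed test data.

```python
"""
Triage helper for a YAYA-style infection (added illustration, not code
from the original article or from the YAYA malware).

Assumptions, labelled as such: the ".YAYA" extension and the
"how_to_back_files.html" note name come from the article; the exact
shadow-copy deletion commands YAYA runs are not stated there, so the
patterns below are the commands ransomware families commonly use and
are an assumption. The file tree and log lines are constructed samples.
"""
import os
import re
import tempfile
from collections import Counter

ENCRYPTED_EXT = ".YAYA"
NOTE_NAME = "how_to_back_files.html"

# Command lines that delete shadow copies or disable recovery.
# Case-insensitive; this list is an assumption, not taken from the article.
SHADOW_DELETE_PATTERNS = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"Win32_ShadowCopy", re.I),
    re.compile(r"bcdedit(\.exe)?\s+/set\s+\S+\s+recoveryenabled\s+no", re.I),
    re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I),
]


def scan_tree(root):
    """Walk a directory tree and report encrypted files and ransom notes.

    Returns a dict with the count of '.YAYA' files, a Counter of their
    original extensions (to scope what kind of data was hit), and the
    directories that contain a ransom note.
    """
    result = {"encrypted": 0, "original_exts": Counter(), "note_dirs": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name == NOTE_NAME:
                result["note_dirs"].append(dirpath)
            elif name.endswith(ENCRYPTED_EXT):
                result["encrypted"] += 1
                # 'August-Invoice.pdf.YAYA' -> original extension '.pdf'
                original = name[: -len(ENCRYPTED_EXT)]
                ext = os.path.splitext(original)[1].lower() or "(none)"
                result["original_exts"][ext] += 1
    return result


def flag_shadow_copy_deletion(log_lines):
    """Return the log lines whose command line matches a shadow-copy
    deletion or recovery-disabling pattern, in the order seen."""
    return [line for line in log_lines
            if any(p.search(line) for p in SHADOW_DELETE_PATTERNS)]


def build_sample_tree():
    """Create a constructed sample tree mimicking a post-encryption host."""
    root = tempfile.mkdtemp(prefix="yaya_triage_")
    docs = os.path.join(root, "Documents")
    pics = os.path.join(root, "Pictures")
    os.makedirs(docs)
    os.makedirs(pics)
    for name in ("August-Invoice.pdf.YAYA", "budget.xlsx.YAYA", NOTE_NAME):
        open(os.path.join(docs, name), "w").close()
    for name in ("holiday.jpg.YAYA", "notes.txt", NOTE_NAME):
        open(os.path.join(pics, name), "w").close()
    return root


# Constructed process-creation log lines (Sysmon-like, one event per line).
SAMPLE_LOGS = [
    "EventID=1 Image=C:\\Windows\\System32\\vssadmin.exe CommandLine=vssadmin.exe delete shadows /all /quiet",
    "EventID=1 Image=C:\\Windows\\System32\\notepad.exe CommandLine=notepad.exe report.txt",
    "EventID=1 Image=C:\\Windows\\System32\\wbem\\WMIC.exe CommandLine=wmic shadowcopy delete",
    "EventID=1 Image=C:\\Windows\\System32\\bcdedit.exe CommandLine=bcdedit /set {default} recoveryenabled No",
    "EventID=1 Image=C:\\Windows\\explorer.exe CommandLine=explorer.exe",
]


if __name__ == "__main__":
    root = build_sample_tree()
    report = scan_tree(root)
    print(f"encrypted files: {report['encrypted']}")
    print(f"by original type: {dict(report['original_exts'])}")
    print(f"ransom notes in: {report['note_dirs']}")
    for hit in flag_shadow_copy_deletion(SAMPLE_LOGS):
        print("shadow-copy tampering:", hit)
```

On a real host you would point `scan_tree` at the drive root (or a mounted forensic image) and feed `flag_shadow_copy_deletion` exported Sysmon or Security event command lines; the shadow-copy hits are worth alerting on even before any ".YAYA" files appear, since the deletion typically precedes or accompanies encryption.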
Ransom Note Text:
“YOUR PERSONAL ID
YOUR FILES ARE ENCRYPTED!
TO DECRYPT, FOLLOW THE INSTRUCTIONS BELOW.
To recover data you need decryptor.
To get the decryptor you should:
Send 1 crypted test image or text file or document to firstname.lastname@example.org
(Or alternate mail email@example.com )
In the letter include your personal ID (look at the beginning of this document).
We will give you the decrypted file and assign the price for decryption all files
After we send you instruction how to pay for decrypt and after payment you will receive a decryptor and instructions We can decrypt one file in quality the evidence that we have the decoder.
Do not contact other services that promise to decrypt your files, this is fraud on their part! They will buy a decoder from us, and you will pay more for his services. No one, except firstname.lastname@example.org, will decrypt your files.
Only email@example.com can decrypt your files
Do not trust anyone besides firstname.lastname@example.org
Antivirus programs can delete this document and you can not contact us later.
Attempts to self-decrypting files will result in the loss of your data
Decoders other users are not compatible with your data, because each user's unique encryption key”
YAYA's ransom note states that a decryption tool can recover the encrypted data for a price. It also offers free decryption of one file as proof that the decryptor works.
The decryption price is not specified; victims are instructed to contact the operators by email at either the email@example.com or firstname.lastname@example.org address, and their messages must include the personal ID printed at the top of the ransom note.
Additionally, victims are warned not to use third-party decryption tools, the note claiming that such offers come from scammers selling nonfunctional software.
Unfortunately, as YAYA was only recently discovered, no free third-party decryptor is available for it yet. Researchers nonetheless recommend against contacting the criminals.
Victims should bear in mind that they are dealing with experienced manipulators who are unlikely to keep their part of the deal. Experience shows that ransomware victims are often ignored once the ransom is paid, and there are many cases of victims who paid and were immediately extorted for more.
Instead of paying the ransom, victims can recover their files from backups kept on external or cloud storage. The ransomware must be fully removed before any external device is connected to the host, however; otherwise a still-active YAYA will encrypt the backup as soon as it is mounted. For the same reason, backups that are kept offline or that cannot be overwritten from the infected machine are the ones that survive.
Although ransomware is often deployed in targeted, human-operated intrusions, there is no evidence that YAYA was used in a hands-on attack.
Commodity ransomware such as YAYA is usually spread through mass-distribution techniques. Criminals use spam emails, malicious links, torrent sites, phishing websites, and many other tricks to lure victims into opening or running the payload.
Experts warn that the most common cause of infection is simple carelessness. Criminals prey on users who do not take the time to check what they are opening or running. The good news is that even a little extra attention goes a long way.
Users are therefore advised to do their part and maintain good cyber hygiene.