CLUB Ransomware

The CLUB Ransomware is yet another member of the ever-growing Dharma Ransomware family. There is nothing special about the CLUB Ransomware, particularl, that would set it apart from its cousins, except the bad actors using a different contact email and the encrypted files receiving a different extension.

Otherwise, the CLUB Ransomware behaves like other Dharma clones – it encrypts a large number of file types on the victi's computer, makes them inaccessible, and then demands payment in Bitcoin to supposedly restore access to them.

In this particular version, the encrypted files get a modified filename and receive the '.club' extension. The result of this is that a file that was named "ledger.pdf" originally will become "ledger.pdf.[admin@stelsdatas.com].club." Once the files are compromised, the ransomware drops its ransom note, contained in a file called "FILES ENCRYPTED.txt."

Additionally, the CLUB ransomware also displays a pop-up message to its victims that reads as follows:

'YOUR FILES ARE ENCRYPTED

Don’t worry,you can return all your files!

If you want to restore them, follow this link email: admin at stelsdatas dot com

If you have not been answered via the link within 12 hours, write to us by e-mail: admin at stelsdatas dot com

Attention!

Do not rename encrypted files.

Do not try to decrypt your data using third party software, it may cause permanent data loss.

Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.'

The bad actors behind the CLUB Ransomware have not specified the ransom sum they demand, and victims need to contact them first to find out. Of course, there is no guarantee that the hackers would ever provide a decryption tool, even if the ransom is paid. Currently, there is no available decryption tool that can restore the files scrambled by the CLUB Ransomware.