
DataWait Ransomware

Posted: November 14, 2018

The DataWait Ransomware is an update of the 'savefiles@india.com' Ransomware and a possible member of the STOP Ransomware family. Symptoms of infection include files that no longer open because they have been encrypted (such as with a combination of AES and RSA), new extensions on these files, and the appearance of ransoming messages telling you to contact the criminal admin. Use anti-malware products for preventing infections or deleting the DataWait Ransomware, and keep backups on other devices for your media's safety.

As Trojans Update, 'Saving' Your Files Becomes 'Waiting' on Them

The September analysis of the 'savefiles@india.com' Ransomware has yet to lapse into irrelevancy, as malware researchers find signs of new samples of this threat in live distribution. The new version, the DataWait Ransomware, has some minor changes to the ransoming instructions and also provides further clues hinting at its overarching relationship to the Ransomware-as-a-Service family of the STOP Ransomware. Users are already being targeted: their files are locked and the decryption key is offered in return for a ransom payment, although the method of infection is speculative.

The DataWait Ransomware uses a traditional, non-consensual encryption routine, such as locking a file's data with AES and protecting the generated key with RSA, which it runs as a hidden, background process. Changes from the months-older 'savefiles@india.com' Ransomware attacks include a new extension (shown in this file-locker Trojan's name) for the blocked media, as well as other alterations to the ransoming message. Barring further changes, of which malware experts see no evidence, the DataWait Ransomware only endangers documents, images, and similar media types, and doesn't harm the OS, except, potentially, by wiping your Windows backups.

The threat actors are using Notepad text files to deliver their ransoming demands, which they present as the only decryption solution for the DataWait Ransomware infections. Unlike earlier variants, the DataWait Ransomware doesn't ask for a specific amount of money and, instead, offloads the payment details to e-mail-based negotiations. It does, however, offer a limited 'sample' of the unlocking service and claims that paying within three days will provide a discount to the victim, which is a more 'positive reinforcement' style of socially-engineered manipulation than those of most file-locker Trojans.

Ample Justification for Waiting before Ransoming

Even with a friendlier-sounding ransoming service, the DataWait Ransomware runs the risk of being a possible hoax, with threat actors taking their money without unlocking your files. You may provide samples to appropriate cyber-security specialists for determining whether a free decryptor can be developed, and backups are especially effective at removing the bargaining leverage of these Trojans. In some cases, the DataWait Ransomware may not erase the Windows Shadow Volume Copies comprehensively, which opens up other restoration possibilities for your files.
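One way to check whether any Shadow Volume Copies survived, shown as an added example that is not part of the original article or taken from any vendor tool. It uses the standard Win32_ShadowCopy and Win32_Volume CIM classes from an elevated PowerShell prompt; the `$SuspectedInfection` timestamp is an assumed, analyst-supplied value.

```powershell
# Added example: inventory surviving Volume Shadow Copies after a suspected
# file-locker infection. Run from an elevated PowerShell prompt.
# $SuspectedInfection is an assumed, analyst-supplied timestamp (placeholder default).
param(
    [datetime]$SuspectedInfection = (Get-Date).AddDays(-1)
)

# Map volume GUID paths (\\?\Volume{...}\) to drive letters.
$volumes = @{}
Get-CimInstance -ClassName Win32_Volume |
    Where-Object { $_.DriveLetter } |
    ForEach-Object { $volumes[$_.DeviceID] = $_.DriveLetter }

$shadows = @(Get-CimInstance -ClassName Win32_ShadowCopy)

# One row per snapshot, flagged by whether it predates the suspected infection.
$report = foreach ($s in $shadows) {
    [pscustomobject]@{
        Drive        = $volumes[$s.VolumeName]
        Created      = $s.InstallDate
        PreInfection = $s.InstallDate -lt $SuspectedInfection
        DeviceObject = $s.DeviceObject
        Id           = $s.ID
    }
}

$report | Sort-Object Drive, Created | Format-Table -AutoSize

# A volume with no snapshot older than the infection cannot be restored this way.
foreach ($drive in ($volumes.Values | Sort-Object)) {
    $usable = @($report | Where-Object { $_.Drive -eq $drive -and $_.PreInfection })
    if ($usable.Count -eq 0) {
        Write-Warning "$drive has no shadow copy older than $SuspectedInfection; rely on offline backups."
    } else {
        $newest = ($usable | Sort-Object Created | Select-Object -Last 1).Created
        Write-Output "$drive : $($usable.Count) pre-infection snapshot(s), newest $newest"
    }
}
```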

Beyond confirming that they remain Windows-based programs, samples of the DataWait Ransomware offer minimal information about its campaign's infection techniques or preferences of victims. Threat actors could target network administrators with brute-force attacks or disguised e-mail attachments, distribute the DataWait Ransomware through free-downloading resources like torrents, or use exploit kits that abuse not-yet-patched security oversights. Users should install their patches promptly, avoid sources of illegal downloads, and keep an anti-malware program available for detecting and deleting the DataWait Ransomware automatically.

The DataWait Ransomware's update from 'savefiles@india.com' Ransomware shows a change in ransoming strategy that hides the price from you. While the precise ransom sum may be mysterious, it can't help but be more than anyone should be willing to pay, compared to the cost of making a backup.
