
Drweb Ransomware

Posted: May 15, 2019

The Drweb Ransomware is one of the latest crypto-locker malware variants to be spawned from the Dharma Ransomware. Dharma was first detected back in 2016 and at the time was itself just a variant of another ransomware threat called CrySiS. Since the start of 2019, however, cybersecurity researchers have been seeing more and more Dharma variants appear, with minimal differences between them beyond the file extension and contact email address used.

The Drweb Ransomware follows this pattern. After infiltrating the victim's computer, most likely through spam emails carrying malicious attachments, it starts encrypting all widely used file types, claiming to use the RSA1024 encryption algorithm. The encrypted files may have a unique identification number added to their names, and will always have ".drweb" appended as a new extension. The Drweb Ransomware then attempts to extort money from the affected users in exchange for the restoration of the files. A ransom note instructing the victims of the Drweb Ransomware to contact the email address "dr.web24@aol.com" is displayed. The crooks even offer to decrypt one file for free as a demonstration that they can actually restore the files they hold hostage.

Dealing with the aftermath of a ransomware attack is rarely easy. The most important thing is never to send money to the criminals, as this only encourages them to continue creating malware threats. Not to mention that there is no guarantee that they will not simply take the money and move on without sending the necessary decryption tool. Instead, victims of ransomware should first remove the threat from the infected computers by using a professional anti-malware program, and then attempt to restore the encrypted files from a backup created before the ransomware attack.

The criminals behind the Drweb Ransomware appear to have borrowed the name of a legitimate Russian anti-virus developer for their malware's file extension.
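A small incident-response triage helper, added here as an example and not code from the original post, that walks a directory tree and reports the artifacts described above: files carrying the ".drweb" extension, any victim ID embedded in their names, and text files that contain the ransom note's contact address. The ".drweb" extension and the "dr.web24@aol.com" address come from the page; the "name.ext.id-XXXXXXXX.[email].drweb" naming layout used in the constructed sample tree is an assumption about Dharma-style naming, not something the page states.

```python
import os
import re
import tempfile
from pathlib import Path

# Extension and contact address are taken from the page; the ".id-XXXXXXXX."
# name segment is an assumption about Dharma-style naming, not stated on the page.
ENCRYPTED_EXT = ".drweb"
RANSOM_EMAIL = "dr.web24@aol.com"
ID_PATTERN = re.compile(r"\.id-([0-9A-Fa-f]{8})\.")
MAX_NOTE_SIZE = 64 * 1024  # ransom notes are small text files; skip anything larger


def triage_directory(root):
    """Walk `root` and return encrypted files, victim IDs seen, and ransom notes found."""
    encrypted, ids, notes = [], set(), []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            if name.lower().endswith(ENCRYPTED_EXT):
                encrypted.append(str(path))
                match = ID_PATTERN.search(name)
                if match:
                    ids.add(match.group(1).upper())
                continue  # encrypted payloads are not scanned for note text
            try:
                if path.stat().st_size <= MAX_NOTE_SIZE:
                    if RANSOM_EMAIL in path.read_text(errors="ignore"):
                        notes.append(str(path))
            except OSError:
                pass  # unreadable file: leave it for manual review
    return {"encrypted": sorted(encrypted), "ids": sorted(ids), "notes": sorted(notes)}


def build_sample_tree():
    """Constructed sample: a temp directory mimicking the aftermath of an infection."""
    root = Path(tempfile.mkdtemp(prefix="drweb_sample_"))
    (root / "docs").mkdir()
    # Assumed Dharma-style name with the ID quoted in the page's ransom note.
    (root / "docs" / "report.docx.id-1E857D00.[dr.web24@aol.com].drweb").write_bytes(b"\x00" * 16)
    (root / "photo.jpg.drweb").write_bytes(b"\x00" * 16)  # extension only, no ID segment
    (root / "FILES ENCRYPTED.txt").write_text("All YOUR FILES HAVE BEEN ENCRYPTED!!! " + RANSOM_EMAIL)
    (root / "docs" / "notes.txt").write_text("ordinary file, nothing to see")
    return root


if __name__ == "__main__":
    print(triage_directory(build_sample_tree()))
```

Run it against a mounted image or a suspect share instead of the constructed tree to get a quick inventory of what was hit and which victim IDs are in play before restoring from backup.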

The full text of the ransom note is:

'All FILES ENCRYPTED “RSA1024”
All YOUR FILES HAVE BEEN ENCRYPTED!!! IF YOU WANT TO RESTORE THEM, WRITE US TO THE E-MAIL dr.web24@aol.com
IN THE LETTER WRITE YOUR ID, YOUR ID 1E857D00
IF YOU ARE NOT ANSWERED, WRITE TO EMAIL:dr.web24@aol.com
YOUR SECRET KEY WILL BE STORED ON A SERVER 7 DAYS, AFTER 7 DAYS IT MAY BE OVERWRITTEN BY OTHER KEYS, DON’T PULL TIME, WAITING YOUR EMAIL
FREE DECRYPTION FOR PROOF
You can send us up to 1 file for free decryption. The total size of files must be less than 1Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.)
DECRYPTION PROCESS:
When you make sure of decryption possibility transfer the money to our bitcoin wallet. As soon as we receive the money we will send you:
1. Decryption program.
2. Detailed instruction for decryption.
3. And individual keys for decrypting your files.
!WARNING!
Do not rename encrypted files.
Do not try to decrypt your data using third party software, it may cause permanent data loss.
Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.'
