Encryptd Ransomware Description
The Encryptd Ransomware is a crypto-virus named after the extension it adds to every file it affects - .encryptd. Few details about its overall behavior are available. Nevertheless, some of its features give researchers a clue as to what the .Encryptd Ransomware may be all about.
After bringing the encryption process to a successful end, this ransomware appends the '.encryptd' suffix to the encrypted files and generates a ransom note. The latter is a text file dubbed 'README_FOR_DECRYPT.txt,' and its content is as follows:
'All your data has been locked(crypted).
How to unclock(decrypt) instruction located in this website: http://126.96.36.199/order/[redacted 32 byte alphanum]
Or this TOR website: http://yehc74wh3f5p2sbw.onion/order/[redacted 32 byte alphanum]
Use TOR browser for access .onion websites.
Do NOT remove this file and NOT remove last line in this file!
WIN ID: [redacted base64 of ID]'
In light of the aforementioned encryption suffix and the title and content of the ransom note, the new .Encryptd Ransomware may, in fact, be an updated version of another ransomware strain that surfaced in June 2019. The threat in question is well-known among security researchers under several names - eCh0raix Ransomware, QNAP-NAS-Encrypt, and Synology-NAS-Encrypt. While the eCh0raix/QNAP/Synology threat appended a slightly different extension to infected data - '.encrypt' - its ransom note was practically identical to the new one, both in name and in contents. If this string of coincidences is anything to go by, the new .Encryptd Ransomware may simply be an updated variant of the strain that came to prominence in mid-2019. Back then, the crooks behind the threat used it to infect unprotected NAS devices, predominantly by hijacking their default admin login credentials. The attack then went on to encrypt approximately 500 file types across the entire network, including MS Office documents, PDF files, OpenOffice files, multimedia (music, photos, videos), databases and backups, to name but a few.
Following successful encryption, the hackers urged victims to use the Tor anonymity network to communicate with them. Through that channel, victims learned that they had to pay a ransom of 0.5 - 0.6 Bitcoin to receive a decryption key for their AES-256-CFB encrypted data.
Last but not least, the new .Encryptd Ransomware strain may not be the only updated eCh0raix/QNAP/Synology variant. In September 2019, researchers came across the Muhstik crypto-virus, whose ransom note bore the same name - README_FOR_DECRYPT.txt.
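The ransom note layout and file extensions described above lend themselves to a simple triage check. The following is an added example (not code from the original page or from any vendor) that parses a README_FOR_DECRYPT.txt body for the order URLs and the trailing WIN ID line, and counts files carrying the .encryptd or .encrypt suffix under a directory; the sample note is constructed, with made-up order IDs and WIN ID.

```python
import re
from pathlib import Path
from typing import Optional

NOTE_NAME = "README_FOR_DECRYPT.txt"
# Suffixes used by the Encryptd variant and by the earlier eCh0raix/QNAP/Synology strain
RANSOM_EXTENSIONS = {".encryptd", ".encrypt"}
# Both note variants point victims at an http://<host>/order/<id> URL
ORDER_URL_RE = re.compile(r"https?://(?P<host>[^/\s]+)/order/(?P<id>[A-Za-z0-9]+)")


def parse_ransom_note(text: str) -> Optional[dict]:
    """Parse a README_FOR_DECRYPT.txt body; return None if the layout does not match."""
    lines = [ln.strip() for ln in text.strip().splitlines() if ln.strip()]
    # The note insists the last line be kept: it carries the per-victim WIN ID
    if not lines or not lines[-1].startswith("WIN ID:"):
        return None
    info = {"clearnet": None, "onion": None,
            "win_id": lines[-1].split(":", 1)[1].strip()}
    for m in ORDER_URL_RE.finditer(text):
        key = "onion" if m.group("host").endswith(".onion") else "clearnet"
        info[key] = m.group("host")
    return info


def scan_tree(root: Path) -> dict:
    """Walk a directory tree, counting renamed files and collecting parsed ransom notes."""
    result = {"encrypted_files": 0, "notes": []}
    for p in root.rglob("*"):
        if not p.is_file():
            continue
        if p.suffix.lower() in RANSOM_EXTENSIONS:
            result["encrypted_files"] += 1
        elif p.name == NOTE_NAME:
            parsed = parse_ransom_note(p.read_text(errors="replace"))
            if parsed:
                result["notes"].append({"path": str(p), **parsed})
    return result


# Constructed sample mirroring the quoted note; the 32-character order IDs and the
# base64 WIN ID are placeholders, not values taken from a real infection.
SAMPLE_NOTE = """All your data has been locked(crypted).
How to unclock(decrypt) instruction located in this website: http://126.96.36.199/order/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Or this TOR website: http://yehc74wh3f5p2sbw.onion/order/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Use TOR browser for access .onion websites.
Do NOT remove this file and NOT remove last line in this file!
WIN ID: UExBQ0VIT0xERVI=
"""

if __name__ == "__main__":
    print(parse_ransom_note(SAMPLE_NOTE))
```

Running scan_tree over a NAS share (e.g. scan_tree(Path("/share"))) reports how many files were renamed and where notes were dropped, which is useful evidence when scoping an incident.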
Use SpyHunter to Detect and Remove PC Threats
If you are concerned that malware or PC threats similar to Encryptd Ransomware may have infected your computer, we recommend you start an in-depth system scan with SpyHunter. SpyHunter is an advanced malware protection and remediation application that offers subscribers a comprehensive method for protecting PCs from malware, in addition to providing one-on-one technical support service.
Why can't I open any program including SpyHunter? You may have a malware file running in memory that kills any programs that you try to launch on your PC. Tip: Download SpyHunter from a clean computer, copy it to a USB thumb drive, DVD or CD, then install it on the infected PC and run SpyHunter's malware scanner.