
'pizdasobaki@protonmail.com' Ransomware

Posted: February 12, 2019

The 'pizdasobaki@protonmail.com' Ransomware is a file-locker Trojan that encrypts the media on your PC so that it can't be opened, and profits by selling the decryption solution. Users shouldn't assume that decryption is possible or that paying the ransom guarantees it; backups are the favored recovery choice for those who have them. Windows users can protect their PCs with compatible anti-malware software for removing the 'pizdasobaki@protonmail.com' Ransomware upon its identification as a threat.

Tests of a File-Locker Trojan's Campaign-in-Waiting

The independent cyber-security researcher GrujaRS is pulling back the curtain on a file-locking Trojan that, unusually but not uniquely, isn't a part of families like the half-Russian Scarab Ransomware or Utku Sen's discontinued Hidden Tear. The 'pizdasobaki@protonmail.com' Ransomware, also referenced as the 05ntoar0 Ransomware, is preparing what looks like a standard payload strategy of encrypting files and demanding Bitcoins from the victims. Its semi-professional, multilingual ransoming infrastructure, however, sets the 'pizdasobaki@protonmail.com' Ransomware above more low-level threats and implies that the criminal has long-term plans.

In its early builds, the 'pizdasobaki@protonmail.com' Ransomware encrypts the contents of a 'test' directory, using a cipher that malware experts have yet to confirm. The speed of the operation, however, suggests that the 'pizdasobaki@protonmail.com' Ransomware is using AES or another, similarly efficient means of blocking documents and other files. Unusually, the 'pizdasobaki@protonmail.com' Ransomware also ignores some of the most commonly-blocked content, such as Excel spreadsheets.

The 'pizdasobaki@protonmail.com' Ransomware monetizes the attack by selling its unlocker through a locally-dropped Web page. The message includes an ID, a ransom of 0.5 BTC (about 1,800 USD) and three language options: Russian, English and Italian. Some builds of the 'pizdasobaki@protonmail.com' Ransomware also include Russian-language contact addresses, which could be a clue to the author's nationality. Its 'test' wallet link is a placeholder; therefore, the Trojan can lock files, but victims can't pay for recovering them.
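The two artifacts described above, a dropped ransom page carrying the campaign's contact address and files whose contents have been replaced by ciphertext, are what a responder looks for first when triaging a suspected hit. The script below is an added example, not code from the original article or from the malware author: it walks a directory, flags files that mention the reported markers (the contact address, the 05ntoar0 alias, the 0.5 BTC price) and flags files whose leading bytes have near-uniform entropy. The sample directory it builds is constructed here for the demonstration and is not output from a real sample.

```python
"""Defender-side triage for a directory suspected of ransomware activity.

Added example; the sample tree is constructed, not taken from a real infection.
"""
import math
import os
import tempfile
from collections import Counter

# Strings the article reports in the ransom message; extend as new builds appear.
NOTE_MARKERS = ("pizdasobaki@protonmail.com", "05ntoar0", "0.5 BTC")
ENTROPY_THRESHOLD = 7.5   # bits per byte; ciphertext sits close to 8.0
SCAN_BYTES = 64 * 1024    # only the leading chunk of each file is examined


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def _walk(root):
    for dirpath, _, names in os.walk(root):
        for name in names:
            yield os.path.join(dirpath, name)


def find_ransom_notes(root: str, markers=NOTE_MARKERS) -> list:
    """Paths of files whose leading chunk mentions any marker (case-insensitive)."""
    hits = []
    for path in _walk(root):
        try:
            with open(path, "rb") as fh:
                text = fh.read(SCAN_BYTES).decode("utf-8", errors="ignore").lower()
        except OSError:
            continue
        if any(m.lower() in text for m in markers):
            hits.append(path)
    return sorted(hits)


def find_high_entropy_files(root: str, threshold=ENTROPY_THRESHOLD, min_size=512) -> list:
    """Paths whose leading chunk scores above the entropy threshold.

    Compressed formats (zip, docx, png, jpeg) also score high, so a hit is
    something to review, not proof that the file was encrypted.
    """
    hits = []
    for path in _walk(root):
        try:
            if os.path.getsize(path) < min_size:
                continue
            with open(path, "rb") as fh:
                chunk = fh.read(SCAN_BYTES)
        except OSError:
            continue
        if shannon_entropy(chunk) > threshold:
            hits.append(path)
    return sorted(hits)


def triage(root: str) -> dict:
    """Run both checks and return file names relative to root."""
    def rel(paths):
        return sorted(os.path.relpath(p, root) for p in paths)
    return {"notes": rel(find_ransom_notes(root)),
            "suspect_encrypted": rel(find_high_entropy_files(root))}


def build_sample_tree(root: str) -> None:
    """Constructed stand-in for a hit 'test' directory (not real malware output)."""
    # Ransom page shaped like the one the article describes: ID, price, three languages.
    note = ("<html><body><p>ID: 0000-TEST</p>"
            "<p>EN: Your files are encrypted. Price: 0.5 BTC. "
            "Contact: pizdasobaki@protonmail.com</p>"
            "<p>RU: (Russian text)</p><p>IT: (Italian text)</p></body></html>")
    with open(os.path.join(root, "how_to_recover.html"), "w", encoding="utf-8") as fh:
        fh.write(note)
    # Uniform byte distribution: entropy exactly 8.0, the signature of ciphertext.
    with open(os.path.join(root, "report.docx.locked"), "wb") as fh:
        fh.write(bytes(range(256)) * 16)
    # Ordinary prose scores around 4-5 bits per byte and is left alone.
    with open(os.path.join(root, "notes.txt"), "w", encoding="utf-8") as fh:
        fh.write("Quarterly planning notes for the infrastructure team.\n" * 20)


def run_demo() -> dict:
    """Build the constructed tree in a temporary directory and triage it."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return triage(root)


if __name__ == "__main__":
    print(run_demo())
```

Point `triage()` at a real share or user profile rather than the demo tree to use it in practice; the entropy check is a filter for where to look, and a hit still has to be confirmed against a known-good copy or backup.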

Why You Should Hoard Your Cryptocurrency All to Yourself

The preference that file-locking Trojans like the 'pizdasobaki@protonmail.com' Ransomware show for Bitcoin isn't coincidental. The absence of consumer protections and refund policies leaves users with no recourse when criminals take the ransom without providing the decryption help they promise. Users who can't recover from backups should contact experienced PC security researchers for assistance with all non-premium decryption possibilities.

Besides the oddity of some samples posing as Chrome Program Information (PIF) files, how the 'pizdasobaki@protonmail.com' Ransomware will be distributed remains an open question. File-locker Trojans often gain entry after network administrators leave their systems exposed through weak login credentials or RDP left enabled. E-mail attachments and torrents are other means of compromise for threats of this type, although nearly any dedicated anti-malware product should block and delete the 'pizdasobaki@protonmail.com' Ransomware from the outset.
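The PIF disguise mentioned above is worth a concrete check. A genuine Program Information File is a small settings record for DOS programs, but Windows treats the .pif extension as executable and Explorer does not display it, so a Windows executable renamed to .pif (often behind a second, innocuous extension such as .pdf.pif) is a long-standing disguise. The script below is an added example, not code from the original article or from the malware author: it flags .pif files that carry an MZ/PE executable header and names that stack a second extension. The header bytes it tests against are constructed inline and are not a runnable program.

```python
"""Flag .pif files that are really PE executables and double-extension names.

Added example; the sample header bytes are constructed, not from a real sample.
"""
import os
import struct
import tempfile

PE_SIG_OFFSET = 0x3C   # e_lfanew: where the MZ header stores the offset of 'PE\0\0'
DOC_EXTENSIONS = {"pdf", "doc", "docx", "xls", "xlsx", "jpg", "png", "txt", "html"}


def looks_like_pe(data: bytes) -> bool:
    """True if data starts with an MZ header whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < PE_SIG_OFFSET + 4 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, PE_SIG_OFFSET)
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def classify(name: str, data: bytes) -> list:
    """Return sorted findings for one file; an empty list means nothing suspicious."""
    findings = []
    stem, ext = os.path.splitext(name)
    if ext.lower() != ".pif":
        return findings
    if looks_like_pe(data):
        findings.append("pe_disguised_as_pif")
    # 'invoice.pdf.pif' shows as 'invoice.pdf' in Explorer, which hides the .pif part.
    inner_ext = os.path.splitext(stem)[1].lstrip(".").lower()
    if inner_ext in DOC_EXTENSIONS:
        findings.append("double_extension")
    return sorted(findings)


def scan_directory(root: str) -> dict:
    """Map relative paths of .pif files with findings to their finding lists."""
    report = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(4096)
            except OSError:
                continue
            findings = classify(name, head)
            if findings:
                report[os.path.relpath(path, root)] = findings
    return report


def make_fake_pe_header() -> bytes:
    """Constructed minimal MZ/PE header (not an executable) for testing the check."""
    buf = bytearray(0x48)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, PE_SIG_OFFSET, 0x40)   # e_lfanew -> 0x40
    buf[0x40:0x44] = b"PE\0\0"
    return bytes(buf)


def run_demo() -> dict:
    """Write three constructed files to a temp directory and scan it."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "invoice.pdf.pif"), "wb") as fh:
            fh.write(make_fake_pe_header())           # disguised executable
        with open(os.path.join(root, "oldgame.pif"), "wb") as fh:
            fh.write(b"\x00" * 369)                    # plausible genuine PIF size
        with open(os.path.join(root, "readme.txt"), "w") as fh:
            fh.write("not a pif file\n")
        return scan_directory(root)


if __name__ == "__main__":
    print(run_demo())
```

Run `scan_directory()` over download folders and e-mail attachment caches; a .pif that parses as a PE is not a legitimate DOS settings file and should be quarantined and hashed for lookup rather than opened.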

This February-born Trojan thinks that your files are worth well over a thousand dollars for recovering. If that is, in fact, a legitimate assumption, then you should be backing them up in the first place and rendering the 'pizdasobaki@protonmail.com' Ransomware's encryption irrelevant.
