
Professeur Ransomware

Posted: June 5, 2020

The Professeur Ransomware is a new strain of file-encrypting malware based on the infamous Jigsaw Ransomware. The email address (zemblax@protonmail.com) displayed in the ransom note suggests that it's distributed by the threat actors behind two other Jigsaw-based threats – Zemblax and ElvisPresley.

What's Special about the Professeur Ransomware?

Being relatively new, the Professeur Ransomware's distribution method is still not entirely clear, but it is safe to say that the hackers likely use one (or more) of the usual infection vectors, such as spam emails, torrents and illicit cracking tools. Once the infection is complete, the Professeur Ransomware deletes the Shadow Volume Copies on the host computer, modifies the Windows Registry to achieve persistence and starts encrypting the victim's files. Some Jigsaw offshoots are known to modify the PC's Master Boot Record, which makes removing the threat more difficult, but fortunately, the Professeur Ransomware hasn't displayed that behavior so far.
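The behaviours described above (shadow copy deletion, Registry persistence, and renaming files to the '.Professeur' extension) rarely occur together on a healthy host, so a detection that correlates them per host is a reasonable first response. The following is an added example, not code from the original article or from any vendor; the log lines are constructed, the "event|host|detail" record layout is invented for the demo, and the vssadmin/wmic command-line patterns are an assumption, since the article only says the copies are deleted.

```python
import re
from collections import defaultdict

# Constructed Sysmon-style records for illustration ("event|host|detail").
# They are NOT real telemetry from a Professeur infection.
SAMPLE_LOGS = [
    "ProcessCreate|WS01|C:\\Windows\\System32\\vssadmin.exe delete shadows /all /quiet",
    "RegistryValueSet|WS01|HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\updater = C:\\Users\\bob\\AppData\\Roaming\\updater.exe",
    "FileRename|WS01|C:\\Users\\bob\\Documents\\report.docx -> C:\\Users\\bob\\Documents\\report.docx.Professeur",
    "FileRename|WS01|C:\\Users\\bob\\Pictures\\holiday.jpg -> C:\\Users\\bob\\Pictures\\holiday.jpg.Professeur",
    "ProcessCreate|WS02|C:\\Windows\\System32\\notepad.exe C:\\notes.txt",
    "RegistryValueSet|WS02|HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive = C:\\Users\\alice\\OneDrive.exe",
]

# One rule per behaviour the article attributes to Professeur. The shadow-copy
# command lines are an assumption (vssadmin/wmic are the usual tools).
RULES = {
    "shadow_copy_deletion": ("ProcessCreate", re.compile(
        r"(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)", re.I)),
    "run_key_persistence": ("RegistryValueSet", re.compile(r"\\CurrentVersion\\Run\\", re.I)),
    "professeur_extension": ("FileRename", re.compile(r"->\s*.*\.Professeur$", re.I)),
}

def classify(line):
    """Return the name of the rule a log line matches, or None."""
    event, _host, detail = line.split("|", 2)
    for name, (wanted_event, pattern) in RULES.items():
        if event == wanted_event and pattern.search(detail):
            return name
    return None

def behaviours_by_host(lines):
    """Map host -> set of distinct behaviour names seen on that host."""
    seen = defaultdict(set)
    for line in lines:
        name = classify(line)
        if name:
            seen[line.split("|", 2)[1]].add(name)
    return dict(seen)

def flagged_hosts(lines, min_behaviours=2):
    """Hosts showing at least min_behaviours distinct Jigsaw-style behaviours.
    A lone Run-key write is ordinary software activity, so one hit is not enough."""
    return sorted(h for h, b in behaviours_by_host(lines).items() if len(b) >= min_behaviours)

if __name__ == "__main__":
    for host, b in behaviours_by_host(SAMPLE_LOGS).items():
        print(host, sorted(b))
    print("flagged:", flagged_hosts(SAMPLE_LOGS))  # flagged: ['WS01']
```

In practice the records would come from Sysmon event IDs 1, 11/2 and 13 (or an EDR's equivalents) rather than the constructed strings above.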

The encrypted files receive a '.Professeur' extension, and a pop-up displaying the ransom note appears. Here's the note itself:


'All Your Files Has Been Locked!

Your personal files are being deleted. Your photos, videos, documents, etc. . .

But All of your files were protected by a strong encryption.

This means that we can decrypt all your files after paying the ransom.


Every hour I select some of them to delete permanently,

You Have 1day to Decide to Pay.

after 1 Day Decryption Price will be Double.

During the first 24 hour you will only lose a few files,

the second day a few hundred, the third day a few thousand, and so on.

If you turn off your computer or try to close me, when I start next time


you will get 5 files deleted as a punishment.

If you want to unlock your data

You Can Learn Decrypt Instructions

click on the button: HOW TO DECRYPT FILES?


Contact us: zemblax@protonmail.com


1 file will be deleted.

View encrypted files


Please, send at least $50 worth of Bitcoin here:

1C1pAkwpvuxr4ZxzqHSeTLpFGQMDMJKS3U


How To Decrypte Files !'

As you can see, to pressure the victims into paying the ransom, the hackers warn them that if they don't act quickly, some of their files will be deleted. According to the note, if the ransom isn't paid within 24 hours, "a few" files will be wiped out. The punishment for not paying within 48 hours is harsher: a few thousand deleted files and a doubling of the ransom demand. Further delays will allegedly result in yet more lost data, and if the user tries to ignore the warnings and close the pop-up, five files will be wiped from the hard drive immediately.

Unfortunately, the Professeur Ransomware is capable of carrying out these threats. When it first appeared in 2016, the Jigsaw Ransomware immediately stood out from the crowd with its ability to delete data in addition to encrypting it, and virtually all variants based on this family are capable of doing the same. Fortunately, the Professeur Ransomware has inherited another one of Jigsaw's characteristics.

Decrypting the Files Encrypted by the Professeur Ransomware

The Professeur Ransomware operators ask for just $50 in BTC for the decryption of the files, but a quick look at their wallet address (https://www.blockchain.com/btc/address/1C1pAkwpvuxr4ZxzqHSeTLpFGQMDMJKS3U) reveals that, at the time of writing, not a single victim has complied with their demands. Hopefully, the wallet will remain empty, not only because ransomware victims should always avoid negotiating with the crooks, but also because the files encrypted by the Professeur Ransomware can be decrypted for free.

Jigsaw's original developers made a mistake when creating the encryption mechanism, which means that shortly after its release, security experts managed to create a free decryption tool that lets users retrieve their data without paying the ransom. Later, the ransomware was open-sourced, and variants like the Professeur Ransomware started appearing. The original decryptor didn't work with all of them, but it was later updated, and it is now capable of retrieving data encrypted by a number of different Jigsaw-based ransomware variants, including the Professeur Ransomware.

If you fall victim to this particular ransomware strain, you should not pay the ransom, and you should instead look for the publicly available decryptors that can unscramble the data for you. Just make sure you do it before the Professeur Ransomware starts deleting your files.
