WELL Ransomware

Posted: June 5, 2020

The WELL Ransomware is a strain of a larger ransomware family, known as Dharma Ransomware. The WELL Ransomware behaves more or less like other variants of the Dharma family; the WELL Ransomware encrypts the victim's files and leaves them inaccessible, demanding ransom payment.

Any file encrypted by the WELL Ransomware has its filename modified and receives a '.well' extension. For example, an image named "campfire.jpg" becomes "campfire.jpg.id-[victim id].[mewellwisher@protonmail.ch].well".
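The rename pattern above can be matched during triage to list affected files and recover their original names. The following is an added example, not code from the original page; the victim IDs and paths in the sample listing are constructed, and it assumes the victim ID contains no dots and may appear with or without square brackets.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Pattern described on the page:
#   <original name>.id-[victim id].[contact email].well
# Assumption: the victim id has no dots/brackets; its brackets are optional.
WELL_RE = re.compile(
    r"^(?P<original>.+)\.id-\[?(?P<victim_id>[^.\[\]]+)\]?"
    r"\.\[(?P<contact>[^\[\]@]+@[^\[\]@]+)\]\.well$",
    re.IGNORECASE,
)

def parse_well_name(path):
    """Return the parts of a renamed file name, or None if it does not match."""
    name = PureWindowsPath(path).name  # handles both \ and / separators
    m = WELL_RE.match(name)
    if m is None:
        return None
    return {
        "original": m.group("original"),
        "victim_id": m.group("victim_id"),
        "contact": m.group("contact").lower(),
    }

def triage(paths):
    """Group matching paths by victim id as (path, original name) pairs."""
    report = defaultdict(list)
    for p in paths:
        info = parse_well_name(p)
        if info is not None:
            report[info["victim_id"]].append((p, info["original"]))
    return dict(report)

# Constructed sample listing (IDs and paths are made up for illustration).
SAMPLE_LISTING = [
    r"C:\Users\a\Pictures\campfire.jpg.id-[1A2B3C4D].[mewellwisher@protonmail.ch].well",
    r"C:\Users\a\Docs\report.v2.docx.id-1A2B3C4D.[mewellwisher@protonmail.ch].well",
    r"C:\Users\a\Docs\well.txt",   # unrelated file, must not match
    r"C:\Users\a\notes.well",      # bare .well extension, must not match
]

if __name__ == "__main__":
    for victim_id, files in triage(SAMPLE_LISTING).items():
        print(f"victim id {victim_id}: {len(files)} file(s)")
        for path, original in files:
            print(f"  {path} -> {original}")
```

Matching on the full pattern rather than the bare '.well' suffix avoids flagging unrelated files that happen to use that extension.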

The WELL Ransomware drops its ransom demand in a file named "FILES ENCRYPTED.tx." The full content of the ransom note is as follows:

'All your data has been locked us

You want to return?

Write email mewellwisher at protonmail dot ch or iamwellwisher at tutanota dot com.'

The ransomware will also display a pop-up window, containing the following text to scare its victims into submission:

'YOUR FILES ARE ENCRYPTED

Don't worry, you can return all your files!

If you want to restore them, follow this link: email mewellwisher at protonmail dot ch YOUR ID -

If you have not been answered via the link within 12 hours, write to us by e-mail:iamwellwisher at tutanota dot com

Attention!

Do not rename encrypted files.

Do not try to decrypt your data using third party software, it may cause permanent data loss.

Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.'

The ransom note and the pop-up window never mention the sum of the ransom, but as with all other ransomware strains, there is no guarantee that the victims would get their files back, even if they decided to pay the ransom.
