Last week, cybersecurity experts discovered a new ransomware variant from the CryptoJoker family, called CryptoNar. The developers of CryptoNar have devised a detailed ransom note that pops up on the screen after the strain finishes encrypting files.
According to the ransom note, the CryptoNar operators used RSA-2048 encryption to lock the files on affected computers. The attackers demand $200 in Bitcoin for the decryption key. The operators also warn affected users to pay the ransom within three days of the attack. According to the note, the decryption key will expire after 72 hours, and after that no ransomware removal measure will be able to retrieve the encrypted files.
CryptoNar: Multiple encryption modules are used
One peculiar feature of this ransomware strain is that it uses more than one encryption module to encrypt the targeted files. For instance, text files (with extensions such as ‘.txt’ and ‘.md’) are encrypted from start to finish and get the extension ‘.fully.cryptoNar’.
On the other hand, all non-text files are encrypted partially and hence appended with the extension ‘.partially.cryptoNar’. It was initially believed that the newly discovered ransomware strain was in its testing phase and hadn’t affected any user. Later it was found that more than 100 users had already been affected by the strain before its discovery by cybersecurity researchers.
Not a single reported user has contacted the operators for ransomware removal. Therefore, we are not sure whether the operators actually provide the decryption key after receiving the ransom payment. Luckily, security researchers have succeeded in cracking the encryption algorithm used by the CryptoNar ransomware strain. So, the tall claims made by the cryptovirological attackers have turned out to be only fluff. The affected users are no longer required to resort to extortion payments for ransomware removal.
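The two file suffixes described above give responders a simple way to scope an infection before attempting recovery. The following triage script is an added example, not code from the researchers or from the original article; the function names and the report layout are assumptions, and only the two suffixes come from the text.

```python
import os
from collections import Counter

# Suffixes reported in the article; matched case-insensitively.
MARKERS = {
    ".fully.cryptonar": "full",
    ".partially.cryptonar": "partial",
}

def classify(filename):
    """Return (mode, original_name) for a CryptoNar-marked file, else None."""
    lowered = filename.lower()
    for suffix, mode in MARKERS.items():
        # Require a non-empty original name in front of the suffix.
        if lowered.endswith(suffix) and len(filename) > len(suffix):
            return mode, filename[: -len(suffix)]
    return None

def inventory(root):
    """Walk root and record every marked file with its mode and original name."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            result = classify(name)
            if result is None:
                continue
            mode, original = result
            path = os.path.join(dirpath, name)
            hits.append({
                "path": path,
                "mode": mode,
                "original_name": original,
                "original_ext": os.path.splitext(original)[1].lower(),
                "size": os.lstat(path).st_size,  # lstat: safe on broken links
            })
    return hits

def summarize(hits):
    """Count hits per encryption mode and per (mode, original extension)."""
    by_mode = Counter(h["mode"] for h in hits)
    by_ext = Counter((h["mode"], h["original_ext"]) for h in hits)
    return by_mode, by_ext

if __name__ == "__main__":
    import sys
    found = inventory(sys.argv[1] if len(sys.argv) > 1 else ".")
    for h in found:
        print(f'{h["mode"]:8} {h["size"]:>10} {h["path"]}')
    print(*(dict(c) for c in summarize(found)))
```

Run it against a mounted copy of the affected volume rather than the live system, so the inventory can be kept with the case record.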