Ransomware removal experts have found yet another ransomware knocking on the door. It is known by its email address, ssimpotashka@gmail.com, and is inspired by Scarab Ransomware, to which it bears many similarities. It has been operating since May but was only detected recently by ransomware removal experts.
Ransomware removal experts think that the authors of the Scarab Ransomware have managed to create a RaaS (Ransomware-as-a-Service) application and deployed it on the Deep Web, where a cybercriminal group managed to modify it as email@example.com. The Deep Web, or Dark Web, is an illegal marketplace that can only be viewed through the Tor browser and acts as the leading platform for the most dangerous cybercriminals.
Analysis of Ssimpotashka@gmail.com Ransomware
Like other ransomware of this kind, the ‘ssimpotashka’ ransomware enters a computer system stealthily and starts working before users can detect it. The virus deletes its components once it manages to encrypt users’ files. This is the reason it is hard for anti-ransomware tools to discover it.
The ransomware particularly targets the Temp folders on the computer and proceeds to encrypt videos, audio files, text files, office documents and database records. The ‘ssimpotashka’ ransomware also changes the extension of encoded files to its own extension, “.Ssimpotashka@gmail.com”.
The malicious encryption of files is followed by a ransom note, notifying users that their files are now encrypted. A unique ID is given to the victims for future communication. Further communication is encouraged through the email address Ssimpotashka@gmail.com. Victims are asked to pay a ransom in exchange for the return of their files to their original state and for the removal of the ransomware.
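For incident scoping, the renamed files described above can be inventoried by their extension. The following is an added example, not code from the original article; it assumes the extension is appended to the original file name, and the sample tree built in `demo()` is constructed.

```python
import os
import tempfile
from collections import Counter
from datetime import datetime, timezone

# Extension the article reports on encrypted files; matched case-insensitively.
MARKER = ".ssimpotashka@gmail.com"

def scan(root):
    """Return (path, original_name, mtime) for every file carrying the marker."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(MARKER):
                continue
            path = os.path.join(dirpath, name)
            try:
                mtime = os.stat(path).st_mtime
            except OSError:  # file vanished or is unreadable; skip it
                continue
            # Assumption: the marker is appended to the original file name.
            hits.append((path, name[:-len(MARKER)], mtime))
    return hits

def summarize(hits):
    """Count affected files per original type and find the earliest change."""
    by_type = Counter(os.path.splitext(orig)[1].lower() or "(none)"
                      for _path, orig, _mtime in hits)
    first = min((m for _p, _o, m in hits), default=None)
    first_iso = (datetime.fromtimestamp(first, tz=timezone.utc).isoformat()
                 if first is not None else None)
    return {"total": len(hits), "by_type": dict(by_type), "first_seen_utc": first_iso}

def demo():
    """Run the scan over a constructed sample tree (not real incident data)."""
    sample = {  # relative path -> constructed modification time
        "docs/report.docx.Ssimpotashka@gmail.com": 1700000300,
        "media/clip.mp4.Ssimpotashka@gmail.com": 1700000000,
        "db/orders.sql.ssimpotashka@gmail.com": 1700000600,
        "docs/untouched.txt": 1700000900,
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, mtime in sample.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            open(path, "wb").close()
            os.utime(path, (mtime, mtime))
        return summarize(scan(root))

if __name__ == "__main__":
    print(demo())
```

The earliest modification time among the renamed files is only a hint at when encryption began, since timestamps can be altered.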
In order to demonstrate their hold over the data, the hackers offer to decrypt any three unimportant files. The message ends with a warning to refrain from using any anti-ransomware software as well as a reminder to pay the ransom in two days. Failure to accept ransom demands is threatened with irreparable loss of data.
The ransomware usually spreads through malicious email attachments. P2P services like Torrent are also one of the mediums used by these hackers. Moreover, the ransomware is bundled with several fake software installers available on the internet.