Diamond (Duckcryptor) Ransomware Will Lock Your Files

While going over newly discovered malicious file samples, our researchers came across the Diamond ransomware, also known as Duckcryptor. This malicious software is engineered to encrypt data and demand payment for its decryption.

On our testing environment, the Diamond ransomware encrypted files and appended a ".[Dyamond@firemail.de].duckryptor" extension to their filenames. For instance, a file originally named "1.jpg" would appear as "1.jpg.[Dyamond@firemail.de].duckryptor", while "2.png" would become "2.png.[Dyamond@firemail.de].duckryptor", and so forth.

Following encryption, the ransomware altered the desktop wallpaper and generated two ransom notes named "Duckryption_info.hta" and "Duckryption_README.txt". Although these notes feature different text, they convey a similar demand: the victim must pay a ransom in Bitcoin cryptocurrency to recover their encrypted files. Before complying with the ransom demands, the victim has the option to test decryption on up to two files, subject to certain specifications.

The ransom notes caution against attempting manual decryption or using third-party tools, as these actions may lead to permanent data loss. The accompanying text file elaborates further on the risks associated with seeking assistance from third parties.

Diamond (Duckcryptor) Ransom Note Pop-Up

The pop-up produced by the ransomware contains the following text:

Diamond Ransomware
All your files have been Encrypted

What Should i Do? If you want to restore them, Write us a E-mail: Dyamond@firemail.de
Include this ID on your Message: {Username}
In case of no answer in 24 hours write us to this e-mail: reopen1824@firemail.de

How can I buy bitcoins?You can buy bitcoins from all reputable sites in the world and send them to us.
Just search how to buy bitcoins on the Inter, sans-serifnet. Our suggestion is these sites.binance.com | localbitcoins.com | bybit.com

What is your guarantee to restore files?
Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will cooperate with us.
Its not in our Inter, sans-serifests. To check the ability of returning files, you can send to us any 2 files with SIMPLE extensions(jpg,xls,doc, etc) and low sizes(max 2 mb) we will decrypt them and send back to you. That is our guarantee.

Attention!
Do not try to decrypt your data using third party software, it may cause permanent data loss.

The ransomware produces another ransom note inside a plain text file, containing more or less the similar information and instructions.

How Can Ransomware Infect Your Computer?

Ransomware can infect your computer through various means, including:

Phishing Emails: One common method is through phishing emails that contain malicious attachments or links. These emails often appear legitimate and may impersonate trusted entities such as banks, government agencies, or well-known companies. Clicking on links or downloading attachments from these emails can lead to the installation of ransomware on your computer.

Malicious Websites: Visiting malicious or compromised websites can also expose your computer to ransomware. These websites may contain exploit kits that automatically download and install ransomware onto your system without your knowledge or consent.

Exploiting Vulnerabilities: Ransomware can exploit security vulnerabilities in outdated software or operating systems. Attackers take advantage of known vulnerabilities to infiltrate systems and deploy ransomware payloads.

Remote Desktop Protocol (RDP): Attackers can exploit weak or default passwords on Remote Desktop Protocol (RDP) connections to gain unauthorized access to computers and deploy ransomware.

Malvertising: Malicious advertisements, or malvertising, displayed on legitimate websites can redirect users to malicious websites hosting ransomware or exploit kits.