ELITTE87 Ransomware Encrypts Infected Drives

During our examination of new malware samples, we uncovered ELITTE87, a variant of ransomware associated with the Phobos family. ELITTE87 encrypts files, alters filenames, and presents two ransom notes: a pop-up window and an "info.txt" file.

ELITTE87 modifies filenames by appending the victim's ID, helpdata@zohomail.eu email address, and ".ELITTE87" extension. For instance, "1.jpg" becomes "1.jpg.id[9ECFA84E-3492].[helpdata@zohomail.eu].ELITTE87", and "2.png" becomes "2.png.id[9ECFA84E-3492].[helpdata@zohomail.eu].ELITTE87".
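For responders scoping an incident, the renaming scheme described above can be parsed to inventory affected files and recover their original names. The following is an added example, not code from the original article; the function names are hypothetical, and the victim-ID shape is inferred from the single ID shown on the page, so it is matched loosely.

```python
import re
from collections import defaultdict

# Pattern taken from the article's examples:
#   <original name>.id[<victim ID>].[<contact email>].ELITTE87
# The ID shape (hex groups joined by '-') is an assumption based on the one
# ID shown on the page.
RENAMED = re.compile(
    r"^(?P<original>.+)\.id\[(?P<victim_id>[0-9A-Fa-f-]+)\]"
    r"\.\[(?P<contact>[^\[\]\s]+@[^\[\]\s]+)\]\.ELITTE87$"
)
NOTE_NAMES = {"info.txt"}  # ransom note file named in the article


def parse_renamed(filename):
    """Return original name, victim ID and contact for a renamed file, else None."""
    m = RENAMED.match(filename)
    return m.groupdict() if m else None


def triage(paths):
    """Group affected files by victim ID and list directories holding a note."""
    by_id = defaultdict(list)
    note_dirs = set()
    for path in paths:
        # Split on either separator so Windows paths work on any analysis host.
        directory, _, name = path.replace("\\", "/").rpartition("/")
        if name.lower() in NOTE_NAMES:
            # "info.txt" is a common name: supporting evidence only.
            note_dirs.add(directory)
            continue
        hit = parse_renamed(name)
        if hit:
            by_id[hit["victim_id"].upper()].append(
                (directory, hit["original"], hit["contact"]))
    return dict(by_id), sorted(note_dirs)


# Constructed sample listing (the two renamed names are the article's examples).
SAMPLE = [
    r"C:\Users\a\Pictures\1.jpg.id[9ECFA84E-3492].[helpdata@zohomail.eu].ELITTE87",
    r"C:\Users\a\Pictures\2.png.id[9ECFA84E-3492].[helpdata@zohomail.eu].ELITTE87",
    r"C:\Users\a\Pictures\info.txt",
    r"C:\Users\a\Documents\report.id[draft].docx",  # benign look-alike
    r"C:\Users\a\Documents\notes.txt",
]

if __name__ == "__main__":
    affected, notes = triage(SAMPLE)
    for vid, files in affected.items():
        print(vid, len(files), "files; first original name:", files[0][1])
    print("ransom note found in:", notes)
```

Feeding it a recursive file listing from each host shows which directories were reached and which original filenames to look for in backups.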

The ransom note notifies victims that their data has been encrypted and downloaded by cybercriminals, who claim that only their software can unlock it. Victims are warned against attempting independent decryption or using third-party software, which may result in permanent data loss.

Victims are also discouraged from seeking help from intermediaries or data recovery firms, which the note claims risks permanent data loss or being deceived by those firms. The note assures victims that the data leak will be kept confidential and that the data is protected.

The note pledges that once the ransom is paid, all downloaded data will be deleted from the cybercriminals' resources, and that personal data will not be misused or sold. Victims are given a deadline of 2 days to contact the cybercriminals and begin the ransom transaction.

Failure to comply within this timeframe supposedly leads to data sharing with interested parties, placing the onus on the victim. Contact details are provided for communication with the cybercriminals, including specific instructions on how to reach them.

ELITTE87 Ransom Note Uses Traditional Phobos Layout

The full text of the ELITTE87 ransom note reads as follows:

Your data is encrypted and downloaded!

Unlocking your data is possible only with our software.
Important! An attempt to decrypt it yourself or decrypt it with third-party software will result in the loss of your data forever.
Contacting intermediary companies, recovery companies will create the risk of losing your data forever or being deceived by these companies.
Being deceived is your responsibility! Learn the experience on the forums.

Downloaded data of your company.

Data leakage is a serious violation of the law. Don't worry, the incident will remain a secret, the data is protected.
After the transaction is completed, all data downloaded from you will be deleted from our resources. Government agencies, competitors, contractors and local media
not aware of the incident.
Also, we guarantee that your company's personal data will not be sold on DArkWeb resources and will not be used to attack your company, employees
and counterparties in the future.
If you have not contacted within 2 days from the moment of the incident, we will consider the transaction not completed.
Your data will be sent to all interested parties. This is your responsibility.

Contact us.

Write us to the e-mail:helpdata@zohomail.eu
In case of no answer in 24 hours write us to this e-mail:email.recovery24@onionmail.org
Write this ID in the title of your message: -
If you have not contacted within 2 days from the moment of the incident, we will consider the transaction not completed.
Your data will be sent to all interested parties. This is your responsibility.

Do not rename encrypted files
Do not try to decrypt your data using third party software, it may cause permanent data loss.
Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

How Can Ransomware Similar to ELITTE87 Infect Your Computer?

Ransomware like ELITTE87 can infect your computer through various means, including:

Phishing Emails: Cybercriminals often distribute ransomware via phishing emails. These emails may contain malicious attachments or links that, when clicked, execute the ransomware code on your system.

Malicious Websites: Visiting compromised or malicious websites can expose your computer to ransomware. These sites may exploit vulnerabilities in your browser or plugins to download and install ransomware without your knowledge.

Exploit Kits: Cybercriminals may use exploit kits, which are packages of tools designed to exploit vulnerabilities in software, to deliver ransomware payloads to vulnerable systems. These kits can target known vulnerabilities in operating systems, browsers, or other software applications.

Drive-by Downloads: Ransomware can also be delivered through drive-by downloads, where malicious code is downloaded and executed on your system without your consent while visiting a compromised website.

Remote Desktop Protocol (RDP) Attacks: If you have Remote Desktop Protocol (RDP) enabled on your computer and it is not properly secured with strong passwords or multi-factor authentication, cybercriminals can brute-force their way into your system and deploy ransomware.

Malvertising: Malicious advertisements, or malvertisements, displayed on legitimate websites can redirect users to websites hosting ransomware or initiate downloads of ransomware payloads onto the user's system.

USB Drives: Ransomware can spread through infected USB drives or other removable media. Plugging an infected USB drive into your computer can result in the ransomware being executed and spreading throughout your system.

File-Sharing Networks: Ransomware can be distributed through file-sharing networks and peer-to-peer (P2P) file-sharing applications. Cybercriminals may disguise ransomware as legitimate software or media files to trick users into downloading and executing them.

March 27, 2024