FORCE Ransomware Will Hold Your Files Captive


Our team of researchers came across the FORCE ransomware variant while conducting a routine examination of new file samples. FORCE belongs to the Phobos ransomware lineage.

During testing on our experimental system, FORCE successfully encrypted files and then demanded payment for their decryption. The names of the encrypted files were altered to include a unique identifier assigned to the victim, the email address of the cybercriminals, and a ".FORCE" extension. For instance, a file originally named "1.jpg" would appear as "1.jpg.id[9ECFA84E-3545].[data199@mailum.com].FORCE".

Following the encryption process, identical ransom notes were generated – one in the form of a pop-up ("info.hta") and the other as a text file ("info.txt"). These messages were deposited onto the desktop and distributed across all directories containing encrypted files.
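As an added example (not code from the article or from any vendor tool), the Python below parses the FORCE naming scheme and ransom-note file names described above to triage a file listing; the victim-id shape and the sample paths are assumptions.

```python
import posixpath
import re
from collections import Counter

# Name pattern the article reports: <name>.id[<victim id>].[<attacker e-mail>].FORCE
# The victim-id shape (8 hex digits, dash, 4 hex digits) is assumed from the one sample.
FORCE_NAME_RE = re.compile(
    r"^(?P<original>.+)\.id\[(?P<victim_id>[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4})\]"
    r"\.\[(?P<email>[^\]\s]+@[^\]\s]+)\]\.FORCE$"
)
RANSOM_NOTE_NAMES = {"info.hta", "info.txt"}  # note file names from the article

def parse_force_name(name):
    """Split a FORCE-style file name into its parts; None if it does not match."""
    m = FORCE_NAME_RE.match(name)
    if not m:
        return None
    return {"original": m.group("original"),
            "victim_id": m.group("victim_id").upper(),
            "email": m.group("email").lower()}

def triage_listing(paths):
    """Summarise FORCE indicators in a list of file paths (forward-slash form)."""
    encrypted, notes = [], []
    for p in paths:
        base = posixpath.basename(p)
        parsed = parse_force_name(base)
        if parsed:
            encrypted.append(dict(path=p, **parsed))
        elif base.lower() in RANSOM_NOTE_NAMES:
            notes.append(p)
    return {
        "encrypted": encrypted,
        "notes": notes,
        # One victim id and one contact address across all hits is the expected picture.
        "victim_ids": Counter(e["victim_id"] for e in encrypted),
        "emails": Counter(e["email"] for e in encrypted),
        "note_dirs": sorted({posixpath.dirname(n) for n in notes}),
    }

# Constructed sample listing (not from the article), built around its example name.
SAMPLE_LISTING = [
    "C:/Users/alice/Desktop/1.jpg.id[9ECFA84E-3545].[data199@mailum.com].FORCE",
    "C:/Users/alice/Desktop/info.hta",
    "C:/Users/alice/Documents/report.docx.id[9ECFA84E-3545].[data199@mailum.com].FORCE",
    "C:/Users/alice/Documents/info.txt",
    "C:/Users/alice/Documents/notes.txt",
]
```

Run `triage_listing` over a recursive directory listing to confirm that every directory holding a note also holds encrypted files, and that the listing carries a single victim id.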

The ransom notes associated with FORCE state that the victim's files have been encrypted and that sensitive data has been stolen. To decrypt the files, a ransom payment in Bitcoin is demanded, and the victim is told that the stolen data will be sold if payment is not made. Before paying, the victim is offered a free test decryption, subject to limits on file type and size.

These messages caution against altering the encrypted files or utilizing third-party recovery tools, as doing so could render the data permanently inaccessible. Furthermore, the victim is warned that seeking assistance from external parties could exacerbate their financial losses.

FORCE Ransom Note in Full

The complete text of the FORCE ransom note reads as follows:

Your files are encrypted.

Your data has been compromised, important data has been stolen for the next sale in case of non-payment. But you have the opportunity to return everything.
Write to e-mail: data199@mailum.com
Write this ID in the title of your message -
Or write us to the TOX messenger: F9B62A229F748C0211804208C4229133B1D395CC746C3ACBF80255D2E4484F03306DA0FE3ACB
You can download TOX messenger here hxxps://tox.chat/
Payment for decryption is accepted only in Bitcoin. After payment, I will provide you with the key and complete decryption instructions.

Free decryption as guarantee
Decryption guarantee: you can send to me any 2 files with SIMPLE extensions(jpg,txt,doc, not databases!) and low sizes(max 1 mb), i will decrypt them and send back to you. This is my guarantee.
I don't want to deceive you, I want to earn money. You pay me and continue your work. My honest name is more important than a one-time deception.

How to obtain Bitcoins
Contact me and I will give you instructions on how to purchase bitcoins.

Attention!
Do not rename encrypted files.
Do not try to decrypt your data using third party software, it may cause permanent data loss.
Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.
The intermediary can also convince you that they can restore your data themselves without contacting us, this is not true, any recovery takes place only with my key.

How is Ransomware Commonly Distributed Online?

Ransomware is commonly distributed online through various methods, including:

Phishing Emails: Hackers send deceptive emails containing malicious attachments or links. These emails often impersonate legitimate entities or organizations, enticing recipients to open the attachment or click on the link, which then installs the ransomware on their system.

Malvertising: Malicious advertisements displayed on legitimate websites can redirect users to websites hosting exploit kits, which in turn deliver ransomware onto the victim's device through vulnerabilities in their software.

Exploit Kits: These are packages of pre-written code that exploit vulnerabilities in outdated software or operating systems. When users visit compromised websites or click on malicious links, exploit kits silently download and install ransomware onto their devices.

Remote Desktop Protocol (RDP) Attacks: Attackers gain unauthorized access to systems with weak or default RDP credentials. Once inside, they deploy ransomware directly onto the compromised network, often causing widespread damage.

Drive-by Downloads: Malicious code is injected into legitimate websites, causing visitors to unwittingly download ransomware onto their devices simply by browsing the site.

Software Vulnerabilities: Ransomware authors exploit vulnerabilities in software or operating systems to gain unauthorized access to systems and install ransomware without the user's knowledge or consent.

Peer-to-Peer (P2P) Networks: Ransomware may be disguised as cracked software or pirated content distributed through P2P networks. Unsuspecting users download and execute these files, unknowingly infecting their systems with ransomware.

March 21, 2024
