SchrodingerCat Ransomware Demands BTC Ransom

ransomware

During a routine inspection of new files, our research team stumbled upon the SchrodingerCat ransomware, a variant of the GlobeImposter ransomware family. SchrodingerCat encrypts data and demands payment for decryption.

Upon testing, we observed that this ransomware encrypts files and appends a ".schrodingercat" extension to their names. For instance, a file named "1.jpg" would become "1.jpg.schrodingercat" after encryption, and so forth.

Following encryption, SchrodingerCat generates a ransom note named "how_to_back_files.html", indicating that it targets organizations rather than individual users. The note asserts that the victim's corporate network has been compromised, resulting in the encryption of its stored files.

To regain access to the encrypted data, the victim must purchase a decryptor, priced at 0.15 BTC, which equates to approximately ten thousand USD at the time of writing. The note advises against involving intermediaries and encourages direct negotiation with the attackers.

Refusal to pay the ransom carries the threat of the cybercriminals auctioning or leaking sensitive data stolen from the network. Furthermore, the criminals may reach out to the victim's clients, offering to sell their compromised information.

SchrodingerCat Authors Think of Themselves as a Business

The full text of the SchrodingerCat ransom note contains a lot of text and the hackers refer to themselves as "Nacugunder Corporation". The complete text goes as follows:

YOUR PERSONAL ID

ENGLISH
YOUR CORPORATE NETWORK LOCKED!

ALL YOUR IMPORTANT DATA HAS BEEN ENCRYPTED.

TO RESTORE FILES YOU WILL NEED A DECRYPTOR!
To get the decryptor you should:
Pay for decrypt your network - 0.15 BTC

Buy BTC on one of these sites
hxxps://binance.com
hxxps://www.coinbase.com
Any site you trust

Bitcoin Wallet: 3Pvn*MLA5

Our contacts:
email: yourdatahelp@seznam.cz

ToxID: CA04B61C320C50D12A2C1B95B5062474B5C00B995B588D0B3781DC052CBF9A354CD10F96C84D

You can download TOXChat here : hxxps://tox.chat/download.html

The message must contain your Personal ID! it is at top of this document.

HOW IT WORKS.

If you need a decrypter or return information, please contact us directly ! The guarantee of successful deals is only a direct contact! Don't shy… It's just business for us and we are always ready for polite and mutually beneficial communication.

What's problem with intermediaries?!

Very often intermediaries take money for themselves, it looks something like this: You turn to an intermediary for help, who promises you huge discounts and professional solutions to problems. Afterwards, intermediary contacts us to conduct a decrypt test, receives decrypted files, and then asks you to transfer money to a wallet not related to us. Having received money, intermediary assures client in every possible way that he did not receive decrypter or simply disappears with money. REMEMBER! - We only have wallet that is indicated in this html (first and last 4 characters) When transferring money to any other wallet, you are not transferring it to us.

deception using various Universal Decryptors for 30% of cost or at a fixed price has become very common. With beautiful pictures or enticing videos on YouTube, where they will show you how it works "Universal Software" - which in reality does not work, but is a Trojan for stealing bitcoin or another cryptolocker, before installing something like that - test it on an isolated network computer and you can see that it is useless. Globeimposter 2.0 namely, this is what you see on your network 🙂 can't be deciphered by anything! Besides original key… only one who created Build has key!- this is us. Contact real professionals like - hxxps://www.bleepingcomputer.com/forums/, or any large anti-virus companies - - they can tell you all horror of situation.

Considering above, we reserve right to request KYC confirmation. For example, send us a message from your corporate email on behalf of Company Director or IT department. We know their original emails - since we carefully study network before work 🙂 By contacting directly, you can count on a friendly conversation, a business-like approach… and possibly a good discount (discount depends on many circumstances, size of company,size of ransom, our checks of your accounting, phase of the Moon, etc.)
WHAT HAPPENS IF YOU DON'T PAY

In case of non-payment, we organize an auction on various sites in DarkNet and try to sell files leaked from your network to interested parties.
Next, we use mail + any other contacts of your clients, and notify them of what happened, perhaps they will be interested so that information does not get into public domain and will be ready to buy out information separately.
-If there are no willing to buy, we simply publish everything that we have in the public resources.

© 2024 Nacugunder Corporation | All Rights Reserved.

How is Ransomware Like SchrodingerCat Distributed?

Ransomware like SchrodingerCat is typically distributed through various methods, including:

Phishing Emails: Cybercriminals often distribute ransomware through phishing emails containing malicious attachments or links. These emails may appear legitimate, tricking users into opening the attachment or clicking on the link, which then installs the ransomware onto the victim's system.

Malvertising: Malicious advertisements (malvertising) on websites can redirect users to sites hosting exploit kits that distribute ransomware. These ads may appear on legitimate websites and exploit vulnerabilities in the user's browser or plugins to install the ransomware silently.

Exploit Kits: Exploit kits are packages of malicious code designed to take advantage of vulnerabilities in software. Cybercriminals use exploit kits to infect users who visit compromised websites, exploiting vulnerabilities in their browsers or plugins to deliver and execute ransomware on their systems.

Remote Desktop Protocol (RDP) Attacks: Attackers may exploit weak or default credentials for remote desktop services, such as RDP, to gain unauthorized access to a system. Once inside, they can deploy ransomware directly onto the victim's network.

Drive-by Downloads: Drive-by downloads occur when ransomware is automatically downloaded and installed onto a user's system without their consent while visiting a compromised or malicious website. This often exploits vulnerabilities in the user's browser or plugins.

Infected Software or Files: Cybercriminals may distribute ransomware by disguising it as legitimate software or files available for download from the internet. Unsuspecting users download and run these files, inadvertently installing the ransomware on their systems.

USB and Removable Media: Ransomware can spread through infected USB drives or other removable media. When users insert an infected USB drive into their computer, the ransomware may automatically execute and infect the system.

To protect against ransomware attacks, users should practice good cybersecurity hygiene, including regularly updating software, using reputable antivirus software, being cautious of email attachments and links, and regularly backing up important data.

By Zaib
April 3, 2024
Ransomware
English
April 3, 2024
Ransomware

Popular Posts

As Fears of the Coronavirus Pandemic Spread, So Does...

4 years ago

Softcnapp Potentially Unwanted Application

2 months ago

What is Cdmx Ransomware?

3 months ago

Jegdex Scam

20 days ago

Venanco.com Scam

13 days ago

Error: Ox800VDS Pop-up Scam

9 days ago

Related Posts

Ransomware

Karsovrop Ransomware Demands Bitcoin Ransom

Karsovrop, a type of ransomware, is a malicious program that encrypts data and demands ransom payments for decryption. Our research team encountered Karsovrop while going over newly discovered malicious file samples.... Read more

January 18, 2024
Ransomware

Prestige Ransomware Lists No Ransom Demands

Prestige is the name of a new ransomware variant that is not related to any of the big ransomware families. Prestige will encrypt files found on the victim system's drives once deployed, scrambling their contents and... Read more

October 26, 2022
Ransomware

Rever Ransomware Lists No Ransom Demands

Rever ransomware is the name of a new strain of file-encrypting malware. There are no indicators that the new variant belongs to any of the big ransomware families. The Rever ransomware encrypts files, appending a new... Read more

August 18, 2022
English
Loading...

Cyclonis Backup Details & Terms

The Free Basic Cyclonis Backup plan gives you 2 GB of cloud storage space with full functionality! No credit card required. Need more storage space? Purchase a larger Cyclonis Backup plan today! To learn more about our policies and pricing, see Terms of Service, Privacy Policy, Discount Terms and Purchase Page. If you wish to uninstall the app, please visit the Uninstallation Instructions page.

Cyclonis Password Manager Details & Terms

FREE Trial: 30-Day One-Time Offer! No credit card required for Free Trial. Full functionality for the length of the Free Trial. (Full functionality after Free Trial requires subscription purchase.) To learn more about our policies and pricing, see EULA, Privacy Policy, Discount Terms and Purchase Page. If you wish to uninstall the app, please visit the Uninstallation Instructions page.

Home

Products

Cyclonis Backup Cyclonis Password Manager Cyclonis World Time

Support

Help Files FAQs Downloads Inquiries & Support

Company

About Us Contact Us Report Abuse

Legal (Post Merger)

EnigmaSoft Limited (fka Cyclonis Limited)

Cyclonis Backup's Terms of Service Cyclonis Password Manager's EULA Cyclonis World Time's Terms of Service Privacy Policy Cookie Policy Special Discount Offer Terms Additional Terms & Conditions SpyHunter EULA RegHunter EULA EnigmaSoft Privacy Policy & Cookie Policy ESG Privacy Policy & Cookie Policy EnigmaSoft Discount Offer Terms ESG Discount Offer Terms

© 2017-2024 Cyclonis Ltd. CYCLONIS is a trademark of EnigmaSoft Limited (Cyclonis was merged into EnigmaSoft Limited effective November 25, 2023.) All rights reserved.

Registered Office EnigmaSoft Limited: 1 Castle Street, 3rd Floor, Dublin 2 D02 XD82, Ireland.
EnigmaSoft Limited, Private Company Limited by shares, Company Registration Number 597114.

Windows is a trademark of Microsoft, registered in the U.S. and other countries.
Mac, iPhone, iPad and App Store are trademarks of Apple Inc., registered in the U.S. and other countries.
iOS is a registered trademark of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.
Android and Google Play are trademarks of Google LLC.