Udaigen Ransomware Will Encrypt Victim Files

During our investigation of new file submissions, our team made an interesting discovery - a ransomware variant called Udaigen. This malicious program functions by encrypting files and then demanding a ransom in exchange for the decryption key.

Upon testing Udaigen on our designated machine, we observed that it encrypted files and modified their filenames by adding a ".jcrypt" extension. For instance, a file named "1.jpg" transformed into "1.jpg.jcrypt", and "2.png" became "2.png.jcrypt", and so on. Once the encryption process concluded, the ransomware presented a pop-up window alongside a text file named "_RECOVER__FILES.jcrypt.txt".

Both the pop-up message and the text file contained ransom notes conveying similar information. The messages informed the victim that their files had been encrypted and provided instructions to facilitate the decryption process. The victim was instructed to transfer a payment of 2 BTC (Bitcoin cryptocurrency) to acquire the necessary decryption key. As of the time of writing, this amount equates to approximately 57 thousand USD. It is worth noting that exchange rates are subject to frequent fluctuations, and therefore, the conversion may not be entirely accurate at present.

Udaigen Ransom Note Lists Encrypted Files

The full text of the Udaigen ransom note reads as follows:

All of your files have been encrypted.

To unlock them, please send 2 bitcoin(s) to BTC address: 35tNmAJqbWwPHGLZT15eQthyP7AwT1DNiv
Afterwards, please email your transaction ID to: udai@membermail.net

Being a lazy bit*h isn't going to get your files back.

Encryption Log:
(list of files)
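
The ".jcrypt" extension, the note file name and the "Encryption Log:" heading described above are enough to inventory an affected folder before restoring from backup. The script below is an added example, not code from the original article or from the malware; the function names are hypothetical, and it assumes the log lists one full path per line, which the article does not confirm (it shows only "(list of files)").

```python
import os
import tempfile
from pathlib import Path

ENC_EXT = ".jcrypt"                       # extension reported on this page
NOTE_NAME = "_RECOVER__FILES.jcrypt.txt"  # note file name reported on this page
LOG_MARKER = "Encryption Log:"            # heading shown in the note text

def parse_note_log(text):
    """Entries after 'Encryption Log:'. Assumption: one path per line."""
    _, found, tail = text.partition(LOG_MARKER)
    return [ln.strip() for ln in tail.splitlines() if ln.strip()] if found else []

def triage(root):
    """Inventory notes and renamed files under root for restore planning."""
    notes, encrypted = [], {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if name == NOTE_NAME:
                notes.append(full)
            elif name.lower().endswith(ENC_EXT) and len(name) > len(ENC_EXT):
                encrypted[full] = name[:-len(ENC_EXT)]  # "1.jpg.jcrypt" -> "1.jpg"
    logged = []
    for note in notes:
        logged += parse_note_log(Path(note).read_text(errors="replace"))
    # Assumption: log entries are full paths, written before or after the rename.
    unmatched = [p for p in logged
                 if p not in encrypted and p + ENC_EXT not in encrypted]
    return {"notes": notes, "encrypted": encrypted, "unmatched_log": unmatched}

def build_sample(root):
    """Constructed sample tree; file contents are placeholders, not real samples."""
    for name in ("1.jpg.jcrypt", "2.png.jcrypt", "untouched.txt"):
        Path(root, name).write_bytes(b"placeholder")
    note = ("All of your files have been encrypted.\n\nEncryption Log:\n"
            f"{os.path.join(root, '1.jpg')}\n{os.path.join(root, '2.png')}\n"
            f"{os.path.join(root, 'gone.docx')}\n")
    Path(root, NOTE_NAME).write_text(note)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        result = triage(tmp)
        print(len(result["notes"]), "note(s),", len(result["encrypted"]), "renamed file(s)")
        for path in result["unmatched_log"]:
            print("listed in note but not found:", path)
```

Entries in `unmatched_log` are files the note claims were encrypted but that were not found under the scanned root, so they need to be located or restored separately.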

How Can Ransomware Like Udaigen Get on Your Computer?

There are several ways through which ransomware like Udaigen can infect your computer. Here are some common methods:

  • Email attachments: Ransomware can be distributed through malicious email attachments. Cybercriminals often send phishing emails disguised as legitimate messages from reputable sources. These emails may contain infected attachments, such as documents or compressed files, which, when opened, execute the ransomware on your computer.
  • Infected websites and downloads: Visiting compromised or malicious websites can expose your computer to ransomware. Cybercriminals may inject malicious code into websites, which can exploit vulnerabilities in your web browser or plugins to silently download and install ransomware on your system. Illegitimate downloads from untrusted sources can also contain ransomware.
  • Malicious links and ads: Clicking on malicious links or advertisements can lead to ransomware infections. These links can be found in emails, social media platforms, or even legitimate-looking websites. Once clicked, they can redirect you to websites hosting ransomware or initiate a drive-by download, automatically installing the ransomware on your computer without your knowledge.
  • Exploiting software vulnerabilities: Ransomware developers often take advantage of security vulnerabilities in operating systems, software applications, or plugins. By exploiting these vulnerabilities, they can gain unauthorized access to your computer and deploy ransomware.
  • Remote Desktop Protocol (RDP) attacks: If you have enabled Remote Desktop on your computer without proper security measures, cybercriminals can exploit weak or default credentials to gain access to your system. Once inside, they can install ransomware or other malware.
  • Malicious software updates: Attackers may compromise legitimate software update mechanisms and distribute fake updates containing ransomware. When users unknowingly install these updates, the ransomware is deployed on their systems.
June 22, 2023