Wormhole Ransomware Locks Victims' Files

In our investigation of the Wormhole malware, we determined that it functions as ransomware with the primary objective of encrypting files and demanding ransom for decryption. Alongside encrypting files, Wormhole alters filenames by appending the extension ".Wormhole" (e.g., renaming "1.jpg" to "1.jpg.Wormhole", "2.png" to "2.png.Wormhole", and so on).

The ransomware also presents a ransom note ("How to recover files encrypted by Wormhole.txt") that instructs victims to communicate with the attackers via Tox or qTox (providing download links for these tools). It advises victims to configure a proxy if the chat tool encounters internet connectivity issues.

Moreover, the note contains the attackers' Tox ID, which serves as the unique identifier victims must add in order to open a chat. It asks the victim to send one encrypted file together with their Wormhole ID so that the attackers can perform a test decryption.
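The indicators described above (the appended ".Wormhole" extension, the ransom note filename, and the Tox ID quoted in the note) are enough to triage a file share for this infection. The following is an added detection example written for this article, not code from the original page or from any vendor tool; the directory layout it builds is constructed for the demonstration, and the function names are the example's own.

```python
"""Added detection example (not from the original article): walk a directory
tree and report the Wormhole indicators the article describes:
  * files renamed with the appended ".Wormhole" extension
  * the ransom note "How to recover files encrypted by Wormhole.txt"
  * the attacker Tox ID quoted in that note
The sample tree built by build_sample_tree() is constructed for this example."""
import os
import tempfile

ENCRYPTED_EXT = ".Wormhole"
NOTE_NAME = "How to recover files encrypted by Wormhole.txt"
TOX_ID = ("503313BA88174FDF187C5009A43B45CBC144D313EFBF98BB75BFA084B5743E3E"
          "CA94499F95ED")


def build_sample_tree(base):
    """Create a constructed directory layout resembling an affected share."""
    docs = os.path.join(base, "Documents")
    pics = os.path.join(base, "Pictures")
    os.makedirs(docs)
    os.makedirs(pics)
    # Renamed files, exactly as the article describes (1.jpg -> 1.jpg.Wormhole)
    for name in ("1.jpg.Wormhole", "2.png.Wormhole"):
        with open(os.path.join(pics, name), "wb") as f:
            f.write(b"\x00opaque ciphertext\x00")
    with open(os.path.join(docs, "report.docx.Wormhole"), "wb") as f:
        f.write(b"\x00opaque ciphertext\x00")
    # A file the ransomware did not touch, to show it is not flagged
    with open(os.path.join(docs, "untouched.txt"), "w") as f:
        f.write("plain file, not renamed\n")
    # Ransom note dropped in more than one directory
    note_text = ("Please contact us via Tox.chat tool or qtox tool\n"
                 "Our TOX ID " + TOX_ID + "\n"
                 "Your Wormhole ID: -\n")
    for d in (base, docs):
        with open(os.path.join(d, NOTE_NAME), "w") as f:
            f.write(note_text)
    return base


def scan_for_wormhole(root):
    """Return a summary of Wormhole indicators found under root."""
    report = {"encrypted_files": [], "ransom_notes": [],
              "original_names": [], "tox_id_seen": False}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.endswith(ENCRYPTED_EXT):
                report["encrypted_files"].append(path)
                # Strip the appended extension to recover the pre-infection name
                report["original_names"].append(name[:-len(ENCRYPTED_EXT)])
            elif name == NOTE_NAME:
                report["ransom_notes"].append(path)
                with open(path, "r", errors="replace") as f:
                    if TOX_ID in f.read():
                        report["tox_id_seen"] = True
    for key in ("encrypted_files", "ransom_notes", "original_names"):
        report[key].sort()
    return report


def is_incident(report):
    """Triage rule: a single .Wormhole file or ransom note is enough to escalate."""
    return bool(report["encrypted_files"] or report["ransom_notes"])


def demo():
    """Build the constructed tree in a temp dir, scan it, and return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_for_wormhole(build_sample_tree(tmp))


if __name__ == "__main__":
    rep = demo()
    print(f"encrypted files: {len(rep['encrypted_files'])}, "
          f"ransom notes: {len(rep['ransom_notes'])}, "
          f"tox id in note: {rep['tox_id_seen']}, incident: {is_incident(rep)}")
```

The recovered original names are useful when scoping restoration from backup; the note count tells you how widely the ransomware traversed the tree, since it drops a copy per directory.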

Wormhole Ransom Note in Full

The complete text of the ransom note produced by Wormhole goes as follows:

Please contact us via Tox.chat tool or qtox tool
Download Tox.chat hxxps://tox.chat/download.html
Download qtox hxxps://github.com/qTox/qTox/blob/master/README.md#qtox
If your chat Tool cannot connect to the Internet, please set up a proxy.
Add our TOX ID and send an encrypted file and Wormhole ID for testing decryption.

Our TOX ID 503313BA88174FDF187C5009A43B45CBC144D313EFBF98BB75BFA084B5743E3ECA94499F95ED

Your Wormhole ID: -

How is Ransomware Commonly Distributed Online?

Ransomware is commonly distributed online through various methods, often leveraging social engineering tactics and vulnerabilities in software or systems. Here are some common distribution methods:

Phishing Emails: One of the most prevalent methods is through phishing emails that contain malicious attachments or links. These emails are designed to appear legitimate and may trick users into opening attachments or clicking on links that download and execute ransomware onto their systems.

Malicious Links: Ransomware can be distributed through malicious links shared via email, social media, or instant messaging platforms. Clicking on these links may lead to the download and execution of ransomware on the victim's device.

Exploit Kits: Cybercriminals use exploit kits to exploit vulnerabilities in software or web browsers. When a user visits a compromised website, the exploit kit automatically downloads and installs ransomware onto the victim's computer without their knowledge.

Remote Desktop Protocol (RDP) Compromise: Attackers exploit weak or default credentials for Remote Desktop Protocol (RDP) to gain unauthorized access to a victim's system. Once inside, they deploy ransomware to encrypt files and demand a ransom.

Malvertising: Malicious advertisements (malvertising) on legitimate websites can redirect users to websites hosting ransomware. These advertisements may appear on popular websites and exploit vulnerabilities in the user's browser or plugins to deliver ransomware.

April 29, 2024