ATCK Ransomware Scrambles Victim Data

Upon investigation, it was determined that the ATCK malware belongs to the Dharma ransomware family. This malware encrypts files upon infiltration, generates two ransom notes ("info.txt" and a pop-up window), and modifies file names.

When altering file names, ATCK adds the victim's ID, email address, and the ".ATCK" extension to filenames. For example, "1.jpg" becomes "1.jpg.id-9ECFA84E.[attackattack@tutamail.com].ATCK", and "2.png" becomes "2.png.id-9ECFA84E.[attackattack@tutamail.com].ATCK".
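As an added example (not code from the original article), the naming scheme described above can be parsed to inventory affected files and recover the original names that need to be restored from backup. It assumes the victim ID is always eight hexadecimal characters, as in the article's sample; the function names and sample paths are constructed for illustration.

```python
import os
import re
from collections import Counter
from pathlib import PurePath

# Naming scheme from the article: <original>.id-<victim ID>.[<contact email>].ATCK
# Assumption: the victim ID is 8 hex characters, as in the article's sample.
MARKER = re.compile(
    r"^(?P<original>.+)\.id-(?P<victim_id>[0-9a-f]{8})"
    r"\.\[(?P<email>[^\[\]\s@]+@[^\[\]\s@]+)\]\.ATCK$",
    re.IGNORECASE,
)

def parse_name(path):
    """Return original name, victim ID and contact email, or None if no match."""
    match = MARKER.match(PurePath(path).name)
    return match.groupdict() if match else None

def summarize(paths):
    """Return ([(encrypted path, original name)], Counter keyed by (ID, email))."""
    hits, markers = [], Counter()
    for path in paths:
        info = parse_name(path)
        if info:
            hits.append((path, info["original"]))
            markers[(info["victim_id"].upper(), info["email"].lower())] += 1
    return hits, markers

def scan(root):
    """Walk a directory tree (read-only) and summarize every file name in it."""
    return summarize(
        os.path.join(folder, name)
        for folder, _dirs, files in os.walk(root)
        for name in files
    )

# Constructed sample listing; the first two names are the article's examples.
SAMPLE = [
    "C:/Users/a/Pictures/1.jpg.id-9ECFA84E.[attackattack@tutamail.com].ATCK",
    "C:/Users/a/Pictures/2.png.id-9ECFA84E.[attackattack@tutamail.com].ATCK",
    "C:/Users/a/Documents/report.docx",  # untouched file
    "C:/Users/a/Documents/notes.ATCK",   # extension alone is not the full marker
    "C:/Users/a/Desktop/info.txt",       # ransom note name, does not match
]

if __name__ == "__main__":
    hits, markers = summarize(SAMPLE)
    for path, original in hits:
        print(f"restore {original!r} <- {path}")
    for (victim_id, email), count in markers.items():
        print(f"{count} file(s) tagged id-{victim_id} [{email}]")
```

Calling `scan()` on a mounted share or a forensic image gives the same summary for real directory trees without modifying any file.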

The ransom note begins by stating that all files have been encrypted but assures the victim that files can be restored. It provides an email address, attackattack@tutamail.com, for contact, along with a specific ID. If there is no response within 12 hours, the note advises using another email, attackattack@cock.li.

The attackers offer to decrypt up to three files, each under 3MB in size and not containing valuable data like databases or backups.

Instructions for obtaining Bitcoins for payment are included, along with a warning against renaming encrypted files or attempting decryption with unauthorized software, as this could result in permanent data loss or increased ransom demands.

ATCK Ransom Note in Full

The complete text of the longer ransom note produced by ATCK reads as follows:

All your files have been encrypted!
Don't worry, you can return all your files!
If you want to restore them, write to the mail: attackattack@tutamail.com YOUR ID -
If you have not answered by mail within 12 hours, write to us by another mail:attackattack@cock.li
Free decryption as guarantee
Before paying you can send us up to 3 files for free decryption. The total size of files must be less than 3Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.)
How to obtain Bitcoins

Also you can find other places to buy Bitcoins and beginners guide here:
hxxp://www.coindesk.com/information/how-can-i-buy-bitcoins/
Attention!
Do not rename encrypted files.
Do not try to decrypt your data using third party software, it may cause permanent data loss.
Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

How Can You Minimize the Risk of Data Loss from Ransomware?

Minimizing the risk of data loss from ransomware involves implementing a combination of preventive measures and proactive strategies. Here are several effective steps you can take:

Regular Backups: Maintain regular and automated backups of your critical data. Ensure that backups are stored offline or in a separate network location that is not directly accessible from your main systems. This allows you to restore your data without paying a ransom if attacked.

Update Software and Patch Vulnerabilities: Keep all software, including operating systems and applications, up to date with the latest security patches. Vulnerabilities in outdated software can be exploited by ransomware attackers.

Use Antivirus and Endpoint Protection: Deploy reputable antivirus software and endpoint protection solutions on all devices. These tools can detect and block known ransomware threats.

Restrict User Permissions: Limit user access rights based on the principle of least privilege. Users should only have access to the resources necessary for their job functions, reducing the impact of ransomware if a system is compromised.

Implement Email Filtering and Web Security: Use email filtering solutions to block malicious attachments and links in emails. Similarly, implement web security controls to prevent users from accessing malicious websites that could distribute ransomware.

April 26, 2024