Discovered by Jakub Kroustek, PLEX is malicious software belonging to the Crysis/Dharma ransomware family. Systems infected with this malware have their data encrypted, and victims receive ransom demands for decryption.

During the encryption process, all compromised files are renamed according to the following pattern: original filename, unique ID assigned to the victims, cyber criminals' email address and the ". For example, a file such as "1.jpg" would appear as something similar to " following encryption. After this process is complete, a text file ("FILES ENCRYPTED.txt") is created on the desktop and a pop-up window is displayed. Updated variants of this ransomware use the " extension for encrypted files.

The text file ("FILES ENCRYPTED.txt") informs victims that their data has been encrypted. If they wish to recover it, they are instructed to send a message to the cyber criminals behind the ransomware infection via email. The ransom message in the pop-up window provides more information concerning the encryption. It adds that the email messages must contain the unique ID (generated individually for each victim). Should the affected users fail to receive a response within twelve hours, they are instructed to use the alternative mail address. Victims are alerted that renaming the encrypted files or trying to decrypt them with third party decryption tools/software can lead to permanent data loss. Additionally, the message warns that asking for help from third parties can lead to increased financial loss.

Unfortunately, in most cases of ransomware infections, decryption is impossible without the involvement of the criminals responsible, unless the malware has bugs/flaws or is still in development. Whatever the case, you are strongly advised against communicating with and/or meeting the ransom demands of cyber criminals. Despite paying, victims do not receive the promised decryption tools/software. Therefore, the files remain encrypted and useless, and the victims also experience significant financial loss. To prevent PLEX from further encryption, the ransomware must be eliminated from the operating system; however, this will not restore already compromised data. The only solution is to recover the files from a backup, provided one was made prior to the infection and was stored in a separate location.

Screenshot of a message encouraging users to pay a ransom to decrypt their compromised data:

CryptoDarkRubix, DEMON, Baraka Team and Happychoose are some examples of other ransomware-type programs. Malware classified as such is designed to encrypt files and demand payment for the decryption tools/software. There are two main differences between these programs/infections: the cryptographic algorithm they use (symmetric or asymmetric) and ransom size. The latter varies from three to four digits (in USD). The ransoms are required to be paid in digital currencies (e.g.
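The renaming pattern and the "FILES ENCRYPTED.txt" note described in this write-up can be turned into a triage check that lists affected files and recovers their original names for matching against backups. This is an added example, not code from the original page; the exact separators (`.id-<ID>.[<email>].<extension>`) are an assumption about how the four parts are joined, and every sample path, ID, address and extension below is constructed.

```python
import re
from pathlib import PureWindowsPath

NOTE_NAME = "FILES ENCRYPTED.txt"  # ransom note file name given in the write-up

# ASSUMPTION: the four parts named in the write-up are joined as
#   <original name>.id-<ID>.[<email>].<extension>
RENAMED = re.compile(
    r"^(?P<original>.+)\.id-(?P<victim_id>[0-9A-Za-z]+)"
    r"\.\[(?P<contact>[^\]\s]+@[^\]\s]+)\]\.(?P<ext>[0-9A-Za-z]+)$"
)


def triage(paths):
    """Return ransom notes found and renamed files grouped by victim ID."""
    notes, victims = [], {}
    for raw in paths:
        name = PureWindowsPath(raw).name  # accepts both \ and / separators
        if name.casefold() == NOTE_NAME.casefold():
            notes.append(raw)
            continue
        m = RENAMED.match(name)
        if m is None:
            continue  # not renamed with this pattern
        entry = victims.setdefault(
            m["victim_id"].upper(),
            {"contacts": set(), "extensions": set(), "originals": []},
        )
        entry["contacts"].add(m["contact"].lower())
        entry["extensions"].add(m["ext"].lower())
        entry["originals"].append(m["original"])  # name to look up in backups
    return {"notes": notes, "victims": victims}


# Constructed sample listing: ID, address and extension are placeholders.
SAMPLE = [
    r"C:\Users\alice\Desktop\FILES ENCRYPTED.txt",
    r"C:\Users\alice\Pictures\1.jpg.id-1A2B3C4D.[contact@example.com].EXAMPLE",
    r"C:\Users\alice\Docs\report.v2.docx.id-1a2b3c4d.[contact@example.com].EXAMPLE",
    r"C:\Users\alice\Docs\untouched.pdf",
]

if __name__ == "__main__":
    result = triage(SAMPLE)
    print("ransom notes:", result["notes"])
    for victim_id, info in result["victims"].items():
        print(victim_id, sorted(info["contacts"]), info["originals"])
```

Feed it a recursive file listing exported from the affected host; more than one victim ID or contact address in the output suggests more than one infection event.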