The Data Security Council of India (DSCI) released an advisory about file-locking malware that is likely spreading through spam emails, phishing, and malicious URLs. Researchers have dubbed the ransomware Alkhal and say it locks files on affected systems and drops two ransom notes, ReadMe.txt and ReadMe.bmp, with identical content. The DSCI did not disclose details on the origin of the ransomware or the threat actor(s) behind it, but said the infection also occurs through peer-to-peer networks and third-party downloaders.
Researchers at Cyclonis say the Trojan appends a ‘.alkhak’ suffix to every locked file and changes the desktop wallpaper to the file ‘Recovery.bmp’, which displays the instructions on how to pay the ransom. Experts at EnigmaSoft say that Alkhal does not change the names of the encrypted files, which sets it apart from most other ransomware.
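As an added example (not from the DSCI advisory or the cited researchers), a defender-side triage scan in Python that walks a directory tree for the indicators the report gives: the ‘.alkhak’ suffix and the ReadMe.txt / ReadMe.bmp / Recovery.bmp file names. The sample tree it builds and the verdict thresholds are constructed for illustration only.

```python
import os
import shutil
import tempfile
from collections import Counter

# File-system indicators reported for Alkhal in the coverage above: the suffix
# appended to locked files and the names of the ransom note / wallpaper files.
ENCRYPTED_SUFFIX = ".alkhak"
RANSOM_NOTE_NAMES = {"ReadMe.txt", "ReadMe.bmp", "Recovery.bmp"}

def classify(encrypted_count, note_count):
    """Turn raw indicator counts into a triage verdict (thresholds are our own)."""
    if encrypted_count and note_count:
        return "infected"    # locked files plus a ransom note: high confidence
    if encrypted_count or note_count:
        return "suspicious"  # a single indicator: needs an analyst's look
    return "clean"

def scan_tree(root):
    """Walk `root`, tally Alkhal indicators and recover the original file names.
    The reporting says only a suffix is appended, so stripping it gives an inventory."""
    encrypted = []
    notes = Counter()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(ENCRYPTED_SUFFIX):
                encrypted.append(os.path.join(dirpath, name))
            if name in RANSOM_NOTE_NAMES:
                notes[name] += 1
    originals = [os.path.relpath(p[: -len(ENCRYPTED_SUFFIX)], root) for p in encrypted]
    return {
        "encrypted_count": len(encrypted),
        "original_names": sorted(originals),
        "notes": dict(notes),
        "verdict": classify(len(encrypted), sum(notes.values())),
    }

def demo():
    """Build a constructed sample tree (not real malware output), scan it, clean up."""
    root = tempfile.mkdtemp(prefix="alkhal-demo-")
    try:
        docs = os.path.join(root, "Documents")
        os.makedirs(docs)
        for name in ("budget.xlsx" + ENCRYPTED_SUFFIX, "notes.docx" + ENCRYPTED_SUFFIX,
                     "ReadMe.txt", "ReadMe.bmp", "untouched.pdf"):
            with open(os.path.join(docs, name), "wb") as fh:
                fh.write(b"constructed sample")
        return scan_tree(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)
```

The recovered original names give an impact inventory for restoration from backup, which matters because the page notes no public decryptor exists.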
No tool is currently available to restore the encrypted files, so the decryption key can only be obtained from the ransomware operators. The ransom note also states that, if the ransom is paid, the victim will receive information on the vulnerability used to access their data and instructions on how to patch it. It further claims that the operators will recommend “special software that makes the most problems to hackers”.