For the past week we have had reports of a new Supercrypt ransomware that appears to be affecting European computers. This ransomware will scan a computer's local and mapped drives and encrypt any data files that it finds. Any files that are encrypted by this infection will have their extension changed to .SUPERCRYPT
. A ransom note called HOW-TO-DECRYPT-FILES.txt
will also be placed on the desktop, which contains instructions to send an enclosed unique code and an encrypted file to the email address firstname.lastname@example.org. Victims who have performed these steps have received a reply by the developer that included a decrypted version of the file and instructions on how to pay the ransom. The current price of the ransom is 300 Euros and can be paid in the form of Ukash vouchers or by sending 1 bitcoin. Victims who have paid the ransom were sent a decryption program that was able to decrypt their files.
Early reports indicate that computers infected by the SuperCrypt ransomware are being manually hacked by the malware developer via Remote Desktop or Terminal Services. Once the computer is hacked, the malware dev will run a password protected installer that performs the encryption. Once the encryption is done, the hacker will remove the installers from the computer.
There are numerous researchers analyzing the samples and encrypted files. As more information is discovered we will update this topic. We also have a dedicated support topic, which can be found here: SuperCrypt Ransomware Support Topic