A new variant of the Apocalypse Ransomware was released that utilizes the VMProtect software protection product. Using VMProtect, the ransomware developers hoped to make it more difficult for security researchers to reverse engineer their ransomware.
Looks like the Apocalypse guys started obfuscating their malware with VMProtect. Please shoot me now :P
— Fabian Wosar (@fwosar) June 18, 2016
Over the weekend, Fabian Wosar, of Emsisoft, was able to get past the VMProtect protection and create a decryptor for the latest variant of the Apocalypse Ransomware's encrypted files. This new variant uses the .encrypted and .locked extensions and will create a ransom note called [filename].How_To_Get_Back.txt for each file that is encrypted. For example, the ransom note for the test.jpg file will be called test.jpg.How_To_Get_Back.txt.
To decrypt your files, you can download the ApocalypseVM decryptor from the link below.
Once downloaded, you will most likely need to drag an encrypted and an unencrypted copy of the same file on top of the decryptor in order to generate the key. Both files also need to be at least 4096 bytes in size for this process to work. If a key can be found, the decryptor will show an alert like the one below.
If a key is found, press OK and follow the prompts until you get to the main screen. You can then click on the Decrypt button to decrypt the C: drive. If there are other drives you need to decrypt, you can add them at this screen as well.
The decryptor will then decrypt your files and display a screen similar to the one below.
The files should now be decrypted and you can exit the program.
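As an added illustration (not part of the article or of Emsisoft's decryptor), the following Python script inventories files carrying the extensions and per-file ransom-note names described above and picks out encrypted/clean pairs that meet the 4096-byte requirement for the decryptor's key-recovery step. It assumes the ransomware appends its extension to the original filename (test.jpg -> test.jpg.encrypted) and that clean copies can be found in a backup tree; the sample files it builds are constructed for the demonstration.

```python
import tempfile
from pathlib import Path

# Indicators from the article; "extension appended to the original name" is assumed.
ENCRYPTED_EXTS = (".encrypted", ".locked")
NOTE_SUFFIX = ".How_To_Get_Back.txt"
MIN_PAIR_SIZE = 4096  # the decryptor needs a file pair of at least this size

def original_name(path):
    """test.jpg.encrypted -> 'test.jpg'; None if not a ransomware extension."""
    for ext in ENCRYPTED_EXTS:
        if path.name.endswith(ext):
            return path.name[: -len(ext)]
    return None

def inventory(root):
    """Map original name -> record for every encrypted file under root."""
    records = {}
    for path in Path(root).rglob("*"):
        name = original_name(path) if path.is_file() else None
        if name is None:
            continue
        size = path.stat().st_size
        records[name] = {"encrypted": path, "size": size,
                         "note_present": (path.parent / (name + NOTE_SUFFIX)).is_file(),
                         "key_candidate": size >= MIN_PAIR_SIZE}  # big enough for key recovery
    return records

def key_pairs(root, backup_root):
    """Return [(encrypted, clean)] pairs usable for the decryptor's key step."""
    backups = {p.name: p for p in Path(backup_root).rglob("*") if p.is_file()}
    return [(rec["encrypted"], backups[name])
            for name, rec in inventory(root).items()
            if rec["key_candidate"] and name in backups
            and backups[name].stat().st_size >= MIN_PAIR_SIZE]

def demo():
    """Constructed sample tree: one usable pair, one file too small for the key."""
    with tempfile.TemporaryDirectory() as tmp:
        victim, backup = Path(tmp, "victim"), Path(tmp, "backup")
        victim.mkdir(); backup.mkdir()
        (victim / "test.jpg.encrypted").write_bytes(b"\x00" * 5000)
        (victim / "test.jpg.How_To_Get_Back.txt").write_text("ransom note")
        (victim / "tiny.doc.locked").write_bytes(b"\x00" * 100)
        (backup / "test.jpg").write_bytes(b"\xff" * 5000)
        pairs = [(e.name, c.name) for e, c in key_pairs(victim, backup)]
        return inventory(victim), pairs

if __name__ == "__main__":
    print(demo())
```

Point `inventory()` at the affected drive and `key_pairs()` at a backup or mail-attachment folder to find a file pair worth dragging onto the decryptor.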
Comments
Amigo-A - 1 year ago
Thankee!
Demonslay335 - 1 year ago
It should also be noted that it seems ApocalypseVM is being run by targeted attacks on RDP services on servers. Everyone should really lock down their remote services, as this has been a trend with many ransomware variants in the last 2 years.