A new variant of the Apocalypse Ransomware was released that utilizes the VMProtect software protection product. Using VMProtect, the ransomware developers hoped to make it more difficult for security researchers to reverse engineer their ransomware. 

Over the weekend, Fabian Wosar, of Emsisoft, was able to get past the VMProtect protection and create a decryptor for files encrypted by the latest variant of the Apocalypse Ransomware. This new variant uses the .encrypted and .locked extensions and will create a ransom note called [filename].How_To_Get_Back.txt for each file that is encrypted. For example, the ransom note for the test.jpg file will be called test.jpg.How_To_Get_Back.txt.

To decrypt your files, you can download the ApocalypseVM decryptor from the link below.

Apocalypse Decryptor

Once downloaded, you will most likely need to drag an encrypted and an unencrypted copy of the same file on top of the decryptor in order to generate the key. These files also need to be at least 4096 bytes in size for this process to work. If a key is found, the decryptor will show an alert like the one below.

Key Found

If a key is found, press OK and follow the prompts till you get to the main screen. You can then click on the Decrypt button to decrypt the C: drive. If there are other drives you need to decrypt, you can add them at this screen as well.

The decryptor will then decrypt your files and display a screen similar to the one below.

Files Decrypted

The files should now be decrypted and you can exit the program.
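Finding a usable encrypted/unencrypted pair is usually the slow part of the key-generation step above. The following script is an added example, not part of the original article or of the Emsisoft tool: it walks an affected folder and a clean backup of it, counts the encrypted files and ransom notes, and lists pairs where both copies are at least 4096 bytes. It assumes the ransomware appends its extension to the original file name and that the backup mirrors the affected folder's layout; the function names are hypothetical.

```python
import os
import sys

ENCRYPTED_EXTS = (".encrypted", ".locked")    # extensions named in the article
NOTE_SUFFIX = ".how_to_get_back.txt"          # ransom note suffix, lower-cased
MIN_SIZE = 4096                               # minimum size the decryptor needs

def original_name(name):
    """Pre-encryption file name, or None if `name` is not an encrypted file.
    Assumption: the extension is appended to the full original name."""
    for ext in ENCRYPTED_EXTS:
        if name.lower().endswith(ext) and len(name) > len(ext):
            return name[:-len(ext)]
    return None

def walk_files(root):
    """Yield (path relative to root, absolute path) for every file under root."""
    for dirpath, _, files in os.walk(root):
        for f in files:
            full = os.path.join(dirpath, f)
            yield os.path.relpath(full, root), full

def find_key_pairs(affected_root, backup_root):
    """Return (pairs, note_count, encrypted_count) for an affected tree.
    pairs: (encrypted file, clean backup copy), both at least MIN_SIZE bytes."""
    backup = {rel: full for rel, full in walk_files(backup_root)
              if os.path.getsize(full) >= MIN_SIZE}
    pairs, notes, encrypted = [], 0, 0
    for rel, full in walk_files(affected_root):
        if rel.lower().endswith(NOTE_SUFFIX):
            notes += 1
            continue
        orig = original_name(os.path.basename(rel))
        if orig is None:
            continue
        encrypted += 1
        orig_rel = os.path.join(os.path.dirname(rel), orig)
        if orig_rel in backup and os.path.getsize(full) >= MIN_SIZE:
            pairs.append((full, backup[orig_rel]))
    return sorted(pairs), notes, encrypted

if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: find_pairs.py <affected_dir> <backup_dir>")
    pairs, notes, encrypted = find_key_pairs(sys.argv[1], sys.argv[2])
    print(f"{encrypted} encrypted files, {notes} ransom notes, {len(pairs)} usable pairs")
    for enc, clean in pairs:
        print(f"  {enc}  <->  {clean}")
```

Run it read-only against a copy or a mounted image of the affected drive, so nothing on the original disk is modified before decryption.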
