I have been following ransomware since it first started becoming popular in 2012 (ACCDFISA) and 2013 (CryptoLocker). For the most part, ransomware developers create generic ransom notes that provide information as to what has happened and payment instructions on how to get files back.
A few times we have seen some really scumbag moves by developers, such as Popcorn Time telling victims to infect other people to possibly get a free decryption key. Today, though, Michael Gillespie discovered a ransom note uploaded to ID-Ransomware that simply left me disgusted.
This ransom note is titled "Save Children" and shows a picture of a starving 2-year-old Nigerian orphan being given aid by a humanitarian worker. The note then goes on to say that the ransomware victim is now part of the fictitious GPAA, or Global Poverty Aid Agency, which it describes as a crowdfunding campaign to raise 1000 bitcoins to save children.
It's bad enough that these developers are hurting people and their businesses by encrypting their files, but to spout complete BS while taking advantage of the horrible misfortunes of others to earn money is just disgusting.
In the next section, I have decided to only provide the barest of details to help victims as the developers of this ransomware do not deserve any more of my time. We have also created a dedicated GPAA Ransomware Help & Support Topic for those who need support.
Fabian Wosar of Emsisoft has looked into this ransomware and has determined that it cannot be decrypted for free. Therefore, restore from backups, or try restoring from Shadow Volume Copies if they are still present, so you do not have to pay these people. Before restoring, make sure the infection is cleaned and that the backup itself was not reachable from (and encrypted by) the infected machine.
When encrypting files, the Global Poverty Aid Agency Ransomware will target the following file extensions:
.123, .3dm, .3dmap, .3ds, .3dxml, .3g2, .3gp, .602, .7z, .accdb, .act, .aes, .ai, .arc, .asc, .asf, .asm, .asp, .assets, .avi, .backup, .bak, .bat, .bdf, .blendl, .bmp, .brd, .bz2, .c, .c4dl, .catalog, .catanalysis, .catdrawing, .catfct, .catmaterial, .catpart, .catprocess, .catproduct, .catresource, .catshape, .catswl, .catsystem, .cdd, .cgm, .class, .cmd, .config, .cpp, .crt, .cs, .csr, .csv, .dae, .db, .dbf, .dch, .deb, .der, .dif, .dip, .djvu, .doc, .docb, .docm, .docx, .dot, .dotm, .dotx, .dwg, .dxf, .edb, .eml, .fbx, .fla, .flv, .frm, .gif, .gl, .gl2, .gpg, .gz, .h, .hpgl, .hwp, .ibd, .icem, .idf, .ig2, .igs, .ipt, .iso, .jar, .jasl, .java, .jpeg, .jpg, .js, .jsp, .key, .lay, .lay6, .ldf, .library, .m3u, .m4u, .mal, .max, .maxl, .mb, .mdb, .mdf, .mid, .mkv, .mml, .model, .mov, .mp3, .mp4, .mpeg, .mpg, .msg, .myd, .myi, .nef, .obj, .odb, .odg, .odp, .ods, .odt, .onetoc2, .ost, .otg, .otp, .ots, .ott, .p12, .paq, .pas, .pdf, .pem, .pfx, .php, .pl, .png, .pot, .potm, .potx, .ppam, .pps, .ppsm, .ppsx, .ppt, .pptm, .pptx, .ps, .ps1, .psd, .pst, .rar, .raw, .rb, .rtf, .sch, .session, .sh, .sldm, .sldx, .slk, .sln, .snt, .sql, .sqlite3, .sqlitedb, .stc, .std, .step, .sti, .stp, .stw, .suo, .svg, .swf, .sxc, .sxd, .sxi, .sxm, .sxw, .tar, .tbk, .tdg, .tgz, .tif, .tiff, .txt, .unity3d, .uop, .uot, .vb, .vbs, .vcd, .vdi, .vmdk, .vmx, .vob, .vsd, .vsdx, .wav, .wb2, .wk1, .wks, .wma, .wmv, .wrl, .xl, .xlc, .xlm, .xls, .xlsb, .xlsm, .xlsx, .xlt, .xltm, .xltx, .xlw, .xml, .zip, .xmind
When a file is encrypted, the ransomware scrambles the original file name and appends the .cerber6 extension to the encrypted file. For example, a file named test.jpg could be encrypted and renamed to 2BiwaFbX6wlPaDSy.cerber6. Because the original name is replaced rather than kept, the renamed file alone tells you nothing about what it used to be; victims will need their own inventory or backups to map files back. Note also that the .cerber6 extension mimics the naming used by the Cerber ransomware family; GPAA is a separate ransomware, so do not rely on the extension alone to identify the infection.
This ransomware does not create an autorun (persistence) entry and deletes its executable after running, so on an infected machine you should expect to find the renamed files and the ransom notes, but not the original dropper. It drops a ransom note named !READ.htm in each folder in which a file was encrypted, as well as on the Desktop. The text of the note is shown below.
Congradulations [sic]! Now you are a member of GPAA (Global Poverty Aid Agency). We need bitcoins, our crowdfunding goal is to get 1000 BTCs. 1 BTC for 1 CHILD!

>> Click Here To Buy Bitcoins <<

Q: What happened?
A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. These files could NOT be decrypted if you do not have the KEY (RSA4096).

Q: How can I get the decrypt programme?
A: Your task is 1.83 btc. Send the correct amount to the bitcoin address 19ZLfCEpxdskvWGLLhNUnM6dUG7yikhz2W. You can send more coins. When the goal is achieved, you will get the decrypt programme. Use your phone to pay it.

Q: Where to get the decrypt programme?
A: When the goal is achieved, we will send it to sc19ZLfCEpxdskvWGLLhNUnM6dUG7yikhz2W@outlook.com (You may register it first with the specified password: Save1000Children!!! ).

Q: What should I do?
A: Time waits for no man.
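The following script is an added example, not code from the original article or from any of the researchers named in it. It turns the on-disk traces described above into a triage sweep: it walks a directory tree looking for files renamed to <scrambled>.cerber6 and for copies of the !READ.htm note, flags folders where the two do not line up (the Desktop legitimately gets a note with no encrypted files; any other such folder is worth a look), and pulls the bitcoin address and contact e-mail out of the note text so they can be recorded as indicators. It assumes, from the one sample name on the page, that every scrambled stem is 16 alphanumeric characters; the sample directory tree and the note text it builds are constructed here for the demonstration. It does not attempt decryption and does not modify anything it finds.

```python
"""Triage sweep for GPAA ransomware artifacts (added example, not the article's code)."""
import os
import re
import tempfile
from dataclasses import dataclass, field

NOTE_NAME = "!READ.htm"
# Assumption: the scrambled stem is always 16 alphanumeric characters,
# as in the article's sample 2BiwaFbX6wlPaDSy.cerber6.
ENCRYPTED_RE = re.compile(r"^[A-Za-z0-9]{16}\.cerber6$")
# Legacy (P2PKH/P2SH) bitcoin address: base58, starts with 1 or 3, 26-35 chars.
BTC_RE = re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b")
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Constructed note text modelled on the one quoted above (HTML tags are
# illustrative; the real !READ.htm layout is not reproduced here).
SAMPLE_NOTE = (
    "<html><body><h1>Save Children</h1>"
    "<p>Send the correct amount to the bitcoin address "
    "19ZLfCEpxdskvWGLLhNUnM6dUG7yikhz2W. You can send more coins.</p>"
    "<p>We will send it to sc19ZLfCEpxdskvWGLLhNUnM6dUG7yikhz2W@outlook.com</p>"
    "</body></html>"
)


@dataclass
class SweepResult:
    encrypted: list = field(default_factory=list)           # <scrambled>.cerber6 files, relative to root
    notes: list = field(default_factory=list)               # folders holding a !READ.htm copy
    note_without_files: list = field(default_factory=list)  # note present, nothing encrypted (expected for Desktop)
    files_without_note: list = field(default_factory=list)  # encrypted files but no note (unexpected for GPAA)


def is_encrypted_name(name: str) -> bool:
    """True if a bare file name matches the GPAA renaming scheme."""
    return ENCRYPTED_RE.match(name) is not None


def extract_iocs(note_text: str) -> dict:
    """Pull payment address and contact e-mail out of a ransom note body."""
    return {
        "btc_addresses": set(BTC_RE.findall(note_text)),
        "emails": set(EMAIL_RE.findall(note_text)),
    }


def sweep(root: str) -> SweepResult:
    """Read-only walk of `root`; paths in the result are relative to it."""
    res = SweepResult()
    for dirpath, _dirs, files in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        enc_here = [f for f in files if is_encrypted_name(f)]
        note_here = NOTE_NAME in files
        res.encrypted += [os.path.join(rel_dir, f) for f in enc_here]
        if note_here:
            res.notes.append(rel_dir)
        if note_here and not enc_here:
            res.note_without_files.append(rel_dir)
        if enc_here and not note_here:
            res.files_without_note.append(rel_dir)
    for lst in (res.encrypted, res.notes, res.note_without_files, res.files_without_note):
        lst.sort()
    return res


def demo() -> SweepResult:
    """Build a constructed post-infection tree in a temp dir and sweep it."""
    layout = {
        "Desktop": [NOTE_NAME],                                    # note only, as the article describes
        "Documents": ["2BiwaFbX6wlPaDSy.cerber6", "Qm7rT2vKx9LpZc4E.cerber6", NOTE_NAME, "notes.txt"],
        "Pictures": ["aB3dE5fG7hJ9kL1m.cerber6"],                  # constructed anomaly: no note dropped
    }
    with tempfile.TemporaryDirectory() as root:
        for folder, names in layout.items():
            os.makedirs(os.path.join(root, folder))
            for name in names:
                with open(os.path.join(root, folder, name), "w", encoding="utf-8") as fh:
                    fh.write(SAMPLE_NOTE if name == NOTE_NAME else "opaque ciphertext")
        return sweep(root)


if __name__ == "__main__":
    result = demo()
    print(f"{len(result.encrypted)} encrypted files, notes in {result.notes}")
    print("note but no encrypted files:", result.note_without_files)
    print("encrypted files but no note:", result.files_without_note)
    print("IOCs:", extract_iocs(SAMPLE_NOTE))
```

Run it against a real root (for example a mounted image of the infected disk, read-only) by calling sweep() on that path instead of demo(); the folders it lists are where restoration from backup or Shadow Volume Copies has to be targeted, and the extracted address and e-mail are what you record for the help topic or for blocking.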