I have been following ransomware since it first started becoming popular in 2012 (ACCDFISA) and 2013 (CryptoLocker). For the most part, ransomware developers create generic ransom notes that explain what has happened and give payment instructions for getting files back.

A few times we have seen some really scumbag moves by developers, such as Popcorn Time telling victims to infect other people to possibly get a free decryption key. Today, though, Michael Gillespie discovered a ransom note uploaded to ID-Ransomware that simply left me disgusted.

This ransom note is titled "Save Children" and shows a picture of a starving 2 year old Nigerian orphan being given aid by a humanitarian worker. The note then goes on to say that the ransomware victim is now part of the fictitious GPAA, or Global Poverty Aid Agency, which it describes as a crowdfunding campaign to raise 1000 bitcoins to save children.

[Image: Part of the GPAA Ransom Note]

It's bad enough that these developers are hurting people and their businesses by encrypting their files, but to spout complete BS while taking advantage of the horrible misfortunes of others to earn money is just disgusting.

In the next section, I have decided to only provide the barest of details to help victims as the developers of this ransomware do not deserve any more of my time. We have also created a dedicated GPAA Ransomware Help & Support Topic for those who need support.

What you need to know about the GPAA Ransomware

Fabian Wosar of Emsisoft has looked into this ransomware and has determined that it cannot be decrypted for free. Therefore, please restore from backups, or try restoring from shadow volume copies if they are still present, so you do not have to pay these people.

When encrypting files, the Global Poverty Aid Agency Ransomware will target the following file extensions:

.123, .3dm, .3dmap, .3ds, .3dxml, .3g2, .3gp, .602, .7z, .accdb, .act, .aes, .ai, .arc, .asc, .asf, .asm, .asp, .assets, .avi, .backup, .bak, .bat, .bdf, .blendl, .bmp, .brd, .bz2, .c, .c4dl, .catalog, .catanalysis, .catdrawing, .catfct, .catmaterial, .catpart, .catprocess, .catproduct, .catresource, .catshape, .catswl, .catsystem, .cdd, .cgm, .class, .cmd, .config, .cpp, .crt, .cs, .csr, .csv, .dae, .db, .dbf, .dch, .deb, .der, .dif, .dip, .djvu, .doc, .docb, .docm, .docx, .dot, .dotm, .dotx, .dwg, .dxf, .edb, .eml, .fbx, .fla, .flv, .frm, .gif, .gl, .gl2, .gpg, .gz, .h, .hpgl, .hwp, .ibd, .icem, .idf, .ig2, .igs, .ipt, .iso, .jar, .jasl, .java, .jpeg, .jpg, .js, .jsp, .key, .lay, .lay6, .ldf, .library, .m3u, .m4u, .mal, .max, .maxl, .mb, .mdb, .mdf, .mid, .mkv, .mml, .model, .mov, .mp3, .mp4, .mpeg, .mpg, .msg, .myd, .myi, .nef, .obj, .odb, .odg, .odp, .ods, .odt, .onetoc2, .ost, .otg, .otp, .ots, .ott, .p12, .paq, .pas, .pdf, .pem, .pfx, .php, .pl, .png, .pot, .potm, .potx, .ppam, .pps, .ppsm, .ppsx, .ppt, .pptm, .pptx, .ps, .ps1, .psd, .pst, .rar, .raw, .rb, .rtf, .sch, .session, .sh, .sldm, .sldx, .slk, .sln, .snt, .sql, .sqlite3, .sqlitedb, .stc, .std, .step, .sti, .stp, .stw, .suo, .svg, .swf, .sxc, .sxd, .sxi, .sxm, .sxw, .tar, .tbk, .tdg, .tgz, .tif, .tiff, .txt, .unity3d, .uop, .uot, .vb, .vbs, .vcd, .vdi, .vmdk, .vmx, .vob, .vsd, .vsdx, .wav, .wb2, .wk1, .wks, .wma, .wmv, .wrl, .xl, .xlc, .xlm, .xls, .xlsb, .xlsm, .xlsx, .xlt, .xltm, .xltx, .xlw, .xml, .zip, .xmind

When a file is encrypted it will scramble the file name and append the .cerber6 extension to the encrypted file. For example, a file named test.jpg could be encrypted and renamed as 2BiwaFbX6wlPaDSy.cerber6.

[Image: Folder of Encrypted Files]

This ransomware does not leave an autorun entry and deletes its executable after running. It drops a ransom note, as shown above, named !READ.htm in each folder where a file was encrypted and on the Desktop.
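Because the sample deletes itself, what a victim or responder usually has left to work with are the renamed files and the dropped notes. The following triage script is an added example, not code from the original article or from the ransomware; it encodes only the indicators given above (the .cerber6 extension on scrambled names, the !READ.htm note, a subset of the targeted extension list, and the sample's SHA256) and reports how far an infection reached in a folder tree. The assumption that every scrambled name is sixteen alphanumeric characters is taken from the single example 2BiwaFbX6wlPaDSy.cerber6 and should be loosened if real samples differ; the sample folder it builds is constructed test data.

```python
"""Offline triage helper for a suspected GPAA (".cerber6") infection.

Added example, not part of the original write-up or the malware. Only the
indicators the article gives are used: the ".cerber6" extension on renamed
files, the "!READ.htm" ransom note, the targeted-extension list (subset),
and the SHA256 of the sample.
"""
import hashlib
import os
import re
import tempfile
from pathlib import Path

# SHA256 of the sample named in the write-up's IOC section.
GPAA_SAMPLE_SHA256 = "7c5849d841df34c7e2da3447d2005b5cdc6b8207fa55ee0935ee0eed3f5c8285"

RANSOM_NOTE_NAME = "!READ.htm"

# Assumption: the one example, 2BiwaFbX6wlPaDSy.cerber6, is sixteen
# alphanumeric characters; adjust the length if real samples differ.
ENCRYPTED_NAME_RE = re.compile(r"^[A-Za-z0-9]{16}\.cerber6$")

# Subset of the extensions the article lists as targeted; extend as needed.
TARGETED_EXTENSIONS = {
    ".7z", ".accdb", ".bak", ".csv", ".db", ".doc", ".docx", ".jpg", ".jpeg",
    ".mdb", ".mdf", ".pdf", ".png", ".ppt", ".pptx", ".psd", ".sql", ".txt",
    ".vmdk", ".xls", ".xlsx", ".zip",
}


def sha256_of(path):
    """Hash a file in 1 MiB chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def matches_known_sample(path):
    """True if the file is the exact sample listed in the IOCs."""
    return sha256_of(path) == GPAA_SAMPLE_SHA256


def is_encrypted_name(name):
    """True if a file name looks like one the ransomware produced."""
    return ENCRYPTED_NAME_RE.match(name) is not None


def is_targeted(name):
    """True if a still-readable file carries an extension on the target list."""
    return Path(name).suffix.lower() in TARGETED_EXTENSIONS


def triage(root):
    """Walk `root` and summarise what the infection touched.

    Returns the encrypted files, the folders holding a ransom note, and the
    readable files whose extension is targeted (either restored already, or
    missed because the run was interrupted). "infected" requires both
    renamed files and at least one note, to avoid flagging a folder on one
    odd file name alone.
    """
    encrypted, note_dirs, at_risk = [], [], []
    for dirpath, _dirs, files in os.walk(root):
        if RANSOM_NOTE_NAME in files:
            note_dirs.append(dirpath)
        for name in files:
            full = os.path.join(dirpath, name)
            if is_encrypted_name(name):
                encrypted.append(full)
            elif name != RANSOM_NOTE_NAME and is_targeted(name):
                at_risk.append(full)
    return {
        "encrypted": sorted(encrypted),
        "note_dirs": sorted(note_dirs),
        "at_risk": sorted(at_risk),
        "infected": bool(encrypted) and bool(note_dirs),
    }


def build_sample_tree(root):
    """Constructed test data: a small share that looks as if it was hit."""
    root = Path(root)
    (root / "docs").mkdir(parents=True, exist_ok=True)
    (root / "docs" / "2BiwaFbX6wlPaDSy.cerber6").write_bytes(b"\x00" * 64)
    (root / "docs" / "Qw8nLk3vPz0sTy7R.cerber6").write_bytes(b"\x00" * 64)
    (root / "docs" / RANSOM_NOTE_NAME).write_text("Congradulations! ...")
    (root / RANSOM_NOTE_NAME).write_text("Congradulations! ...")
    (root / "docs" / "report.xlsx").write_bytes(b"PK\x03\x04")  # not encrypted
    (root / "notes.txt").write_text("untouched")
    (root / "setup.log").write_text("not a targeted extension")
    (root / "probe.bin").write_bytes(b"abc")  # for the hash check below
    return root


def demo():
    """Build the constructed tree in a temp dir, triage it, return the result."""
    with tempfile.TemporaryDirectory() as tmp:
        root = build_sample_tree(tmp)
        result = triage(root)
        result["probe_sha256"] = sha256_of(root / "probe.bin")
        result["probe_is_sample"] = matches_known_sample(root / "probe.bin")
        return result


if __name__ == "__main__":
    r = demo()
    print("infected:", r["infected"])
    print("encrypted files:", len(r["encrypted"]))
    print("folders with %s: %d" % (RANSOM_NOTE_NAME, len(r["note_dirs"])))
    print("readable targeted files:", len(r["at_risk"]))
```

Point `triage()` at a mounted copy of the affected share rather than the live host, and treat the "at_risk" list as the set of files to verify against backups first; the hash check is only useful if a copy of the dropper survived somewhere (mail quarantine, a download folder, or a forensic image), since the sample removes itself after running.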


IOCs

Hashes:

SHA256: 7c5849d841df34c7e2da3447d2005b5cdc6b8207fa55ee0935ee0eed3f5c8285

Ransom Note Text:

Congradulations! Now you are a member of GPAA(Global Poverty Aid Agency).
We need bitcoins,our crowdfunding goal is to get 1000 BTCs. 1 BTC for 1 CHILD!


>> Click Here To Buy Bitcoins <<

Q: What happened?
A: Ooops, your important files are encrypted.It means you will not be able to access them anymore until they are decrypted.
These files could NOT be decrypted if you do not have the KEY(RSA4096).

Q: How can I get the decrypt programme?
A: Your task is    1.83 btc.
Send the correct amount to the bitcoin address 
19ZLfCEpxdskvWGLLhNUnM6dUG7yikhz2W
You can send more coins.When the goal is achieved,you will get the decrypt programme.
Use your phone to pay it


Q: Where to get the decrypt programme?
A: When the goal is achieved,we will send it to sc19ZLfCEpxdskvWGLLhNUnM6dUG7yikhz2W@outlook.com 
(You may register it first with the specified password: Save1000Children!!! ).

Q: What should I do?
A: Time waits for no man.

Associated Bitcoin Addresses:

19ZLfCEpxdskvWGLLhNUnM6dUG7yikhz2W