Ransomware is the most lethal cyber weapon of modern time. It has evolved itself as a global threat to cybersecurity. The stats itself is devastating. Cybersecurity Ventures forecasts that ransomware costs will reach $20 billion by 2021. The growing vogue shows an adverse effect on the amount of economy spent to counter such a problem. Recently new ransomware has been uncovered named Kupidon. It targets not only the corporate networks but also the user credentials of home users.
MalwareHunterTeam first discovered the latest ransomware on May 9th after being uploaded to ID-Ransomware. It quickly replicated itself across the networks to victimized the users by streaming into the ransomware identification site.
Submissions stats on ID-Ransomware for Kupidon
The amount of reported submissions shows the ferocious growth of the kupidon ransomware. Also, security personnel at Bleepingcomputer have collected some samples of the ransomware, which were based on conversations with sufferers. The Kupidon ransomware is using a particular remote desktop server, which is targeting both personal users and business firms.
Once the threat actors escalate through the system, it tries to encrypt the system files of computers. While encrypting the user data, it will annex the “.kupidon” extension to the original file’s name.
As for an example given below, a file named “JM tag.jpg” will be encrypted and further renamed to “JM tag.jpg.kupidon.”
With each folder being encrypted, ransomware also creates a ransom note named ‘!KUPIDON_DECRYPT.TXT.’ This note discloses the consequences and the amount that is to be paid by the victim. Besides, The disclosed note might differ accordingly for a business or an individual, ransom demands will merely depend upon the ethical position of the victim.
For Example, below, I have attached a ransom note designed for a corporate victim. It demands the amount to be paid in cryptocurrency $1,200 in bitcoins as well as it has identified the victim as a “commercial person.”
Whereas a home user might have to pay a ransom amount of $300, which depends upon his/her personal background and economic status.
While these ransom amounts are not as high as other ransomware families, they can still be too much for many people to pay.
Apparently, both variants of ransom note redirect the user to a dark web hosted on a TOR server. The visited site contains information about the process that a victim has to go through, so as to clear the payment. It consists of an email address that is to be used for payment instructions. As of now, the email address which is being used on the TOR site is ann4.orlova.892@yandex.ru.
How to decrypt the content?
Once the mentioned ransom is paid, the victim will receive their AES decryption key and the “Kupidon Virus Decryptor.” Using this AES decryption key, the victims can potentially recover their data and personal files, but this methodology has yet not been confirmed by BleepingComputer.
Further security personnel told that they are unable to find a sample of the Kupidon Ransomware, so there is no way to investigate for its weaknesses.
IOCs(Indicator of compromise):
Associated files:
!KUPIDON_DECRYPT.TXT
Ransom note text:
All your files have been encrypted with Kupidon Virus. Your unique id: xxxx As a private person you can buy decryption for 300$ in Bitcoins. But before you pay, you can make sure that we can really decrypt any of your files. The encryption key and ID are unique to your computer, so you are guaranteed to be able to return your files. To do this:
1) Download and install the Tor Browser ( https://www.torproject.org/download/ )
2) Open the http://oc3g3q5tznpubyasjgliqyykhxdfaqge4vciegjaapjchwtgz4apt6qd.onion/ web page in the Tor Browser and follow the instructions.
How to mitigate Kupidon ransomware?
- Update your system to its latest version. Mainly, Exploit satchels hosted on compromised websites are commonly used to spread intrusions. Hence, as a part of prevention, regular patching of vulnerable software is mandatory.
- Besides, disable javascript for your browser to avoid remote intrusions.
- Install WAF(web application firewall) and keep your security software up to date. It’s important to use antivirus software from a reputable company, doing so, will reduce the chances of security failure.
- Avoid providing personal information when responding to an email, gratuitous phone call, text message, or instant message. Intruders will trick employees into installing backdoor malware or manipulate the employee by claiming themselves to be from an IT firm. Make convinced to contact your IT department if you or your coworkers receive suspicious calls
- Also, Kupidon ransomware redirects you to the dark web site hosted on a remote server. Therefore, have a keen look at your daily data usage.
