IRIS Ransomware Encrypts Data

ransomware

During our examination of new file samples, our research team came across a malicious program called IRIS, a variant built on the Chaos ransomware family. IRIS operates by encrypting files and then demanding payment for their decryption.

In our testing environment, this ransomware effectively locked files and added a four-character extension to their filenames. For example, a file originally named "1.jpg" would appear as "1.jpg.582m" after encryption, while "2.png" would become "2.png.2n02", and so forth for all affected files. Following this encryption process, IRIS altered the desktop wallpaper and left behind a ransom note named "read_it.txt".
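As a defensive illustration of the artifacts described above, the following added example (not code from the original article or from any vendor tool) walks a directory and flags the Chaos/IRIS footprint: file names carrying an appended random four-character extension plus a "read_it.txt" note. The extension regex and the hit threshold are heuristics chosen here; the sample tree is constructed inline.

```python
import re
import tempfile
from collections import Counter
from pathlib import Path

# Chaos-family builds such as IRIS append a random four-character
# alphanumeric tag after the original extension, e.g. "1.jpg.582m".
# The pattern is a heuristic (assumption): original name with a short
# extension, then a dot and exactly four lowercase letters/digits.
CHAOS_EXT_RE = re.compile(r"^(?P<orig>.+\.[A-Za-z0-9]{2,5})\.(?P<tag>[a-z0-9]{4})$")
RANSOM_NOTE = "read_it.txt"  # note name reported for IRIS


def scan_for_iris_artifacts(root, min_hits=3):
    """Walk `root` and collect files matching the rename pattern and any
    ransom note. Returns a summary dict with a 'suspicious' verdict."""
    renamed = []
    notes = []
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        if path.name.lower() == RANSOM_NOTE:
            notes.append(str(path))
            continue
        match = CHAOS_EXT_RE.match(path.name)
        if match:
            renamed.append((str(path), match.group("tag")))
    # A single odd name (e.g. "backup.2023.json") is noise; Chaos draws a
    # fresh tag per file, so many hits with many distinct tags is the signal.
    distinct_tags = Counter(tag for _, tag in renamed)
    many_renames = len(renamed) >= min_hits and len(distinct_tags) >= min_hits
    return {
        "renamed": renamed,
        "notes": notes,
        "suspicious": many_renames or bool(notes),
    }


def build_sample_tree():
    """Constructed sample, not a real infection: three renamed files,
    one clean file and one ransom note, mirroring the names in the text."""
    root = tempfile.mkdtemp(prefix="iris_demo_")
    for name in ("1.jpg.582m", "2.png.2n02", "report.docx.q7x1", "clean.txt"):
        Path(root, name).write_bytes(b"x")
    Path(root, RANSOM_NOTE).write_text("HACKED BY IRIS!!!!!!!!!!!\n")
    return root


if __name__ == "__main__":
    print(scan_for_iris_artifacts(build_sample_tree()))
```

The verdict is meant as a triage trigger for a host or file-share scan, not as proof of infection on its own.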

The message conveyed by IRIS explains that the victim's files have been encrypted and that retrieving them requires paying a ransom of $350, payable in XMR (Monero cryptocurrency). Additionally, the note warns that sensitive data belonging to the victim, such as browsing history and personally identifiable information, has been scraped and stolen. On that basis the note claims that wiping the device is not a solution, as the attackers threaten to disclose the stolen content if payment is not received.

IRIS Ransom Note Demands $350

The full text of the ransom note produced by IRIS reads as follows:

HACKED BY IRIS!!!!!!!!!!!

Hello!

First off, this is not personal, its just businuss

All of your files have been encrypted!

Your computer was infected with a ransomware virus. Your files have been encrypted and you won't
be able to decrypt them without our help.

What can I do to get my files back?

You can buy our special decryption software, this software will allow you to recover all of your data and remove the ransomware from your computer.The price for the software is $350. Payment can be made in Monero only.

What happens if i don't pay?

You may think of just reseting your pc… We have all of your files, your addresses, passwords, emails, credit cards, search history, wifi logs, plus we literally everything that is on your computer. If you are connected to a wifi network we now also have all the files from those devices also.

How do I buy Monero/XMR?

Look up a youtube video on how to buy the coin, or visit localmonero.co to buy from a seller.

Payment Type: Monero/Xmr Coin

Amount: $350 USD In Monero/XMR

Monero/XMR address to send to:
45R284b7KTQaeM5t8A2fv617CqMQFeuB3NTzJ2X28tfRmWaPyPQgvoHVjoppdY24gvV17CqMQFeuB3NTzJ2X28tfRmWaPyPQgvoHV

If you have any questions or issues contact: iriswaresupport@proton.me

HACKED BY IRIS (THE ONE AND ONLY)

How Can Ransomware Enter Your System?

Ransomware can infiltrate your system through various means, including:

Phishing Emails: One common method is through malicious emails containing attachments or links that, when clicked, execute the ransomware payload. These emails often masquerade as legitimate communications from trusted sources, enticing users to open them.

Malicious Websites: Visiting compromised or malicious websites can expose your system to ransomware. These sites may exploit vulnerabilities in your browser or plugins to download and execute ransomware without your knowledge.

Malvertising: Malicious advertisements, known as malvertising, can deliver ransomware payloads when clicked. These ads may appear on legitimate websites and exploit vulnerabilities in advertising networks to distribute malware.

Exploiting Vulnerabilities: Ransomware can exploit unpatched software vulnerabilities in your operating system or installed applications. Attackers may use exploit kits, which are packages of code designed to automate the exploitation of known vulnerabilities, to deliver ransomware payloads.

Remote Desktop Protocol (RDP) Attacks: Attackers may exploit weak or default credentials on exposed RDP services to gain unauthorized access to your system. Once inside, they can deploy ransomware and encrypt files.

Drive-by Downloads: Ransomware can also be delivered through drive-by downloads, where malware is automatically downloaded and executed when visiting a compromised or malicious website.

April 19, 2024
