The cybercrooks continue to release new variants of the CryptMix Ransomware and, the bad news is that all of them appear to be impossible to decrypt for free. In the past few months we came across CryptMix variants like the ‘0000 File Extension’ Ransomware and the Empty Ransomware, and today we’ll add yet another name to the list of file-encryption Trojans based on CryptMix – the Work Ransomware. The Work Ransomware is named like this because of the unique file extension it appends to the name of every encrypted file – ‘[32_random_characters].WORK.’ The ransom note that the Work Ransomware leaves behind can be found in the usual text file that CryptMix variants use – ‘_HELP_INSTRUCTION.TXT.’ The file in question is usually placed on the desktop, but it may sometimes also be located in the user folder, as well as in any folder containing the encrypted files.
The methods used to propagate the Work Ransomware are not innovative, and its authors have once again opted to rely on spam e-mails as the primary way to reach potential victims. The spam campaign that distributes the Work Ransomware uses fraudulent e-mail messages, which contain an attached document whose execution may prompt the user to enable Microsoft Office macro scripts. If this option is selected, the file will execute a corrupted macro, which unpacks the Work Ransomware’s payload and sets off the file-encryption process.
Sadly, reverting the damage that the Work Ransomware does to the files is not an easy task, and it might often be impossible unless you have a safe backup at your disposal. The secure encryption that the Work Ransomware uses guarantees that cybersecurity researchers will not be able to release a decryption tool that can help victims of the Work Ransomware or other encryption Trojans based on CryptMix.
The ransom message provided by the Work Ransomware does not mention a ransom payment, but you can rest assured that money is exactly what the threat’s authors are looking for. The only valuable part of their message is the contact details, which can be used to get in touch with them – [email protected], [email protected], [email protected], [email protected] and [email protected]. However, they do not present any proof that they are capable of decrypting files, so we advise against paying them any money.
After completing its attack, the Work Ransomware will make sure to wipe the Shadow Volume Copies and disable the System Restore, therefore further diminishing the victim’s chances of salvaging any files with the help of third-party file recovery software. The best thing to do if your data was taken hostage by the Work Ransomware is to run a credible anti-virus tool that will dispose of the threatening application. Once this task is complete, you should make sure to preserve the encrypted files since they will be required if a free decryption tool gets released.
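The two indicators described above (the ‘[32_random_characters].WORK’ file name pattern and the ‘_HELP_INSTRUCTION.TXT’ note) and the advice to preserve encrypted files for a possible future decryptor can be turned into a small triage script. The following is an added example written for this article, not code from the original page or from any security vendor: it walks a directory tree, flags files whose names match the pattern, lists where the ransom note was dropped, and writes a manifest (path, size, SHA-256) of the encrypted files so that they can be kept intact. The regular expression treats any 32 characters before ‘.WORK’ as a match, since the article does not state which character set the 32 random characters are drawn from; the sample directory it builds is constructed for demonstration only.

```python
import hashlib
import json
import os
import re
import tempfile

# Indicators taken from the article: encrypted files are renamed to
# "<32 random characters>.WORK" and a note "_HELP_INSTRUCTION.TXT" is dropped.
# The character set of the 32 characters is not stated, so any character is accepted.
ENCRYPTED_NAME = re.compile(r"^.{32}\.WORK$")
RANSOM_NOTE = "_HELP_INSTRUCTION.TXT"


def scan_tree(root):
    """Walk `root` and collect encrypted files, ransom notes and affected folders."""
    encrypted, notes = [], []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if ENCRYPTED_NAME.match(name):
                encrypted.append(path)
            elif name.upper() == RANSOM_NOTE:
                notes.append(path)
    return {
        "encrypted": sorted(encrypted),
        "notes": sorted(notes),
        "affected_dirs": sorted({os.path.dirname(p) for p in encrypted}),
    }


def write_preservation_manifest(encrypted_paths, manifest_path):
    """Record path, size and SHA-256 of each encrypted file as a JSON manifest.

    The hashes let a victim later confirm that the preserved copies are still
    the unmodified ciphertext a future decryptor would need. Returns the
    number of entries written.
    """
    entries = []
    for path in encrypted_paths:
        digest = hashlib.sha256()
        with open(path, "rb") as fh:
            for chunk in iter(lambda: fh.read(65536), b""):
                digest.update(chunk)
        entries.append({
            "path": path,
            "size": os.path.getsize(path),
            "sha256": digest.hexdigest(),
        })
    with open(manifest_path, "w", encoding="utf-8") as fh:
        json.dump(entries, fh, indent=2)
    return len(entries)


def build_sample_tree():
    """Constructed sample: a temp directory mimicking a folder after the attack."""
    root = tempfile.mkdtemp(prefix="work_triage_")
    docs = os.path.join(root, "Documents")
    os.makedirs(docs)
    # Two constructed "encrypted" files: 32 hex characters followed by .WORK.
    for i in range(2):
        with open(os.path.join(docs, f"{i:032x}.WORK"), "wb") as fh:
            fh.write(b"\x00" * (100 + i))
    # Constructed ransom note beside the encrypted files, as the article describes.
    with open(os.path.join(docs, RANSOM_NOTE), "w", encoding="utf-8") as fh:
        fh.write("constructed placeholder for the ransom note text\n")
    # An untouched file that must not be flagged.
    with open(os.path.join(root, "notes.txt"), "w", encoding="utf-8") as fh:
        fh.write("untouched file\n")
    return root


def demo():
    """Run the triage on the constructed sample; returns (scan result, manifest count)."""
    root = build_sample_tree()
    result = scan_tree(root)
    manifest = os.path.join(root, "preserve_manifest.json")
    count = write_preservation_manifest(result["encrypted"], manifest)
    return result, count


if __name__ == "__main__":
    scan, written = demo()
    print(f"encrypted files: {len(scan['encrypted'])}, notes: {len(scan['notes'])}, "
          f"affected folders: {scan['affected_dirs']}, manifest entries: {written}")
```

Run it against a real folder with `scan_tree("/path/to/suspect/folder")`; the manifest is written beside the files so that it travels with them when they are copied to offline storage.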