Angry Duck is a ransomware that encrypts files using AES-512 cryptography. It has some odd quirks in its ransom note. These oddities make it apparent that Angry Duck was created by amateurs that may be using some ransomware toolkit or RaaS (Ransomware as a Service) utility to create their attacks.



Using corrupted email attachments, often in the form of corrupted Microsoft Offices or PDF files, may spread the Angry Duck Ransomware.

Apart from the corrupted email and social media messages, Angry Duck also may spread through corrupted online advertising or by hacking into the victim's computers directly.


Angry Duck attack is rudimentary when compared to some of the most threatening ransomware Trojans in the wild. Angry Duck does carry out an attack that is effective.

During encryption, Angry Duck appends the names of encrypted files with a ".adk" extension. For example, "sample.jpg" is renamed to "sample.jpg.adk". Angry Duck Ransomware is not capable of encrypting data located on external memory drives, removable media, or network drives, unlike other, more harmful ransomware. The Angry Duck Ransomware targets the following file types:


Following successful encryption, Angry Duck also changes the desktop wallpaper to a picture of a angry duck which reads:

*** ANGRY DUCK ***
All your important files have been encrypted using very strong cryptography (AES-512 
with RSA-64 FIPS grade encryption)
To recover your files, send 10 BTC to my private wallet.

The new wallpaper contains a ransom-demand message stating that files are encrypted and that the victim must pay a ransom of 10 Bitcoins (currently equivalent to ~$6484). As compared to other viruses of the same type, Angry Duck's ransom is large (the size of these ransoms usually fluctuates between .5 and 1.5 Bitcoin). Unfortunately, no further information is provided (such as where to send Bitcoin payment, how to decrypt files, time frame until deletion of decryption key, etc.) AES is an asymmetric cryptography and, thus, the encryption and decryption keys are identical, however, all keys are stored on remote servers controlled by cyber criminals who encourage victims to purchase them.