BlackHeart is an encryption ransomware Trojan that was first observed in April 2018. Several closely related variants were released in the weeks leading up to BlackHeart's appearance, and it is likely that BlackHeart is just one of many variants in a ransomware family that is being produced with a ransomware builder, a tool used to generate different versions of the same encryption ransomware Trojan.
BlackHeart is a typical encryption ransomware and thus shares many similarities with MaxiCrypt, Satyr, Spartacus, NMCRYPT, and dozens of other ransomware threats.
BlackHeart takes the victim's files hostage by encrypting them with the AES algorithm so that they can no longer be opened. It targets user-generated files of a wide variety of types, including documents, media files, databases, archives, and source code. The following are some examples of the file extensions that threats like BlackHeart target in their attacks:
.3dm, .3g2, .3gp, .7zip, .aaf, .accdb, .aep, .aepx, .aet, .ai, .aif, .as, .as3, .asf, .asp, .asx, .avi, .bmp, .c, .class, .cpp, .cs, .csv, .dat, .db, .dbf, .doc, .docb, .docm, .docx, .dot, .dotm, .dotx, .dwg, .dxf, .efx, .eps, .fla, .flv, .gif, .h, .idml, .iff, .indb, .indd, .indl, .indt, .inx, .jar, .java, .jpeg, .jpg, .js, .m3u, .m3u8, .m4u, .max, .mdb, .mid, .mkv, .mov, .mp3, .mp4, .mpa, .mpeg, .mpg, .msg, .pdb, .pdf, .php, .plb, .pmd, .png, .pot, .potm, .potx, .ppam, .ppj, .pps, .ppsm, .ppsx, .ppt, .pptm, .pptx, .prel, .prproj, .ps, .psd, .py, .ra, .rar, .raw, .rb, .rtf, .sdf, .ses, .sldm, .sldx, .sql, .svg, .swf, .tif, .txt, .vcf, .vob, .wav, .wma, .wmv, .wpd, .wps, .xla, .xlam, .xll, .xlm, .xls, .xlsb, .xlsm, .xlsx, .xlt, .xltm, .xltx, .xlw, .xml, .xqx, .zip.
Once BlackHeart has encrypted a file, the file becomes inaccessible. BlackHeart marks the affected files by appending a new extension to their names; different variants of the BlackHeart Ransomware have been observed using different extensions, including '.pay2me' and '.BlackRouter'. BlackHeart delivers two ransom notes: one in a text file named 'ReadME-BlackHeart.txt' and the other in a program window titled 'Black Heart - Your Files Crypted.' The text file contains the following message:
All your data has been locked us. You want to return? Contact to: firstname.lastname@example.org Your Personal KEY: [RANDOM CHARCTERS]
The program window displays the following message to the victim of the BlackHeart Ransomware attack:
Black Heart Personal Key: [RANDOM CHARCTERS] [Copy to clipboard|BUTTON] Warning: Please Don't Restart og Shutdown Your PC , If you do it Your Personal Files Permanently Crypted. For Decrypt Your Personal Just Pay 200$ or 0.024 BTC . After Pay You can sebd personal key to EMail: email@example.com BTC Transfer Address: [34 RANDOM CHARCTERS]
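The two host-based indicators the write-up gives, the appended extensions '.pay2me' and '.BlackRouter' and the ransom note file 'ReadME-BlackHeart.txt', are enough for a first-pass triage of a file listing taken from a suspect machine. The following is an added example written for this page, not code from the original write-up or from any vendor tool: it classifies each path, recovers the original extension from under the appended marker, counts how many encrypted files fall in each directory, and flags directories that contain a ransom note or where a large share of files have been renamed. The sample path list, the directory ratio threshold, and the function names are assumptions made for the example; the targeted-extension set is a subset of the list above.

```python
"""Offline triage of a file listing for the BlackHeart indicators described
in the write-up. Added example; the path list and thresholds are constructed."""
from collections import Counter, defaultdict
from pathlib import PurePosixPath

# Indicators from the write-up, matched case-insensitively.
RANSOM_NOTE_NAME = "readme-blackheart.txt"
APPENDED_EXTENSIONS = {".pay2me", ".blackrouter"}

# Subset of the extensions the write-up lists as targeted.
TARGETED_EXTENSIONS = {
    ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf", ".txt",
    ".jpg", ".jpeg", ".png", ".mp3", ".mp4", ".mdb", ".sql", ".db",
    ".zip", ".rar", ".c", ".cpp", ".py", ".java",
}

# Constructed sample listing (not real forensic data); assumption for this example.
SAMPLE_PATHS = [
    "/home/user/Documents/budget.xlsx.pay2me",
    "/home/user/Documents/thesis.docx.pay2me",
    "/home/user/Documents/ReadME-BlackHeart.txt",
    "/home/user/Documents/notes.txt",
    "/home/user/Pictures/holiday.jpg.BlackRouter",
    "/home/user/Pictures/ReadME-BlackHeart.txt",
    "/home/user/Pictures/logo.svg",
    "/mnt/share/backup.zip.pay2me",
    "/mnt/share/README.txt",
    "/usr/bin/python3",
]


def classify_path(path):
    """Return what a single path tells us: ransom note, encrypted file, or clean."""
    p = PurePosixPath(path)
    directory = str(p.parent)
    if p.name.lower() == RANSOM_NOTE_NAME:
        return {"kind": "ransom_note", "directory": directory}
    marker = p.suffix.lower()
    if marker in APPENDED_EXTENSIONS:
        # The marker is appended, so the original extension is the stem's suffix.
        original_ext = PurePosixPath(p.stem).suffix.lower()
        return {
            "kind": "encrypted",
            "directory": directory,
            "marker": marker,
            "original_ext": original_ext,
            "targeted": original_ext in TARGETED_EXTENSIONS,
        }
    return {"kind": "clean", "directory": directory}


def summarize(paths):
    """Aggregate indicator counts overall and per directory."""
    per_dir = defaultdict(lambda: {"total": 0, "encrypted": 0, "note": False})
    markers = Counter()
    original_exts = Counter()
    notes = 0
    for path in paths:
        info = classify_path(path)
        stats = per_dir[info["directory"]]
        stats["total"] += 1
        if info["kind"] == "ransom_note":
            notes += 1
            stats["note"] = True
        elif info["kind"] == "encrypted":
            stats["encrypted"] += 1
            markers[info["marker"]] += 1
            original_exts[info["original_ext"]] += 1
    return {
        "ransom_notes": notes,
        "encrypted_files": sum(markers.values()),
        "markers": dict(markers),
        "original_extensions": dict(original_exts),
        "directories": dict(per_dir),
    }


def flagged_directories(summary, min_ratio=0.5):
    """Directories holding a ransom note, or where at least min_ratio of the
    files carry an appended marker (min_ratio is an assumed triage threshold)."""
    flagged = []
    for directory, stats in summary["directories"].items():
        ratio = stats["encrypted"] / stats["total"]
        if stats["note"] or ratio >= min_ratio:
            flagged.append(directory)
    return sorted(flagged)


if __name__ == "__main__":
    result = summarize(SAMPLE_PATHS)
    print(result["ransom_notes"], "ransom notes;", result["encrypted_files"], "encrypted files")
    print("markers:", result["markers"])
    print("flagged:", flagged_directories(result))
```

On a real case the path list would come from a directory walk or a forensic image's file table; the per-directory ratio is what separates a single renamed file from the mass renaming a ransomware run leaves behind, and the recovered original extensions show which of the targeted file types were hit.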