

Blower is a ransomware strain that belongs to the Djvu family. It is similar to other variants such as CryptoID888 and Cosanostra.

Payload

Transmission

The payload is usually delivered through illegal software cracks and key generators, typically downloaded from torrent sites.

Infection

Blower encrypts files with the AES cipher and appends the .blower extension to each one. The encryption run usually takes only a few seconds, so victims have little chance to interrupt it. Databases, documents, pictures, and other data become inaccessible, and a _readme.txt note explains what happened and demands a ransom in Bitcoin for the decryption tool: $980, discounted to $490 if the victim makes contact within 72 hours of the infection.

Blower targets user-generated files, including those with the following extensions:

.jpg, .jpeg, .raw, .tif, .tiff, .gif, .png, .bmp, .3dm,
.max, .accdb, .db, .dbf, .mdb, .pdb, .sql, .dwg,
.dxf, .cpp, .cs, .h, .php, .asp, .rb, .java, .jar,
.class, .py, .js, .aaf, .aep, .aepx, .plb, .prel,
.prproj, .aet, .ppj, .psd, .indd, .indl, .indt, .indb,
.inx, .idml, .pmd, .xqx, .ai, .eps, .ps, .svg,
.swf, .fla, .as3, .as, .txt, .doc, .dot, .docx, .docm,
.dotx, .dotm, .docb, .rtf, .wpd, .wps, .msg, .pdf, .xls,
.xlt, .xlm, .xlsx, .xlsm, .xltx, .xltm, .xlsb, .xla,
.xlam, .xll, .xlw, .ppt, .pot, .pps, .pptx, .pptm, .potx, .potm,
.ppam, .ppsx, .ppsm, .sldx, .sldm, .wav, .mp3, .aif, .iff,
.m3u, .m4u, .mid, .mpa, .wma, .ra, .avi, .mov,
.mp4, .3gp, .mpeg, .3g2, .asf, .asx, .flv, .mpg,
.wmv, .vob, .m3u8, .dat, .csv, .efx, .sdf, .vcf,
.xml, .ses, .qbw, .qbb, .qbm, .qbi, .qbr, .cnt,
.des, .v30, .qbo, .ini, .lgb, .qwc, .qbp,
.qba, .tlg, .qbx, .qby, .1pa, .qpd, .set,
.iif, .nd, .rtp, .qsm, .qss, .qst, .fx0,
.fx1, .mx0, .fpx, .fxr, .fim, .ptb, .pfb, .cgn,
.vsd, .cdr, .cmx, .cpt, .csl, .cur, .dsf, .ds4,
.drw, .prn, .pcd, .pct, .pcx, .plt,
.rif, .tga, .psp, .ttf, .wpg,
.wi, .wmf, .cal, .cpx, .shw, .clk, .cdx, .cdt,
.fmv, .img, .gem, .xcf, .pic, .mac, .met, .pp4, .pp5,
.ppf, .nap, .pat, .sct, .wk3, .wk4, .xpm,
.zip, .rar.

Once encryption finishes, a ransom note named _readme.txt is dropped into every folder on the machine. The Blower ransom message reads as follows:

ATTENTION!
Do not worry my friend, you can return all your files!
All your files are encrypted with the unique key.
Decrypt tool for you. This software will decrypt all your encrypted files.
What guarantees you have?
You can send your PC and we decrypt it for free.
But we can decrypt only 1 file for free. File must not contain valuable information.
You can get a video of the decrypt tool: https://we.tl/t-1aaC7npeV9
Price is $ 980.
Discount 50% available if you contact us first 72 hours, that's price for you is $ 490.
Please note that you never restore your data without payment.
Check your e-mail address if you don't get it more than 6 hours.
E-mail:
blower@india.com
Reserve e-mail address to contact us:
blower@firemail.cc
Your personal ID:
030GHsgdfT7878YsY9gsafL ***
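The indicators described on this page (the appended .blower extension, a _readme.txt note in each affected folder, and the two contact addresses in the note) can be turned into a simple host triage script. The Python below is an added example, not code from this page or from any security vendor. The directory layout, file names, note wording and the victim ID it builds in make_sample_tree() are constructed for the demonstration; the only indicators it relies on are the extension, the note file name and the two e-mail addresses quoted above.

```python
"""Filesystem triage for a suspected Blower (Djvu/STOP family) infection.

Added example, not code from the wiki page or from any vendor tool. It
checks the indicators the page describes: files carrying the appended
".blower" extension and a _readme.txt note in every affected folder.
The directory layout, file names, note text and victim ID produced by
make_sample_tree() are constructed for this demonstration.
"""
import os
import re
import tempfile
from collections import Counter
from pathlib import Path

APPENDED_EXT = ".blower"   # appended after the original extension
NOTE_NAME = "_readme.txt"  # ransom note dropped per folder

# Contact addresses quoted in the page's copy of the note.
KNOWN_CONTACTS = {"blower@india.com", "blower@firemail.cc"}

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
ID_RE = re.compile(r"Your personal ID:\s*(\S+)", re.IGNORECASE)


def original_name(name: str) -> str:
    """'invoice.pdf.blower' -> 'invoice.pdf'. The extension is appended, not replaced."""
    return name[: -len(APPENDED_EXT)] if name.endswith(APPENDED_EXT) else name


def parse_note(text: str) -> dict:
    """Pull contact e-mails and the victim ID out of a ransom note body."""
    emails = sorted(set(EMAIL_RE.findall(text)))
    match = ID_RE.search(text)
    return {
        "emails": emails,
        "known_contact": any(e in KNOWN_CONTACTS for e in emails),
        "personal_id": match.group(1) if match else None,
    }


def triage(root) -> dict:
    """Walk `root` and summarise the Blower indicators found under it."""
    root = Path(root)
    encrypted, by_ext, notes = [], Counter(), {}
    dirs_with_encrypted, dirs_with_note = set(), set()
    for dirpath, _dirs, files in os.walk(root):
        rel_dir = Path(dirpath).relative_to(root).as_posix()
        for name in files:
            full = Path(dirpath) / name
            rel_path = full.relative_to(root).as_posix()
            if name == NOTE_NAME:
                dirs_with_note.add(rel_dir)
                notes[rel_path] = parse_note(full.read_text(errors="replace"))
            elif name.endswith(APPENDED_EXT):
                dirs_with_encrypted.add(rel_dir)
                encrypted.append(rel_path)
                # Normalise case so "holiday.PNG.blower" counts as .png
                by_ext[Path(original_name(name)).suffix.lower()] += 1
    return {
        "encrypted_files": sorted(encrypted),
        "by_original_ext": dict(by_ext),
        "notes": notes,
        # The page says every folder gets a note; folders that break that
        # pattern deserve a closer look (interrupted run, or another strain).
        "folders_without_note": sorted(dirs_with_encrypted - dirs_with_note),
    }


# Constructed note: wording follows the page's copy, the ID is a placeholder.
SAMPLE_NOTE = """ATTENTION!
Do not worry my friend, you can return all your files!
E-mail:
blower@india.com
Reserve e-mail address to contact us:
blower@firemail.cc
Your personal ID:
TESTID0000000000000000
"""


def make_sample_tree() -> str:
    """Build a throwaway tree that mimics a partial infection (constructed data)."""
    root = Path(tempfile.mkdtemp(prefix="blower-triage-"))
    layout = {
        "docs": ["report.docx.blower", NOTE_NAME],
        "photos": ["cat.jpg.blower", "holiday.PNG.blower", "viewer.exe", NOTE_NAME],
        "code": ["main.py.blower"],  # encrypted, but no note was dropped
    }
    for folder, names in layout.items():
        (root / folder).mkdir()
        for name in names:
            (root / folder / name).write_text(SAMPLE_NOTE if name == NOTE_NAME else "x")
    return str(root)


if __name__ == "__main__":
    import json
    print(json.dumps(triage(make_sample_tree()), indent=2))
```

Run directly, the script prints a JSON summary of the constructed tree. On a real host, point triage() at the data drive instead: the per-extension counts confirm whether the hit set matches the file types listed above, the known-contact flag ties the note to this family rather than a look-alike, and any entry in folders_without_note marks a directory where the encryption run did not behave as the page describes.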