ChaCha is a file-encrypting threat that uses two different ciphers (RSA + ChaCha20) to lock targeted data. The malicious activities of this cyber threat were spotted in the first half of May.



ChaCha ransomware is a very dangerous threat that is difficult to deal with because of the way it operates. It is mostly distributed through bundled free third-party programs, spam emails, suspicious websites, shareware and other tricks.


Once files are encrypted, the ChaCha virus appends an extension made up of random characters. The ransomware also applies the marker 0x66116166 to each encrypted file. Afterwards, the malware displays a ransom message named DECRYPT-FILES.html on the screen.
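As a triage aid for the two indicators described above (the DECRYPT-FILES.html note and the 0x66116166 marker), the following added example, which is not part of the original page, scans a directory tree for both. The page does not say where in a file the marker is written or in which byte order, so the 64-byte window and the two encodings are assumptions, and the sample files are constructed.

```python
import struct
import tempfile
from pathlib import Path

MARKER = 0x66116166               # marker value reported on this page
NOTE_NAME = "DECRYPT-FILES.html"  # ransom note name reported on this page
WINDOW = 64  # assumption: the marker sits within the first or last 64 bytes
# The page gives no byte order, so both encodings of the marker are searched.
PATTERNS = (struct.pack("<I", MARKER), struct.pack(">I", MARKER))


def has_marker(path, window=WINDOW):
    """True if either encoding of MARKER is in the first or last `window` bytes."""
    with open(path, "rb") as fh:
        head = fh.read(window)
        fh.seek(max(path.stat().st_size - window, 0))
        tail = fh.read(window)
    return any(p in head or p in tail for p in PATTERNS)


def triage(root):
    """Walk `root`; return (ransom-note paths, marked-file paths), relative to root."""
    notes, marked = [], []
    for path in sorted(p for p in Path(root).rglob("*") if p.is_file()):
        try:
            if path.name.lower() == NOTE_NAME.lower():
                notes.append(str(path.relative_to(root)))
            elif has_marker(path):
                marked.append(str(path.relative_to(root)))
        except OSError:
            pass  # unreadable file: skip it and keep scanning
    return notes, marked


def demo():
    """Scan a constructed sample tree (synthetic bytes, not real ChaCha output)."""
    with tempfile.TemporaryDirectory() as root:
        samples = {
            "report.docx.x7k2q": b"\x00" * 200 + PATTERNS[0],  # marker in the tail
            "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x11" * 200,    # clean file
            NOTE_NAME: b"<html>constructed note</html>",
        }
        for name, data in samples.items():
            Path(root, name).write_bytes(data)
        return triage(root)


if __name__ == "__main__":
    print(demo())
```

A four-byte pattern can occur by chance in unrelated files, so a hit is a lead to confirm against the random extension and the presence of the note, not proof of encryption.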

ChaCha targets English-speaking people, since its ransom message is written in English. English is the leading language worldwide, so it is the easiest language for the crooks to use when communicating with their victims. Take a closer look at the ransom-demanding message:

Attention! Your documents, photos, databases, and other important files have been encrypted! 
Buy your private key from us. 
It can be decrypt. 
Order to the receive with In the the private key contact us Via email:  
the Remember to hurry up closeup, as with the your email address may not the BE avaliable for very long. 
The key Buying immediatly will guarantee that 100% of your files will be restored.
Below you will see a big blob base64, you will need to email us. 
you can click on it, it will be copied into the clipboard. 
If you have troubles copying it, you are currently reading, as an attachment. 
M1ihuItJFJtvKrKaMGxt1UtaJoSTHI5dLA ***


New ChaCha Ransomware randomly adds extensions! Demonstration of attack video review

ChaCha demonstration by GrujaRS
