El is an encryption ransomware trojan, which criminals use to take the victims' files hostage to demand a ransom payment. The El Ransomware was first reported on October 27th, 2018.

Payload

Transmission

El is distributed through corrupted spam email attachments. The attachment is typically a PDF or DOCX file carrying an embedded macro script that downloads and installs the El Ransomware onto the victim's computer.

Infection

Once installed, El uses AES-256 encryption to make the victim's files inaccessible. Once the files are encrypted, they cannot be decrypted without the decryption key, which only the criminals hold. Attacks like the El Ransomware typically target user-generated files, which may cover a wide variety of file types, including files with the following extensions:

.jpg, .jpeg, .raw, .tif, .gif, .png, .bmp, .3dm, .max, .accdb, .db, .dbf, .mdb, .pdb, .sql, .dwg, .dxf, .cpp, .cs, 
.h, .php, .asp, .rb, .java, .jar, .class, .py, .js, .aaf, .aep, .aepx, .plb, .prel, .prproj, .aet, .ppj, .psd, 
.indd, .indl, .indt, .indb, .inx, .idml, .pmd, .xqx, .xqx, .ai, .eps, .ps, .svg, .swf, .fla, .as3, .as, .txt, .doc, 
.dot, .docx, .docm, .dotx, .dotm, .docb, .rtf, .wpd, .wps, .msg, .pdf, .xls, .xlt, .xlm, .xlsx, .xlsm, .xltx, .xltm, 
.xlsb, .xla, .xlam, .xll, .xlw, .ppt, .pot, .pps, .pptx, .pptm, .potx, .potm, .ppam, .ppsx, .ppsm, .sldx, .sldm, .wav, 
.mp3, .aif, .iff, .m3u, .m4u, .mid, .mpa, .wma, .ra, .avi, .mov, .mp4, .3gp, .mpeg, .3g2, .asf, .asx, .flv, .mpg, 
.wmv, .vob, .m3u8, .dat, .csv, .efx, .sdf, .vcf, .xml, .ses, .qbw, .qbb, .qbm, .qbi, .qbr, .cnt, .des, .v30, .qbo, 
.ini, .lgb, .qwc, .qbp, .aif, .qba, .tlg, .qbx, .qby, .1pa, .qpd, .txt, .set, .iif, .nd, .rtp, .tlg, .wav, .qsm, 
.qss, .qst, .fx0, .fx1, .mx0, .fpx, .fxr, .fim, .ptb, .ai, .pfb, .cgn, .vsd, .cdr, .cmx, .cpt, .csl, .cur, .des, 
.dsf, .ds4, .drw, .eps, .ps, .prn, .gif, .pcd, .pct, .pcx, .plt, .rif, .svg, .swf, .tga, .tiff, .psp, .ttf, .wpd, 
.wpg, .wi, .raw, .wmf, .txt, .cal, .cpx, .shw, .clk, .cdx, .cdt, .fpx, .fmv, .img, .gem, .xcf, .pic, .mac, .met, 
.pp4, .pp5, .ppf, .nap, .pat, .ps, .prn, .sct, .vsd, .wk3, .wk4, .xpm, .zip, .rar.

El will add the file extension '.WAND' to each affected file's name. El delivers its ransom note in the form of a text file named 'About .WAND unlocking instructions.txt,' which is dropped on the infected computer's desktop. The affected PC's desktop also will have its wallpaper image changed into the logo of Anonymous. The victim of the attack will receive the following ransom message, delivered by El:

Many files from the downloads and Documents have been encrypted, follow the instructions if you want to 
recover them.
-send an e-mail to: gktlc5a@protonmail.com and hackcwand@protonmail.com
-Deposit the money in the account provided in our e-mail response.
-input the password you recieve after payment has been made.
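The two host-based indicators the page gives for an El infection are files renamed with the appended '.WAND' extension and the ransom note 'About .WAND unlocking instructions.txt' dropped on the desktop. The following Python script is an added triage example written for this page (it is not code from the ransomware or from any analysis tool): it walks a directory tree, counts '.WAND' files, recovers each file's original extension to see whether it belongs to the targeted list above, and reports whether the note is present. The directory it scans is a constructed throwaway tree built in a temp folder, and the targeted-extension set is a small subset of the page's list chosen for the demonstration.

```python
import os
import tempfile
from pathlib import Path

# Indicators taken from the page: appended extension and ransom note file name.
WAND_SUFFIX = ".WAND"
NOTE_NAME = "About .WAND unlocking instructions.txt"

# Small subset of the page's targeted extensions (constructed subset for the example).
TARGETED_EXTENSIONS = {".jpg", ".png", ".docx", ".xlsx", ".pdf", ".txt", ".sql", ".zip"}


def scan_tree(root):
    """Walk root and return (list of .WAND files, list of ransom note paths)."""
    encrypted = []
    notes = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            if name == NOTE_NAME:
                notes.append(path)
            elif name.endswith(WAND_SUFFIX):
                encrypted.append(path)
    return encrypted, notes


def original_extension(path):
    """Strip the appended .WAND suffix and return the file's original extension."""
    stem = str(path)[: -len(WAND_SUFFIX)]
    return Path(stem).suffix.lower()


def assess(root):
    """Summarise the El/.WAND indicators found under root."""
    encrypted, notes = scan_tree(root)
    hits = [p for p in encrypted if original_extension(p) in TARGETED_EXTENSIONS]
    return {
        "encrypted_count": len(encrypted),
        "targeted_type_count": len(hits),
        "note_found": bool(notes),
        "note_paths": [str(n) for n in notes],
        "verdict": "WAND indicators present" if (encrypted or notes) else "clean",
    }


def build_sample_tree(infected=True):
    """Construct a throwaway directory mimicking a user folder, optionally post-infection.

    All files here are constructed placeholders; no real encrypted content is involved.
    """
    root = Path(tempfile.mkdtemp(prefix="wand_demo_"))
    (root / "Documents").mkdir()
    (root / "notes.md").write_text("untouched file")
    if infected:
        (root / "Documents" / "report.docx.WAND").write_bytes(b"\x00" * 16)
        (root / "Documents" / "budget.xlsx.WAND").write_bytes(b"\x00" * 16)
        (root / "photo.jpg.WAND").write_bytes(b"\x00" * 16)
        (root / NOTE_NAME).write_text("ransom note placeholder (constructed)")
    return root


if __name__ == "__main__":
    print(assess(build_sample_tree(infected=True)))
    print(assess(build_sample_tree(infected=False)))
```

Run it against a real path by replacing the call to build_sample_tree with the folder to check (Downloads and Documents, per the note's own wording). The original-extension check matters for triage: a '.WAND' file whose stripped name has no recognised extension is still reported in encrypted_count, but only files of the types the page lists are counted as targeted hits.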