

EncryptedServer2018 is ransomware that runs on Microsoft Windows. It is aimed at English-speaking users.

Payload

Transmission

EncryptedServer2018 is distributed by attackers who break in through an insecure RDP configuration. It can also be spread by email spam and malicious attachments, fraudulent downloads, exploits, web injects, fake updates, and repackaged and infected installers.

Infection

EncryptServer2018 will target a wide variety of file types, including images, videos, music and numerous others. The file types below are examples of the files that may be at risk in infections like EncryptServer2018:

.3dm, .3g2, .3gp, .7zip, .aaf, .accdb, .aep, 
.aepx, .aet, .ai, .aif, .as, .as3, .asf, 
.asp, .asx, .avi, .bmp, .c, .class, .cpp, 
.cs, .csv, .dat, .db, .dbf, .doc, .docb, 
.docm, .docx, .dot, .dotm, .dotx, .dwg, 
.dxf, .efx, .eps, .fla, .flv, .gif, .h, 
.idml, .iff, .indb, .indd, .indl, .indt, 
.inx, .jar, .java, .jpeg, .jpg, .js, .m3u, 
.m3u8, .m4u, .max, .mdb, .mid, .mkv, .mov, 
.mp3, .mp4, .mpa, .mpeg, .mpg, .msg, .pdb, 
.pdf, .php, .plb, .pmd, .png, .pot, .potm, 
.potx, .ppam, .ppj, .pps, .ppsm, .ppsx, 
.ppt, .pptm, .pptx, .prel, .prproj, .ps, 
.psd, .py, .ra, .rar, .raw, .rb, .rtf, .sdf, 
.sdf, .ses, .sldm, .sldx, .sql, .svg, .swf, 
.tif, .txt, .vcf, .vob, .wav, .wma, .wmv, 
.wpd, .wps, .xla, .xlam, .xll, .xlm, .xls, 
.xlsb, .xlsm, .xlsx, .xlt, .xltm, .xltx, 
.xlw, .xml, .xqx, .xqx, .zip.

EncryptServer2018, like most other encryption ransomware Trojans, will delete the Windows Shadow Volume Copies and the System Restore points, with the goal of holding the victim's files hostage.

EncryptServer2018 will threaten the victims with the permanent loss of their data unless a ransom is paid. EncryptServer2018 will mark the files encrypted by the attack by adding the file extension '.2018' to the affected file's name and renaming the affected files following the pattern:

[32 RANDOM CHARS] ID [8 RANDOM CHARS].2018

EncryptServer2018 delivers a ransom note in a text file named 'Attention!!!!.txt', dropped onto the infected computer. The full text of the EncryptServer2018 ransom note reads:

Attention !!!
All your files on this server have been encrypted.
Write this ID in the title of your message
To restore the files need to write to us on e-mail: tornado_777@aol.com or BM-2cXXgKAo8HzUmijt8KMywZYHm8xDHhxwZg@bitmessage.ch
The price for restoration depends on how quickly you write to us.
After payment we will send you a decryption tool that will decrypt all your files.
GUARANTEES!!!
You can send us up to 3 files for free decryption.
-files should not contain important information
-and their total size should be less than 1 MB
HOW TO OBTAIN BITCOINS!!!
The easiest way to buy bitcoins is the LocalBitcoins website.
You need to register, click "Buy bitcoyne" and select the seller
by method of payment and price
https://localbitcoins.com/buy_bitcoins
IMPORTANT !!!
Do not rename encrypted files
Do not try to decrypt your data with third-party software, this can lead to permanent data loss!
Your ID [redacted]
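
A triage sketch for the rename pattern and ransom note file name described above, added here as an example and not part of the original page: it checks a file listing for both indicators and groups the hits by folder. The regular expression's character class, the literal " ID " separator, the function names and the sample paths are assumptions or constructed for illustration.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Assumption: the "random chars" contain no whitespace and " ID " is literal,
# spaces included, as the pattern on the page is written.
RENAMED = re.compile(r"\S{32} ID \S{8}\.2018", re.IGNORECASE)
NOTE_NAME = "attention!!!!.txt"  # ransom note file name given on the page


def classify(name):
    """Return 'renamed', 'note', 'ext-only' or None for a bare file name."""
    if RENAMED.fullmatch(name):
        return "renamed"
    if name.lower() == NOTE_NAME:
        return "note"
    if name.lower().endswith(".2018"):
        return "ext-only"  # right extension, wrong shape: lower confidence
    return None


def triage(paths):
    """Group hits per directory so responders can see how far the rename got."""
    report = defaultdict(lambda: {"renamed": 0, "note": False, "ext-only": 0})
    for raw in paths:
        p = PureWindowsPath(raw)
        kind = classify(p.name)
        if kind == "note":
            report[str(p.parent)]["note"] = True
        elif kind:
            report[str(p.parent)][kind] += 1
    return dict(report)


# Constructed sample listing (not taken from a real incident).
SAMPLE = [
    r"D:\Shares\Finance\Qm3xT9aLr0VbN7cKpW2dYs8HuJe5ZfG1 ID 4F9A2C7E.2018",
    r"D:\Shares\Finance\k8Rz1PqW6nXv3TbY9mLd0JsC4hGfU7aE ID 4F9A2C7E.2018",
    r"D:\Shares\Finance\Attention!!!!.txt",
    r"D:\Shares\HR\budget-fy.2018",
    r"D:\Shares\HR\handbook.pdf",
]

if __name__ == "__main__":
    for folder, hits in sorted(triage(SAMPLE).items()):
        print(folder, hits)
```

A folder that shows both renamed files and the note is a high-confidence hit; an "ext-only" match alone is more likely a legitimately named file and needs manual review.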