What is Artemis Ransomware?

StackZero, published in Nerd For Tech · Nov 21, 2022 · 5 min read

Maybe your antivirus launched an alarm saying that it found Artemis, but what is it?

I’m the author of the blog StackZero, and in this article I want to describe what Artemis ransomware is in an informative way.
Before proceeding, I want to give just a short introduction to ransomware.

What is Ransomware?

In a few words, ransomware is a type of malicious software (malware) that encrypts your files and holds them for ransom.

It usually displays a message on your screen that tells you how to pay the ransom and get your files back.

What are famous Ransomwares?

Some famous ransomware families include WannaCry, Petya, and Locky.

  • WannaCry is a ransomware crypto-worm that was discovered in May 2017. Its targets are computers running the Microsoft Windows OS. It encrypts users’ data and demands ransom payments in Bitcoin.
  • Petya is a ransomware crypto-worm that was discovered in 2016. It encrypts the master boot record to take control of the computer’s startup process and prevents Windows from booting.
  • Locky encrypts files on the victim’s computer, making them inaccessible. The ransom demanded for decrypting them has to be paid in cryptocurrency. It was discovered in February 2016.

What is PewPew Ransomware?

Before talking about the more recent Artemis, I want to talk about its dad: PewPew.
On the 15th of September GrujaRS announced on Twitter the discovery of a new ransomware: PewPew.

You can easily identify the infection because it renames files in this way:
.id-XXXXXXX.[pewpew@TuTa.io].abkir, where the string composed of Xs represents a unique victim id.

This ransomware also creates two files in the target directory:

  • info-decrypt.txt
  • info-decrypt.hta

It drops a ransom note which states that the encryption uses these algorithms:

  • AES-256
  • RSA-2048

It also states that the only way to decrypt them is with a decryption tool that can be purchased from PewPew’s developers.
Finally, this message provides two e-mail addresses to get instructions for the ransom payment, which has to be made in Bitcoin.

Now we are ready to understand Artemis!

What is Artemis Ransomware?

On the 18th of March 2021 S!Ri, a security researcher, tweeted about Artemis: a new variant of PewPew ransomware.

Artemis is very similar to its dad:

  • encrypts files
  • modifies their filenames
  • creates the info-decrypt.hta file

Artemis renames files in this way:

FILENAME-XXXXXX.[khalate@tutanota.com].artemis, where FILENAME is the name of the original file and the X string is the victim’s unique id.

And like its dad, it provides two e-mail addresses to contact the malware developers.
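The two rename patterns and the ransom-note file names above are the indicators a defender would actually look for on a suspect machine. As an added example (my own code, not from the article or from any vendor tool), here is a small Python script that walks a directory tree and flags files matching either the PewPew or the Artemis naming scheme, plus any info-decrypt.txt / info-decrypt.hta notes, and extracts the victim id from each hit. The regexes, the sample file names and the victim ids are constructed assumptions: the article does not state the exact length or alphabet of the id, so the patterns accept any alphanumeric run.

```python
import re
import tempfile
from pathlib import Path

# Rename patterns described in the article, written as regexes (my own construction):
#   PewPew  : <original>.id-XXXXXXX.[pewpew@TuTa.io].abkir
#   Artemis : <original>-XXXXXX.[khalate@tutanota.com].artemis
# The run of Xs is the per-victim id; its exact length/alphabet is not given
# in the article, so any alphanumeric run is accepted (assumption).
RENAME_PATTERNS = {
    "PewPew": re.compile(
        r"\.id-(?P<victim_id>[0-9A-Za-z]+)\.\[pewpew@tuta\.io\]\.abkir$", re.IGNORECASE),
    "Artemis": re.compile(
        r"-(?P<victim_id>[0-9A-Za-z]+)\.\[khalate@tutanota\.com\]\.artemis$", re.IGNORECASE),
}

# Ransom-note file names the article attributes to the family.
RANSOM_NOTE_NAMES = {"info-decrypt.txt", "info-decrypt.hta"}


def classify_filename(name):
    """Return (family, victim_id) if the file name matches a known rename pattern, else None."""
    for family, pattern in RENAME_PATTERNS.items():
        match = pattern.search(name)
        if match:
            return family, match.group("victim_id")
    return None


def scan_tree(root):
    """Walk a directory tree and collect indicators: renamed files, ransom notes, victim ids."""
    report = {"encrypted": [], "notes": [], "families": set(), "victim_ids": set()}
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        if path.name.lower() in RANSOM_NOTE_NAMES:
            report["notes"].append(str(path))
            continue
        hit = classify_filename(path.name)
        if hit is not None:
            family, victim_id = hit
            report["encrypted"].append((str(path), family))
            report["families"].add(family)
            report["victim_ids"].add(victim_id)
    return report


# Constructed sample file names (not real samples); the victim ids are made up.
SAMPLE_FILES = [
    "docs/report.docx.id-1A2B3C4.[pewpew@TuTa.io].abkir",
    "docs/info-decrypt.hta",
    "finance/budget.xlsx-A1B2C3.[khalate@tutanota.com].artemis",
    "finance/readme.txt",   # untouched file, must not be flagged
    "photos/holiday.jpg",   # untouched file, must not be flagged
]


def build_sample_tree(root):
    """Create the constructed sample files (empty) under root."""
    for rel in SAMPLE_FILES:
        path = Path(root) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.touch()


def demo():
    """Build the sample tree in a temporary directory, scan it, and return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scan_tree(tmp)


if __name__ == "__main__":
    result = demo()
    for path, family in result["encrypted"]:
        print(f"[{family}] encrypted file: {path}")
    for path in result["notes"]:
        print(f"ransom note: {path}")
    print("victim ids seen:", sorted(result["victim_ids"]))
```

Run it against a real mount point instead of the constructed tree by calling scan_tree("/path/to/share"); a non-empty "families" set or any entry in "notes" is enough to confirm which variant you are dealing with, and the recovered victim id is what an incident responder would record before restoring from backup.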

The main differences, apart from the e-mail addresses and the names of the encrypted files, are in the ransom message.

In particular, they don’t talk about their encryption system, and they ask the victim to send 5 files to decrypt as proof that they have the decryption tool.

This is the message you would see:

All your files have been encrypted!

All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail: khalate@tutanota.com
Write this ID in the title of your message: XXXXXXXX

In case of no answer in 12 hours write us to this e-mail: khalate@protonmail.com

You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the tool that will decrypt all your files.

Free decryption as guarantee
Before paying you can send us up to 5 files for free decryption. The total size of files must be less than 4Mb (non archived), and files should not contain valuable information. (databases, backups, large excel sheets, etc.)

How to obtain Bitcoins
The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click ‘Buy bitcoins’, and select the seller by payment method and price.
https://localbitcoins.com/buy_bitcoins
Also you can find other places to buy Bitcoins and beginners guide here:

Attention!
  • Do not rename encrypted files.
  • Do not try to decrypt your data using third party software, it may cause permanent data loss.
  • Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

How to protect yourself!

This ransomware is mainly delivered through social engineering and malspam.

So the best defense is prevention and good cybersecurity awareness. However, in case of a successful attack, never pay the ransom: the best way to recover your files is to restore them from a backup. Always ask for professional help in these cases.

Conclusion

In conclusion, ransomware is a critical threat to businesses and individuals alike and, as I said, the best defense is prevention.
So being a bit paranoid can be a quality in the cybersecurity field!

If you like my work, feedback and a follow would be appreciated and can help me a lot to improve my content.

If you are interested in cybersecurity from a slightly more technical point of view, please visit my blog Stackzero.net.

If you want to subscribe to Medium, consider using my referral link; it’s no additional cost for you but would be a big help for me.
