Amazon Carding Ransomware–Threat In Detail
Amazon Carding is a Ransomware also named as “The Art of Amazon Carding.pdf.exe“. This crypto-virus is a variant of HiddenTear open-source project and is reported to encrypt files on the victim’s PC. After encrypting the files are locked with “. Locked” extension which means the files are no more accessible to users. Amazon Carding ransomware leaves a random note named as “READ_ME.txt” after encrypting the files and instructs user to contact with the authors via e-mail and get rest of the instructions on how to proceed with the payment process. In any such case, paying ransom is not recommended and users are urged to try restoring the files through other means.
|Name||Amazon Carding Ransomware|
|Description||Amazon Carding Ransomware encrypts files, videos, images and texts stored on the target PC and demand a ransom amount from users to decode the files.|
|Occurrence||spam mail attachments., exploit kits, malicious links and java script codes..|
|Possible Symptoms||The ransom note can be seen on desktop and other file directories and files could not be accessible.|
|Detection Tool||Download the Detection tool– To confirm attack of Amazon Carding Ransomware virus on your computer.|
Amazon Carding Ransomware is distributed through spam mail attachment as a malicious script containing the payloads of the malware which if executed by the user could install the threat onto the computer system. Many cyber-criminals uses spam techniques to trick users by heading the mail as any invoice or shipment. Other sources might include visiting infected websites containing java script codes, exploit kits and spam bots. As you open the document or click the link, the payloads of Amazon Carding Ransomware gets downloaded on the system and installed without any user’s permission. If the user open/execute this file on their device, then the virus gets installed and your PC will become infected with Amazon Carding file-encrypting Ransomware threat.
More about Amazon Carding Ransomware
Amazon Carding Ransomware is a file-encrypting program that is a variant of HiddenTear open-source project. The ransom note contains an image and in the left-bottom corner is written “Fsociety” but the malware researchers have found no relation with it. Once the ransomware is fully installed, it searches for important files on the victim’s PC and encrypts them AES encryption algorithm. The encrypted files gets .Locked extension. And further ask users to pay the ransom to get the decryption key and unlock the files.
The ransomware changes the windows Registry entries to launch each time the window’s starts and takes up huge system resources to encrypt the files. Amazon Carding Ransomware drops file named as READ_ME.txt.
The files contains the ransom note and instructions for users on how to contact the authors of the ransomware and get their files back.
The ransom Note says:
Your Computer has been infected by the Hidden-Tear.
One of the Most powerful Ransomwares Around.
Do NOT panic. Read the READ_ME.txt File on Your Desktop
And follow Instructions to restore Your Computers Files.
The ransom note is inside a file called READ_ME.txt and it reads the following:
Your computer has been LOCKED
Your personal files have been encrypted.
Send Exactly 0.00156 BTC to Wallet ID 19GNGp9DSxEfWVeczhjvqvk4qVWv1fX45B
Then Email Us at firstname.lastname@example.org to Let Us know.
You will need to state Your wallet ID to confirm Payment, After that We will supply You with the Decryption Key And tool.
With love… Hidden Tear Project :’)
The ransom note by Amazon Carding virus states that your documents has been encrypted and you need to pay a ransom in Bitcoins to get back your files. The ransom demands varies for the user and the victims should contact with the provided email address as soon as possible.
List of file extension encrypted
→.txt, .doc, .docx, .xls, .xlsx, .pdf, .pps, .ppt, .pptx, .odt, .gif, .jpg, .png, .db, .csv, .sql, .mdb.sln.php, .asp, .aspx, .html, .xml, .psd, .frm, .myd, .myi, .dbf, .mp3, .mp4, .avi, .mov, .mpg, .rm, .wmv, .m4a, .mpa, .wav, .sav, .gam, .log, .ged, .msg, .myo, .tax, .ynab, .ifx, .ofx, .qfx, .qif, .qdf, .tax2013, .tax2014, .tax2015, .box, .ncf, .nsf, .ntf, .lwp
Amazon Carding Ransomware uses AES encryption algorithm to encrypt data and appends random extensions to it. The crypto-malware ensures that the user could be able to recover the files from shadow volume copies, so it deletes the files by executing the command
→vssadmin.exe delete shadows /all /Quiet