‘.excuses File Extension’ Threat in Detail
‘.excuses File Extension’ is a ransomware threat that became active on April 2nd, 2018. The threat takes its name from the ‘.excuses’ file extension it appends to every file once encryption is complete.
‘.excuses File Extension’ is built on the HiddenTear open-source code project and is distributed through spam mail attachments and exploits. Once installed, it encrypts files of many types, including documents, images, videos, audio, PDFs and more.
The targeted extensions are:
.3gp, .7z, .apk, .avi, .bmp, .cdr, .cer, .chm, .conf, .css, .csv, .dat, .db, .dbf, .djvu, .dbx, .docm, .doc, .epub, .docx, .fb2, .flv, .gif, .gz, .iso, .ibooks, .jpeg, .jpg, .key, .mdb, .md2, .mdf, .mht, .mobi, .mhtm, .mkv, .mov, .mp3, .mp4, .mpg, .mpeg, .pict, .pdf, .pps, .pkg, .png, .ppt, .pptx, .ppsx, .psd, .rar, .rtf, .scr, .swf, .sav, .tiff, .tif, .tbl, .torrent, .txt, .vsd, .wmv, .xls, .xlsx, .xps, .xml, .ckp, .zip, .java, .py, .asm, .c, .cpp, .cs, .js, .php, .dacpac, .rbw, .rb, .mrg, .dcx, .db3, .sql, .sqlite3, .sqlite, .sqlitedb, .psp, .pdb, .dxf, .dwg, .drw, .casb, .ccp, .cal, .cmx, .cr2.
Once encryption is complete, the ‘.excuses’ extension is appended to each affected file. For example, ‘blackpanther.jpg’ is renamed to ‘blackpanther.jpg.excuses’. The encrypted files can no longer be opened by any media player or application.
‘.excuses File Extension’ Ransomware deletes the Volume Shadow Copies of the encrypted files and may also disable the Windows System Restore feature. The threat reboots the machine after the encryption process completes.
‘.excuses File Extension’ Ransomware drops a ransom note named ‘MESSAGE.txt’ on the desktop of the infected computer.
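As an added example (not code from the original write-up), the following Python triage script walks a directory and reports the two on-disk indicators described above: files carrying the ‘.excuses’ double extension and the ‘MESSAGE.txt’ note. The targeted-extension subset and the sample file tree are constructed here for demonstration.

```python
import os
import tempfile
from pathlib import Path

# Extension appended by the ransomware and the ransom note file name, both from the write-up.
ENCRYPTED_SUFFIX = ".excuses"
RANSOM_NOTE = "MESSAGE.txt"

# Subset of the targeted extension list in the write-up (assumption: case-insensitive match).
TARGETED = {".jpg", ".jpeg", ".doc", ".docx", ".pdf", ".xlsx", ".sql", ".zip", ".txt", ".py"}


def triage_directory(root):
    """Walk `root` and report '.excuses' indicators.

    Returns the encrypted file paths, the original extensions recovered from the
    double extension (e.g. 'photo.jpg.excuses' -> '.jpg'), how many of those are on
    the targeted list, and every ransom note found."""
    encrypted, notes, ext_counts = [], [], {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name == RANSOM_NOTE:
                notes.append(path)
            elif name.lower().endswith(ENCRYPTED_SUFFIX):
                encrypted.append(path)
                # Strip '.excuses' to get the original file name, then take its extension.
                original_ext = Path(name[: -len(ENCRYPTED_SUFFIX)]).suffix.lower()
                ext_counts[original_ext] = ext_counts.get(original_ext, 0) + 1
    return {
        "encrypted": sorted(encrypted),
        "original_extensions": ext_counts,
        "targeted_hits": sum(n for ext, n in ext_counts.items() if ext in TARGETED),
        "ransom_notes": sorted(notes),
        "infected": bool(encrypted) or bool(notes),
    }


def build_sample_tree():
    """Create a constructed sample tree mimicking a desktop after the infection."""
    root = tempfile.mkdtemp(prefix="excuses_demo_")
    for rel in ["blackpanther.jpg.excuses", "report.docx.excuses", "notes.txt",
                "sub/db.sql.excuses", "sub/archive.zip.excuses", RANSOM_NOTE]:
        p = Path(root, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"constructed sample content")  # contents are irrelevant to triage
    return root


if __name__ == "__main__":
    print(triage_directory(build_sample_tree()))
```

The untouched ‘notes.txt’ in the sample tree is deliberately not reported, so the script flags only files that actually carry the appended extension.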
The text in the ransom note appears as:
‘Приобрести декриптор можно до 02.04.2018
Запросить стоимость: firstname.lastname@example.org
В ТЕМЕ письма укажите ваш ID: [redacted numbers]
Письма без указания ID игнорируются.
Убедительная просьба не пытаться расшифровать файлы сторонними инструментами.
Вы можете их окончательно испортить и даже оригинальный декриптор не поможет.
Заявки обрабатываются автоматической системой.’
Translated into English:
‘You can buy the decryptor before 04/02/2018
To request the price: email@example.com
In the subject of the email, state your ID: [redacted numbers]
Emails without an ID are ignored.
Please do not try to decrypt the files with third-party tools.
You can ruin them for good, and then even the original decryptor will not help.
Requests are processed by an automated system.’
Victims of ‘.excuses File Extension’ Ransomware are instructed to contact the authors at the email address ‘firstname.lastname@example.org’. The authors then tell the victim how much ransom to pay to unlock the files. The ransom is to be paid in Bitcoin, transferred to the wallet address the authors provide.
Users are advised not to pay the ransom, as there is no evidence that victims get their files back after paying. It is therefore recommended to restore your files from backups and to remove ‘.excuses File Extension’ Ransomware from the infected computer promptly.
There is no guarantee that the authors will decrypt all the files after receiving payment. Security researchers therefore advise against paying the ransom to the authors of ‘.excuses File Extension’ and recommend removing the threat from the PC quickly. You can also try recovering your data from backups, if any exist, or with data recovery software.