April 19, 2023
At a glance, this ransomware has nothing that sets it apart from other ransomware variants aimed at individuals. Just like STOP/Djvu, it uses AES-256 to encrypt files, demands that the ransom be paid as soon as possible (otherwise the sum doubles), and does not touch your personal data. However, in addition to AES, VoidCrypt also uses the RSA cipher, which makes decryption practically impossible. Strictly speaking, that extra layer is not even needed: AES itself cannot be broken with widely available methods such as brute force or guessing.
Another thing that is more typical of corporation-oriented ransomware is the spreading method. Almost all ransomware families that target individual users rely on software from dubious sources as their distribution channel: the malicious code is hidden inside an application you download for free instead of buying it on the official website. VoidCrypt instead uses email spam to get onto users' computers. That method is quite effective against corporations, especially ones that do a lot of their communication through email. Against single users it works too, but much less well than the aforementioned dubious software.
| Field | Value |
|---|---|
| File pattern | `%file_name%.%original_extension%.[%contact_email%]` |
| Features | Oriented at individuals, but uses features more typical of corporation-oriented ransomware |
| Damage | Disables Volume Shadow Copies and Microsoft Defender |
| Distribution | Email spam, phishing |
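The file pattern in the table is the one artifact a defender can check for directly: every encrypted file keeps its original name and extension and gains a bracketed contact e-mail as a trailing suffix. The following Python is an added example, not code from the page or from the VoidCrypt authors; it parses file names that follow that scheme, rebuilds the original names for an inventory, and flags a directory listing once a chosen number of renamed files appear. The e-mail address, the paths and the flagging threshold are constructed for the example and are not indicators from the page.

```python
import re
from collections import Counter

# Regular expression for the VoidCrypt naming scheme the page describes:
#     <original name>.<original extension>.[<contact email>]
# The trailing "[email]" is the marker. The original name may itself contain
# dots, so the extension is anchored just before that marker.
VOIDCRYPT_NAME = re.compile(
    r"^(?P<stem>.+)\.(?P<ext>[^.\[\]]+)\.\[(?P<email>[^\[\]@\s]+@[^\[\]@\s]+)\]$"
)


def parse_encrypted_name(name):
    """Split a VoidCrypt-style file name into its parts.

    Returns a dict with 'stem', 'ext' and 'email' when `name` matches the
    pattern, or None when it does not (ordinary files, other extensions).
    """
    m = VOIDCRYPT_NAME.match(name)
    return m.groupdict() if m else None


def original_name(parsed):
    """Rebuild the pre-encryption file name from a parsed match."""
    return f"{parsed['stem']}.{parsed['ext']}"


def scan_listing(paths, threshold=3):
    """Look for VoidCrypt-renamed files in a list of full paths.

    `threshold` (an assumed value, not from the page) is the number of
    matching files at which the listing is flagged for triage.
    Returns a dict with the matching files, the contact e-mails seen and
    a boolean 'flagged'.
    """
    hits = []
    emails = Counter()
    for path in paths:
        # Accept both Windows and POSIX separators; only the base name matters.
        base = path.replace("\\", "/").rsplit("/", 1)[-1]
        parsed = parse_encrypted_name(base)
        if parsed is None:
            continue
        hits.append({"path": path, "original": original_name(parsed),
                     "email": parsed["email"]})
        emails[parsed["email"]] += 1
    return {"hits": hits, "emails": dict(emails), "flagged": len(hits) >= threshold}


# Constructed sample listing; the e-mail address and paths are made up.
SAMPLE_LISTING = [
    r"C:\Users\alice\Documents\report.docx.[restore.help@example.com]",
    r"C:\Users\alice\Documents\budget.xlsx.[restore.help@example.com]",
    r"C:\Users\alice\Pictures\holiday.2021.jpg.[restore.help@example.com]",
    r"C:\Users\alice\Documents\notes.txt",
    r"C:\Users\alice\Downloads\archive.tar.gz",
    r"C:\Users\alice\Desktop\todo[1].txt",
]

if __name__ == "__main__":
    result = scan_listing(SAMPLE_LISTING)
    for hit in result["hits"]:
        print(f"{hit['original']:<20} -> {hit['path']}")
    print("contact e-mails:", result["emails"])
    print("flagged:", result["flagged"])
```

The regex deliberately keeps the original extension in its own group, so a file such as `holiday.2021.jpg.[...]` is recovered as `holiday.2021.jpg` rather than losing part of its name; the contact e-mail count also tells an incident responder whether one or several RaaS "teams" touched the machine.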
A third thing that is unusual for ransomware like VoidCrypt is so-called ransom sum hiding. You cannot see the sum the fraudsters demand, only the threat that it will double if you do not pay the ransom within two days. The exact sum differs from one victim to another, so you never know how much the fraudsters will charge for your files. Since this ransomware, like many others, is distributed under a ransomware-as-a-service (RaaS) scheme, the ransom sums may differ simply because different "teams" distributed the same malware variant.
The VoidCrypt ransom note reads as follows:
'Your Files has Been Encrypted Your Files Has Been Encrypted with AES + RSA Algorithm If You Need Your Files You Have To Pay Decryption Price You can Send Some Little Files Less Than 1MB for Test (The Test Files Should not Contain valuable Data Like Databases Large Excel Sheets or Backups After 48 Hour Decryption Price Will be Doubled so You Better Contact us Before Times Up Using Recovery Tools or 3rd Party Application May cause Damage To Your Files And increase price The Steps You Should Do To Get Your Files Back: 1- Contact Email on Files And Send ID on The Files Then Do agreement on a Price 2- Send Some Files for Decryption Test ( Dont Pay to Anyone Else who is Not Able to Decrypt Your Test Files!) After Geting Test Files Pay The price in Bitcoin And Get Decryption Tool + RSA key Your Case ID : Our Email : *********@gmail.com In Case Of No Answer : *********@mail.ru and *************@protonmail.com.'
Based on the fact that one of the contact emails belongs to the @mail.ru domain, we can suppose that VoidCrypt originates in the Commonwealth of Independent States. Mail.ru is a social network that bundles many services and also offers email, with mailbox addresses in the @mail.ru domain. Less than 5% of its users come from English-speaking countries, so there is a very high chance that these crooks are hiding somewhere in Russia, Ukraine or Belarus.