The Cdaz virus is a ransomware strain belonging to the STOP family, a malware family known for malicious file encryption. Once the Cdaz virus gets into a system, it scans it for files such as photos, videos and documents. It encrypts each file and appends the “.cdaz” extension to it, making the files unusable without decryption.
About Cdaz virus
The Cdaz virus is a type of malware that encrypts your files and forces you to pay for their restoration. This ransomware encrypts many different file types. Encrypted files can be identified by the distinct “.cdaz” extension. Files touched by the ransomware become impossible to open and use.
After that, the ransomware demands a file decryption payment in Bitcoin from the victims, ranging from $490 to $980 depending on the time passed since the attack. Typically, the text file with ransom payment instructions is named “_readme.txt”.
Cdaz ransomware uses the Salsa20 encryption algorithm to scramble the contents of the targeted files. Since the Cdaz virus uses such a strong cipher, it is quite hard, if not impossible, to recover the decryption key without the assistance of the attackers.
Once Cdaz malware finishes the encryption, it shows a ransom note to the victim, demanding a ransom payment for the decryption key. The ransom note provides instructions on how to make the payment and often includes threats of a system wipeout or a ransom increase if the demands are not met within a specified timeframe.
Cdaz employs a unique key for every victim, with one exception:
If Cdaz fails to establish a connection with its command and control server (C&C server) before starting the encryption process, it uses an offline key. An offline key is not unique and is the same for all victims, which is what makes files encrypted with an offline key recoverable.
The Cdaz virus is highly similar to other DJVU ransomware samples such as Isak, Cdmx, Cdqw, and Lomx. This virus encrypts a wide range of common file types and appends its distinct “.cdaz” extension to every file. For instance, a file named “1.jpg” would be altered to “1.jpg.cdaz” and “2.png” to “2.png.cdaz”.
Upon successful encryption, the virus creates a text file named “_readme.txt” and places it in every folder containing encrypted files. It also drops the readme file on the desktop, so the victim will not miss it even without opening any folders.
Cdaz ransomware runs as a set of processes, each responsible for a certain task on the victim’s computer. One of the first to be launched is winupdate.exe, a deceptive process that shows a fake Windows update notification during the attack. Its purpose is to convince the victim that the sudden computer slowdown is caused by a Windows update.
Meanwhile, the ransomware runs another process (usually with a name of four random characters) that scans the PC for target files and encrypts them. Next, the ransomware deletes Volume Shadow Copies from the system with the following CMD command:
vssadmin.exe Delete Shadows /All /Quiet
Once they are removed, it becomes virtually impossible to restore the previous computer state using System Restore Points. In other words, the ransomware operators eliminate every built-in Windows mechanism that could help the victim recover files for free. In addition, the hackers modify the Windows HOSTS file by appending a list of domains that resolve to the localhost IP address. As a result, the victim will face a DNS_PROBE_FINISHED_NXDOMAIN error when trying to access one of the blacklisted websites.
The blocked domains are mostly websites that publish how-to guides for computer users. By blocking these specific domains, the crooks are trying to prevent the victim from reaching relevant and helpful information about the ransomware attack online. The malware also stores two text files on the victim’s computer that hold attack-related information: the victim’s public key and personal ID. These two files are named bowsakkdestx.txt and PersonalID.txt.
Even after all these modifications, the malware does not stop. Variants of STOP/DJVU have a tendency to deploy the Vidar password-stealing Trojan on compromised systems. This threat has an extensive list of capabilities, including:
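The host-side behaviour described above (the shadow-copy deletion command, the decoy winupdate.exe process and the HOSTS file sinkholing) is something a defender can check for in process telemetry and on disk. The following triage script is an added example and is not code from the original post; the process events and HOSTS file content it uses are constructed samples, and the hostnames in them are placeholders.

```python
import re
from typing import Dict, List

# Constructed sample process-creation events (the shape you would get from
# Sysmon Event ID 1 or EDR telemetry); not telemetry from a real incident.
SAMPLE_EVENTS = [
    {"image": "C:\\Windows\\explorer.exe", "cmdline": "explorer.exe"},
    {"image": "C:\\Users\\victim\\AppData\\Local\\winupdate.exe",
     "cmdline": "winupdate.exe"},
    {"image": "C:\\Windows\\System32\\vssadmin.exe",
     "cmdline": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"image": "C:\\Windows\\System32\\vssadmin.exe",
     "cmdline": "vssadmin.exe list shadows"},
]

# Constructed HOSTS file: the two default entries plus appended lines of the
# kind STOP/DJVU adds to sink websites at the loopback address.
SAMPLE_HOSTS = """# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1 example-howto-site.invalid
127.0.0.1 another-help-site.invalid
"""

# Matches the shadow-copy deletion command quoted on the page, case-insensitively.
VSSADMIN_DELETE = re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.IGNORECASE)
# Decoy updater process name from the page; a legitimate one would live under C:\Windows.
DECOY_IMAGES = {"winupdate.exe"}


def flag_process_events(events: List[Dict[str, str]]) -> List[str]:
    """Return one finding per event that matches STOP/DJVU behaviour."""
    findings = []
    for ev in events:
        name = ev["image"].rsplit("\\", 1)[-1].lower()
        if VSSADMIN_DELETE.search(ev["cmdline"]):
            findings.append(f"shadow-copy deletion: {ev['cmdline']}")
        elif name in DECOY_IMAGES and not ev["image"].lower().startswith("c:\\windows\\"):
            findings.append(f"decoy updater outside Windows dir: {ev['image']}")
    return findings


def sinkholed_hosts_entries(hosts_text: str) -> List[str]:
    """Return hostnames mapped to loopback other than the default 'localhost'."""
    hijacked = []
    for line in hosts_text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        ip, *names = line.split()
        if ip in ("127.0.0.1", "::1"):
            hijacked.extend(n for n in names if n.lower() != "localhost")
    return hijacked
```

On a live system the same two functions would be fed the exported process log and the contents of C:\Windows\System32\drivers\etc\hosts; any non-localhost loopback entry is a strong sign the HOSTS file was tampered with.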
- Infiltrating the victim’s computer with malware and executing it to gain unauthorized access.
- Obtaining unauthorized access to login credentials of Steam, Telegram, and Skype.
- Manipulating and viewing files on the victim’s computer without their knowledge.
- Stealing cryptocurrency wallets from the victim’s system.
- Granting the hackers remote control over the victim’s computer for various malicious activities.
- Extracting sensitive information such as browser cookies, saved passwords, and browsing history.
Obtaining the online decryption key by any other means is practically impossible. It is stored on a server controlled by the crooks who spread the Cdaz malware. The payment demanded for the decryption key is $980. To get the payment details, victims are told to contact the hackers by email (support@fishmail.top).
The ransom note states the following:
ATTENTION!
Don't worry, you can return all your files!
All your files like photos, databases, documents and other important are encrypted with strongest encryption and unique key.
The only method of recovering files is to purchase decrypt tool and unique key for you.
This software will decrypt all your encrypted files.
What guarantees you have?
You can send one of your encrypted file from your PC and we decrypt it for free.
But we can decrypt only 1 file for free. File must not contain valuable information.
You can get and look video overview decrypt tool:
https://we.tl/t-WJa63R98Ku
Price of private key and decrypt software is $980.
Discount 50% available if you contact us first 72 hours, that's price for you is $490.
Please note that you'll never restore your data without payment.
Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours.
To get this software you need write on our e-mail:
support@fishmail.top
Reserve e-mail address to contact us:
datarestorehelp@airmail.cc
Your personal ID:
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
To Remove and Decrypt Cdaz virus Visit: