If your documents, pictures, or files are encrypted with a [decrypthelper2020@protonmail.com].calix extension, then your computer is infected with the Calix ransomware.
Calix is a malicious program that encrypts files on the infected device or database. It is a variant of the Phobos ransomware family and was first found on October 3rd, 2019. The ransomware uses AES / RSA ciphers to lock victim data, tags files with a .[Victim ID].[decrypthelper2020@protonmail.com].calix extension, and leaves info.txt and info.hta ransom notes. These files contain instructions on how to obtain the file decryptor and pay the ransom.
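Because the renamed files and the two note names are the most recognisable indicators of this infection, a defender triaging a suspect share can simply look for them. The script below is an added example, not code from this page or from any vendor: it builds a constructed directory that imitates an infected share, then reports every file following the .[Victim ID].[contact email].calix scheme together with any info.txt or info.hta notes, and collects the contact addresses embedded in the file names. The victim ID format, the sample file names and the dummy file contents are assumptions made for the demonstration.

```python
import re
import tempfile
from pathlib import Path

# Naming scheme for files encrypted by Calix, as described above:
#   <original name>.[<victim ID>].[<contact email>].calix
# The victim ID is matched loosely (anything except ']') because the page
# only gives the placeholder "[Victim ID]"; that looseness is an assumption.
CALIX_NAME_RE = re.compile(
    r"\.\[(?P<vid>[^\]]+)\]\.\[(?P<email>[^\]]+@[^\]]+)\]\.calix$",
    re.IGNORECASE,
)

# Ransom note file names reported for this family.
RANSOM_NOTE_NAMES = {"info.txt", "info.hta"}


def parse_calix_name(name):
    """Return (victim_id, contact_email) if `name` follows the Calix scheme, else None."""
    m = CALIX_NAME_RE.search(name)
    if not m:
        return None
    return m.group("vid"), m.group("email")


def scan_tree(root):
    """Walk `root` and collect indicators: renamed files, ransom notes,
    and the victim IDs / contact addresses embedded in the file names."""
    report = {"encrypted": [], "notes": [], "contact_emails": set(), "victim_ids": set()}
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        rel = str(path.relative_to(root))
        if path.name.lower() in RANSOM_NOTE_NAMES:
            report["notes"].append(rel)
            continue
        parsed = parse_calix_name(path.name)
        if parsed:
            vid, email = parsed
            report["encrypted"].append(rel)
            report["victim_ids"].add(vid)
            report["contact_emails"].add(email.lower())
    return report


def build_sample_tree(root):
    """Create a constructed layout imitating an infected share (assumed names).
    Contents are dummy bytes; nothing here is real ransomware output."""
    root = Path(root)
    docs = root / "docs"
    docs.mkdir(parents=True, exist_ok=True)
    email = "decrypthelper2020@protonmail.com"
    (docs / f"budget.xlsx.[ABCD1234].[{email}].calix").write_bytes(b"\x00" * 16)
    (docs / f"photo.jpg.[ABCD1234].[{email}].calix").write_bytes(b"\x00" * 16)
    (docs / "info.txt").write_text("All your files have been encrypted!\n")
    (root / "info.hta").write_text("<html></html>\n")
    (docs / "untouched.txt").write_text("still readable\n")
    # Lookalike that must NOT match: .calix without the bracketed ID/email parts.
    (docs / "notes.calix").write_text("not the ransomware scheme\n")
    return root


def run_demo():
    """Build the sample tree in a temporary directory, scan it, return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scan_tree(tmp)


if __name__ == "__main__":
    r = run_demo()
    print(f"{len(r['encrypted'])} encrypted file(s), {len(r['notes'])} ransom note(s)")
    print("victim IDs seen:", ", ".join(sorted(r["victim_ids"])))
    print("contact addresses seen:", ", ".join(sorted(r["contact_emails"])))
    for f in r["encrypted"]:
        print("  encrypted:", f)
```

Pointing `scan_tree` at a real share instead of the temporary directory gives a quick inventory of how far the encryption spread and which contact address was used, which is the information an incident responder needs before deciding what to restore from backup.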
Once installed, the malicious program encrypts all servers, records, images, programs and other files in order to prevent the user from accessing them again. The program is intended to frustrate the user, because files with the .calix extension can no longer be opened.
The virus then shows a message from the attackers: the ransomware opens the info.hta file on screen, saying "All your files have been encrypted!".
The following lines instruct the victim to contact the cyber criminals through the email provided, decrypthelper2020@protonmail.com, specifying the ID in the title of the message. If no response is received within 24 hours, the offenders suggest contacting them at patern32@protonmail.com instead. The cybercriminals demand a cryptocurrency ransom in Bitcoin. They offer to decrypt up to 5 files for free to show that the Calix decryptor exists and is fully functional.
It is incredibly important to note, however, that even if you eventually decide to pay up, the offenders may still refuse to send you the decryption tools and simply forget about you. All they care about is money, and a flow of money is all they expect when they infect your system. If your files are infected with this variant of Phobos ransomware and you can see the extension listed on your files without opening them, then the Calix ransomware virus must undoubtedly be removed first.
Threat Summary

| Field | Value |
|---|---|
| Name | Calix ransomware virus |
| Type | Ransomware (Phobos variant) |
| File extensions added | [victim's ID].[contact email].calix |
| Ransom note | info.txt and info.hta |
| Damage | Data loss: cannot open any files with the .calix file extension |
| Distribution methods | Hacked RDP connections, malicious emails, compromised downloads from the web |
| Removal | The malicious program can be removed; encrypted/affected files can't be decrypted. |
There is no decryption tool available for the
[decrypthelper2020@protonmail.com].calix ransomware. However, you can try
to search these sites for updates:
- https://id-ransomware.malwarehunterteam.com/
- https://decrypter.emsisoft.com/
- https://noransom.kaspersky.com/
- https://www.avast.com/ransomware-decryption-tools
What can I do now?
There are a few points you should understand and focus on now. If you have been hit by Calix, there is no way you can decrypt your affected data on your own. You can minimize the damage by doing the following.
- The first thing you can do in order to minimize the damage is to isolate your network. Cut the internet connection and disable all outside connections.
- Check that you have up-to-date anti-virus software installed. Run a full system/network scan on all your machines. The main thing is to remove any suspicious/malicious program that is trying to affect/encrypt your files. Contact your antivirus provider and ask for assistance specific to ransomware attacks. Try using an antivirus product that specifically provides defence against ransomware attacks.
- If you have a backup of your data, you are safe. You can restore your data, or bring back an older working state of your systems, using backups or backup images.
- Older OS versions (Windows XP, Windows 7) are the most vulnerable to being affected by this ransomware. It is recommended to use the latest software/operating systems that are still supported by their providers.
- NEVER USE REMOTE DESKTOP (RDP) TO ACCESS YOUR NETWORK FROM OUTSIDE WITHOUT A PRIVATE NETWORK (VPN). Check this Remote desktop vulnerability
- If you think that your network domain has been compromised, then it's better to bin your current domain and build a new one. Once a hacker has admin access to your domain, there is very little you can do to secure your network, since that access gives them full power over it.
- DO NOT CLICK ON ANY LINKS RECEIVED IN SUSPICIOUS EMAILS. If you are using Gmail or Office365 as your mail provider for work, you may receive spam/phishing emails which seem to come from Gmail or Microsoft, often claiming that your account has been compromised or deleted and that you should contact the administrator by clicking the link; such links actually deliver these viruses. Contact your IT administrator and do not take any action on your own.
By adopting these good practices, you can save yourself from such ransomware attacks. If you have any information about the decryption of this ransomware, please share it with us.
2 comments:
Heard about this one. Looks even worse than Petya/WannaCry. No decryptor available at this moment ;(