
Afrodita

From Malware Wiki
Type: Ransomware, Trojan
Creator: Afrodita Team
Date: January 9th, 2020
Platform: Microsoft Windows
Filetype: Win32 PE executable (.EXE)
Alias(es): Ransom.Afrodita (Malwarebytes)
MD5: d4b946b51dc21709f87a1a943ad7cbe3
SHA1: 8c2a1c67493eff3990ab30862e094c34e6821eea
SHA256: 9b6681103545432cd1373492297a6a12528f327d14a7416c2b71cfdcbdafc90b
SSDEEP: 6144:EXrm0zIiAhjC7Cqa5ZhiIJDQ13Xdksm1Cx2tJk:EbNQaCq6iIJcdksmJtJ
Authentihash: f71115971c95a6c655337f4e91ebd3f22de3d76f00630a82e596b64390b175e4
IMPhash: 69b71f038c216af41c1e2e5852fadafb

Afrodita is ransomware that runs on Microsoft Windows. It was discovered by S!Ri. It is part of the LockerGoga family. It is aimed at English-speaking users.

Payload

Transmission

Afrodita is distributed through email spam campaigns. The emails carry malicious MS Excel documents designed to install the ransomware; the document can only do so if the recipient grants it permission by enabling macros (editing), after which it starts the installation of Afrodita.

It can also be spread through insecure RDP configurations, deceptive downloads, botnets, exploits, malicious ads, web injects, fake updates, and repackaged or infected installers.

Infection

It encrypts data with the AES-256 and RSA-2048 encryption algorithms. It also drops a ransom note, the text file "__README_RECOVERY_.txt", which contains instructions on how to contact the cyber criminals for information on paying the ransom (buying a decryption tool and key).

To prove that the developers of Afrodita can help victims decrypt their files, they offer free decryption of one file. Victims can send it to them through Telegram (hxxps://t.me/RecoverySupport) or the afroditateam@tutanota.com or afroditasupport@mail2tor.com email addresses. The cyber criminals behind this ransomware claim that to recover the rest of the encrypted files, victims have to pay a ransom and wait for a decryption tool and/or key. According to them, it is the only way to get the files back. Unfortunately, that is true: like many programs of this type, Afrodita encrypts files with strong encryption algorithms that are impossible to 'crack'. In other words, the only way to decrypt the files is with the right decryption tool and/or key, which only the developers of this ransomware have. They claim that they can be trusted and that it is not in their interest not to send decryption tools after a payment. The ransom note says the following:

Greetings

[+] What has happened? [+]

Your files are encrypted, and currently unavailable. You are free to check.
Every file is recoverable by following our instructions below.

Encryption algorithms used: AES256(CBC) + RSA2048 (military/government grade).

[+] Guarantees? [+]

This is our daily job. We are not here to lie to you - as you are 1 of 10000's.
Our only interest is in us getting payed and you getting your files back.

If we were not able to decrypt the data, other people in same situation as you
wouldn't trust us and that would be bad for our buissness --
So it's not in our interest.

To prove our ability to decrypt your data you have 1 file free decryption.

If you don't want to pay the fee for bringing files back that's okey,
but remeber that you will lose a lot of time - and time is money.

Don't waste your time and money trying to recover files using some file
recovery "experts", we have your private key - only we can get the files back.

With our service you can go back to original state in less then 30 minutes.

[+] Service [+]

If you decided to use our service please follow instructions below.

Contact us:

Install Telegram(available for Windows,Android,iOS) and contact us on chat:
Telegram contact: https://t.me/RecoverySupport

Also available at email afroditateam@tutanota.com cc: afroditasupport@mail2tor.com

Make sure you are talking with us and not impostor by requiring free 1 file decryption 
to make sure we CAN decrypt!!
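As an added example (not from the wiki and not any vendor's tooling), the following Python script turns the indicators on this page into a simple triage check: it compares a file's bytes against the sample hashes in the infobox and flags the ransom note by its filename or by the contact strings quoted above. The UTF-16 handling and the two-marker threshold are my assumptions, and the embedded note fragment is constructed from the text above.

```python
import hashlib
from pathlib import Path
# Indicators copied from this page's infobox and ransom note.
AFRODITA_HASHES = {
    "md5": "d4b946b51dc21709f87a1a943ad7cbe3",
    "sha1": "8c2a1c67493eff3990ab30862e094c34e6821eea",
    "sha256": "9b6681103545432cd1373492297a6a12528f327d14a7416c2b71cfdcbdafc90b",
}
RANSOM_NOTE_NAME = "__README_RECOVERY_.txt"
NOTE_MARKERS = (
    "[+] What has happened? [+]",
    "t.me/RecoverySupport",
    "afroditateam@tutanota.com",
    "afroditasupport@mail2tor.com",
)

def hash_matches(data: bytes) -> list:
    """Names of the page's sample hashes that the given bytes reproduce."""
    return [algo for algo, digest in AFRODITA_HASHES.items()
            if hashlib.new(algo, data).hexdigest() == digest]

def decode_note(data: bytes) -> str:
    """Decode a dropped text file; a UTF-16 BOM is handled (assumption: Windows notes may use it)."""
    if data[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return data.decode("utf-16", "ignore")
    return data.decode("utf-8", "ignore")

def classify(name: str, data: bytes) -> dict:
    """Report why a file looks Afrodita-related: sample hash, note filename, note content."""
    markers = [m for m in NOTE_MARKERS if m in decode_note(data)]
    return {
        "hash_match": hash_matches(data),
        "note_name": name == RANSOM_NOTE_NAME,
        "note_markers": markers,
        # A victim may rename the note; two independent contact/heading markers still flag it.
        "is_ransom_note": name == RANSOM_NOTE_NAME or len(markers) >= 2,
    }

def scan_tree(root: str) -> list:
    """Walk a directory and return (path, classification) for every flagged file."""
    hits = []
    for p in Path(root).rglob("*"):
        if p.is_file():
            result = classify(p.name, p.read_bytes())
            if result["hash_match"] or result["is_ransom_note"]:
                hits.append((str(p), result))
    return hits

# Constructed fragment of the note quoted on this page, so the script runs stand-alone.
SAMPLE_NOTE = b"[+] What has happened? [+]\r\nTelegram contact: https://t.me/RecoverySupport\r\n"
```

Run `scan_tree(r"C:\Users")` (or any root) on a suspect host to list dropped notes and any file matching the sample hashes; a hash miss only means the file is not this exact sample, not that it is clean.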