Angry Duck is ransomware for Microsoft Windows that encrypts files using AES-512 cryptography. It was discovered by Michael Gillespie. Its ransom note has some odd quirks, which make it apparent that Angry Duck was created by amateurs who may be using a ransomware toolkit or RaaS (Ransomware as a Service) utility to build their attacks. It is aimed at English-speaking users, and its tone is more humorous than that of some other ransomware.
Angry Duck was first created on August 23rd, 2016, but did not appear in the wild until almost 2 months later.
The Angry Duck Ransomware may spread through corrupted email attachments, often in the form of corrupted Microsoft Office or PDF files.
Apart from corrupted email and social media messages, Angry Duck may also spread through corrupted online advertising or through attackers hacking into the victim's computers directly.
The Angry Duck attack is rudimentary compared to some of the most threatening ransomware Trojans in the wild, although it is reasonably effective.
During encryption, Angry Duck appends a ".adk" extension to the names of encrypted files. For example, "sample.jpg" is renamed to "sample.jpg.adk". Unlike other, more harmful ransomware, the Angry Duck Ransomware is not capable of encrypting data located on external memory drives, removable media, or network drives. The Angry Duck Ransomware targets the following file types:
.3GP, .7Z, .AVI, .BMP, .CSV, .DJVU, .DOCM, .DOC, .EPUB, .DOCX, .FLV, .GIF, .IBOOKS, .JPEG, .JPG, .MKV, .MOV, .MP3, .MP4, .MPG, .MPEG, .PICT, .PDF, .PPS, .PKG, .PNG, .PPT, .PPTX, .PPSX, .RTF, .TIFF, .TIF, .TORRENT, .TXT, .VSD, .WMV, .XLS, .XLSX, .XPS, .XML.
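For incident triage, the renaming pattern above can be turned into an inventory of affected files to plan a restore from backup. The following is an added example, not code from the original page: the function names and the sample paths are constructed for illustration, and a match only marks a candidate, since an unrelated file may also end in ".adk".

```python
from collections import Counter
from pathlib import PureWindowsPath

# File types the page lists as targeted (lower-cased for comparison).
TARGETED = {
    ".3gp", ".7z", ".avi", ".bmp", ".csv", ".djvu", ".docm",
    ".doc", ".epub", ".docx", ".flv", ".gif", ".ibooks", ".jpeg",
    ".jpg", ".mkv", ".mov", ".mp3", ".mp4", ".mpg", ".mpeg",
    ".pict", ".pdf", ".pps", ".pkg", ".png", ".ppt", ".pptx",
    ".ppsx", ".rtf", ".tiff", ".tif", ".torrent", ".txt", ".vsd",
    ".wmv", ".xls", ".xlsx", ".xps", ".xml",
}
MARKER = ".adk"  # extension the page says is appended after encryption


def original_name(path):
    """Return the pre-encryption path if `path` fits the pattern, else None."""
    p = PureWindowsPath(path)
    if p.suffix.lower() != MARKER:
        return None
    inner = p.with_suffix("")  # strip only the trailing .adk
    if inner.suffix.lower() not in TARGETED:
        return None  # ends in .adk but no targeted type underneath
    return str(inner)


def triage(paths):
    """Map each matching path to its original name; count hits per file type."""
    restored, by_type = {}, Counter()
    for path in paths:
        orig = original_name(path)
        if orig is not None:
            restored[path] = orig
            by_type[PureWindowsPath(orig).suffix.lower()] += 1
    return restored, by_type


# Constructed sample listing (not real incident data).
SAMPLE = [
    r"C:\Users\alice\Pictures\sample.jpg.adk",
    r"C:\Users\alice\Documents\Report.DOCX.ADK",
    r"C:\Users\alice\Documents\notes.txt",
    r"C:\Tools\project.adk",
    r"C:\Users\alice\Documents\archive.tar.adk",
]

if __name__ == "__main__":
    restored, by_type = triage(SAMPLE)
    print(restored, dict(by_type))
```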
Following successful encryption, Angry Duck also changes the desktop wallpaper to a picture of an angry duck which reads:
*** ANGRY DUCK *** All your important files have been encrypted using very strong cryptography (AES-512 with RSA-64 FIPS grade encryption) To recover your files, send 10 BTC to my private wallet. DON’T MESS WITH THE DUCKS!!!
The new wallpaper contains a ransom-demand message stating that files are encrypted and that the victim must pay a ransom of 10 Bitcoins (currently equivalent to ~$6484). As compared to other viruses of the same type, Angry Duck's ransom is large (the size of these ransoms usually fluctuates between 0.5 and 1.5 Bitcoin). Unfortunately, no further information is provided (such as where to send the Bitcoin payment, how to decrypt files, the time frame until the deletion of the decryption key, etc.). AES is symmetric cryptography and, thus, the encryption and decryption keys are identical. However, all keys are stored on remote servers controlled by cybercriminals who encourage victims to purchase them.
Use strong anti-malware software to remove the ransomware.