Wrui Ransomware, a Variant of the Stop/Djvu Ransomware Family, Continues the Destructive Tradition of Its Predecessors
The WRUI ransomware is thought to be the 294th variant of the STOP/DJVU Ransomware family. It was programmed to encrypt files on the victim’s computer using the RSA algorithm while marking each file with the telltale .wrui extension to distinguish its encryption. For example, a file called Picture.jpg becomes Picture.jpg.wrui after a successful attack. The ransomware also drops a _readme.txt file in every affected folder.
The STOP/Djvu Ransomware family has persisted strongly among hackers and is still unleashing new versions in the wild, although Wrui Ransomware basically operates as a simple variant absent from any major improvements or deviations from the established code. This, however, does not prevent Wrui Ransomware from still causing a massive amount of damage to your personal files.
Victims quickly notice that nearly all of their files have become inaccessible and suddenly unusable. The only files that the ransomware avoids encrypting are necessary for critical system processes, as encrypting those files would immediately render the entire system unstable. Like in most cases, the end game for hackers is to extort money from victims in exchange for a decryption key for the victims’ locked data.
In addition to finding ‘.wrui’ attached to the original files’ names, victims also find the ransom note inside text files named ‘_readme.txt’ left in every affected folder on the PC to ensure that the victim gets the message. Per the note, the hackers expect to receive the sum of $980 to restore files. The hackers are also willing to cut that payment by 50% to $490 if they receive communication from their victims within the first 72 hours after infection. The hackers provide 2 email addresses, ‘helpteam@mail.ch’ and ‘helpmanager@airmail.cc.’ Victims can attach a single non-critical file to their email message that, allegedly, will be decrypted for free as proof that the remaining files can be restored as well.
The full text of the Wrui Ransomware ransom note reads:
‘ATTENTION! Don’t worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: hxxps://we.tl/t-MWDNpfphPO. Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that’s price for you is $490. Please note that you’ll never restore your data without payment. Check your e-mail “Spam” or “Junk” folder if you don’t get answer more than 6 hours. To get this software you need write on our e-mail: helpteam@mail.ch Reserve e-mail address to contact us: helpmanager@airmail.cc Your personal ID:’
As always, we do not recommend paying the ransom and would offer that the best prevention of Wrui Ransomware comes with arming your computer with a reputable malware remediation tool. Also, remember always to keep copies of important photos, documents, and other personal files safe using cloud storage or secure external drives. If you have backups, you will not need to fear losing important files in case ransomware attacks again.
To learn about more types of ransomware and how to protect your system from them, visit our detailed ‘How to’ guides and best practices suggestions in our dedicated ransomware section.
