A new EDA2 ransomware was discovered by Michael Gillespie called Ded Cryptor. This ransomware has been around for quite a while and targets both Russian and English speaking victims. When installed, the victims desktop will be changed to show an evil looking Santa having a good time while it encrypts your files.
Ded Cryptor will change the wallpaper of the Windows desktop to an image that contains the ransom amount and the email address, firstname.lastname@example.org, which the victim is told to email for payment instructions.
Though EDA2 ransomware have been commonly seen in the past, this particular variant removed the method that we could use to retrieve the keys. Furthermore, it also contains an unused namespace called DarthEncrypt, which appears to be the malware developer’s attempt to create a new encryption method for the EDA2 ransomware.
How Ded Cryptor Encrypts your Files
At this point, it is currently unknown how Ded Cryptor is distributed. Once installed, it will generate an AES password and then only encrypt the victim’s %UserProfile% folder. When it encrypts a file it will append the .ded extension to it. This means that a file called test.jpg, will be renamed to test.jpg.ded when encrypted. The files types targeted by this ransomware are:
When encryption is finished it will encrypt the AES key with an RSA retrieved from the malware developer’s Command & Control server. This encrypted key will then be sent back up to the Command & Control server. Finally, Ded Cryptor will change the desktop background to show the image above.
Unfortunately, at this time there is no way to decrypt Ded Cryptor files for free. For those who have been affected by Ded Cryptor, we have a support topic here: DED Cryptor Help & Support Topic ( email@example.com / .ded)