Shifr RaaS is a ransomware strain that encrypts victim files and demands a ransom payment for decryption. First observed in the wild on June 1, 2017, this ransomware has been actively targeting systems worldwide. Security researchers also track this malware under the aliases Gojdue and ShurL0ckr.
Quick Facts
Ransomware Family: Shifr RaaS
First Seen: June 1, 2017
Known Aliases: Gojdue, ShurL0ckr
How Shifr RaaS Ransomware Works
Targeted Files
https://www.hybrid-analysis.com/sample/d756a216455b7b1fa09935d6de94775200cfb9c80466efc976aed64dd59ce1f7?environmentId=100
https://www.hybrid-analysis.com/sample/7005535e034576fdb66b5b32eb198b48d7755758e77bd66909f8dd7288c1e069?environmentId=120
Requires C&C in TOR
File Encryption Patterns
Shifr RaaS modifies encrypted files using specific patterns to mark them as encrypted:
File extensions added after encryption:
.shifr, .cypher
Ransom Note and Payment Demands
After encrypting files, Shifr RaaS displays ransom notes demanding payment for file recovery:
Ransom note file: HOW_TO_DECRYPT_FILES.html
Ransom message: notes/HOW_TO_DECRYPT_FILES.html
Note locations: Every folder
Technical Indicators
Associated Executable Files
The following executable files are associated with Shifr RaaS ransomware:
This Shifr RaaS ransomware analysis is part of Elastio's comprehensive ransomware detection database. Elastio provides advanced ransomware protection and recovery solutions, helping organizations defend against and recover from ransomware attacks like Shifr RaaS.