T2021_11 Tip for Acuna Ransomware (13th July 2021)

What is Acuna Ransomware?

The Acuna ransomware is a malicious program belonging to the Phobos ransomware family. It encrypts the personal documents found on the victim’s computer, renames them with the victim’s ID and appends the extension “[Cusapool@firemail.cc].Acuna”. It then displays a message (ransom note) which offers to decrypt the data if payment is made. The instructions are placed on the victim’s desktop as an “info.hta” pop-up window and in an “info.txt” text file.

Ransom notes contain an email address that can be used to contact the attackers, the price of a decryption tool (software, key), a payment deadline, a cryptocurrency wallet address and other details. As written in Acuna's ransom notes, victims have to send the provided ID to one of the email addresses cusapool@firemail.cc, zezoxo@libertymail.net or thetogerpo@zohomail.eu, or to the user @zezoxo via the Telegram messenger. They can also attach up to five encrypted files (excluding databases, backups, Excel files, etc.); to prove that they are able to decrypt files, the attackers offer to decrypt those files for free. It is also stated that the decryption price depends on how quickly victims write to the provided addresses (or contact the provided Telegram user). Additionally, one of the ransom notes warns victims not to rename files or decrypt them with third-party software, because doing so may damage the files irreversibly.
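As an added illustration (not part of the original advisory), the following Python script scans a file tree for the artifacts described above: files carrying the “[Cusapool@firemail.cc].Acuna” extension and the info.hta / info.txt ransom notes. The “.id[...]” victim-ID layout it strips from file names is an assumption about the Phobos naming scheme, and the sample files it scans are constructed in a temporary directory.

```python
"""Defensive triage: find Acuna (Phobos family) artifacts on a file tree."""
import re
import tempfile
from pathlib import Path
from typing import Optional, Tuple

# Extension the advisory says Acuna appends to every encrypted file.
ACUNA_SUFFIX = ".[Cusapool@firemail.cc].Acuna"
# Ransom-note file names the advisory says are dropped on the desktop.
RANSOM_NOTES = {"info.hta", "info.txt"}
# ASSUMED Phobos-style victim-ID segment ".id[<hex>-<digits>]" placed before the
# suffix; the advisory only says the victim ID is inserted into the name.
VICTIM_ID_RE = re.compile(r"\.id\[([0-9A-Fa-f]+-\d+)\]$", re.IGNORECASE)


def classify(name: str) -> Tuple[str, Optional[str]]:
    """Return ('encrypted', original_name), ('note', None) or ('clean', None)."""
    if name.lower() in RANSOM_NOTES:
        return "note", None
    if name.lower().endswith(ACUNA_SUFFIX.lower()):
        stem = name[: -len(ACUNA_SUFFIX)]
        # Drop the victim-ID segment when present so the original name is recoverable.
        return "encrypted", VICTIM_ID_RE.sub("", stem)
    return "clean", None


def scan_tree(root: Path) -> dict:
    """Walk root; collect encrypted files, ransom notes and distinct victim IDs."""
    report = {"encrypted": [], "notes": [], "victim_ids": set()}
    for path in (p for p in root.rglob("*") if p.is_file()):
        kind, original = classify(path.name)
        if kind == "encrypted":
            report["encrypted"].append((str(path), original))
            match = VICTIM_ID_RE.search(path.name[: -len(ACUNA_SUFFIX)])
            if match:
                report["victim_ids"].add(match.group(1))
        elif kind == "note":
            report["notes"].append(str(path))
    return report


def demo() -> dict:
    """Build a CONSTRUCTED sample tree in a temp dir and scan it (no real malware)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "Desktop").mkdir()
        for rel in ("Desktop/info.hta", "Desktop/info.txt", "notes.txt",
                    "budget.xlsx.id[1A2B3C4D-2275].[Cusapool@firemail.cc].Acuna",
                    "Desktop/photo.jpg.id[1A2B3C4D-2275].[Cusapool@firemail.cc].Acuna"):
            (root / rel).write_text("constructed sample content")
        return scan_tree(root)
```

Point scan_tree() at a mounted image of the affected volume to get an inventory of encrypted files (with their recoverable original names) and the victim IDs to quote when restoring from backup.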

Detection Names

Some antivirus products detect Acuna under varying detection names. For a list of the detection names, please refer to the following URL:

https://www.virustotal.com/gui/file/c72b7b00c4409b4a499e71527a7965f4bc615abff585e83e2605060861b74b9f/detection

Method of Infection

Most cybercriminals use Trojans, malspam, fake software updaters, unofficial software activation tools and unreliable download sources to distribute their ransomware.

Oftentimes crypto-viruses such as Acuna sneak into target computers via spam emails. These deceptive emails are sent in bulk by cybercriminals who pretend to be from a well-known company, bank or institution, and they typically carry a malicious attachment or link. The aim of such malspam is to trick recipients into opening the malicious file, which results in the installation of the malware. The attachment could be in any of these formats: an executable (such as .exe), a Microsoft Office document, a RAR, ZIP or other archive, a PDF document, or a JavaScript file.

Containment and Recovery

In most cases, victims cannot decrypt files without the unique key or decryption software that only the cybercriminals behind the ransomware hold, and there is no guaranteed third-party tool that can decrypt files encrypted by Acuna. Tools advertised as recovery tools are designed to attract users' attention but in fact offer little to no help; some even bundle more malware to further infect your device and may only corrupt your files further. The only way to recover files without paying a ransom is to restore them from a backup.

It is not recommended to pay a ransom because there is no guarantee that the attackers will send a decryption tool; it is common for victims to receive nothing in return even after paying. Further, the ransomware should be removed from the infected computer as soon as possible. Otherwise, it may spread to other computers on the same network or encrypt newly created files on the already infected computer.

It is never recommended to pay the attackers to decrypt your files; chances are they will take the ransom and vanish, or try again to infect and encrypt the same device or other devices on the network.

It is advised to always keep multiple backups of critical data, at least one of which should be kept offline. This ensures that you retain a way of recovering your data if you suffer a ransomware attack or your files become inaccessible for any other reason.

In the event of an Acuna ransomware infection, the following first steps are recommended:

STEP 1. Isolate the infected device(s):

 i. If logged into any cloud storage, be sure to log out or disconnect from it.

 ii. Disconnect the infected device from the network and the internet. You may even go as far as disabling all Network Interface Cards. You can follow the link below for instructions on disabling your Network Interface Card.

 https://www.minitool.com/news/how-enable-disable-network-adapters-win10-003.html

 iii. Disconnect all external storage devices.

STEP 2. Reimage the infected device(s). You can follow the link below for instructions on reimaging your device.


STEP 3. Restore a clean copy of files from backups. You can follow the link below for instructions on how to backup and restore your data.

https://www.pcmag.com/how-to/how-to-back-up-and-restore-an-image-file-of-windows-10
