Woodrat ransomware is file-encrypting malware. It adds the .woodrat extension to encrypted files, which is why it’s known as Woodrat ransomware. It also drops a LOCKED_README.txt ransom note.
Woodrat ransomware is malware that encrypts files on an infected computer. Detected by malware researcher S!Ri, Woodrat ransomware is a dangerous piece of malware that makes files unopenable until they are decrypted with a special decryption tool. The people behind this ransomware will try to sell the decryptor to victims, though buying it is not recommended.
Victims can tell which ransomware they’re dealing with by the extension added to encrypted files. In this case, it’s .woodrat. The ransomware drops a LOCKED_README.txt ransom note, which explains that files are not permanently damaged but encrypted. The ransom note explains that if victims want to recover files, they need to send an email to firstname.lastname@example.org with their ID and Bit Key, and pay a certain amount of the Monero cryptocurrency. The ransom amount depends on how long after files are encrypted users wait to contact them. However, paying is not recommended because there are no guarantees that files would be decrypted, or that a decryptor would be sent in the first place.
When possible, malware researchers release free decryptors to help victims recover files. Thus, victims of Woodrat ransomware should regularly check whether a free decryptor has been released. However, it’s worth mentioning that there are many fake decryptors that may install additional malware. For this reason, users should be very careful about where they download decryptors from. Emsisoft, NoMoreRansom, other anti-virus vendors, as well as malware researchers are the only sources that can provide safe decryptors.
If users have the option of recovering files from backup, they should have no issues with that. However, they first need to remove Woodrat ransomware fully. If the ransomware is still present when the backup is accessed, the files in the backup may become encrypted as well.
Bad browsing habits can often lead to a ransomware infection
Users who don’t have particularly good browsing habits are usually the ones who accidentally pick up an infection. Those bad habits include opening spam email attachments, clicking on ads while on high-risk websites and pirating via torrents. Not doing these things can go a long way towards avoiding not only ransomware, but also other kinds of malware.
Ransomware is often distributed via spam email attachments. All users need to do to initiate the ransomware is open the attached file and enable macros. Fortunately, most users will be able to spot a malicious email because they are pretty obvious. They’re usually sent from random-looking email addresses, are full of grammar and spelling mistakes, and claim that opening the attached file is essential because it’s supposedly an important document. Users should be careful with all unsolicited emails with attachments, and always scan those attachments with anti-virus software or VirusTotal.
Users who use torrents to download pirated content are also risking picking up some kind of infection. Forums and sites that host torrents are often poorly regulated, which allows malicious parties to upload malware and disguise it as a torrent for popular content, such as a movie, TV show, game, software, etc. Thus, users are discouraged from pirating via torrents.
What does Woodrat ransomware do?
When the ransomware is initiated, it will start encrypting files. Ransomware usually encrypts files that users find most important, which include photos, videos and documents. Users will be able to tell which files have been encrypted by the .woodrat extension. For example, image.jpg would become image.jpg.woodrat. All files with that extension will be unopenable until they are decrypted with a special tool.
The ransomware will drop a LOCKED_README.txt ransom note, which will provide information on how users can pay to recover files. The price for the decryptor depends on how quickly victims contact the cyber criminals behind this ransomware. If it’s within 1-3 days the sum is 1.5 xmr (currently $160), if 3-7 days – 3 xmr (currently $320), if within a month – 10 xmr (currently $1070). Paying the ransom is not recommended because there are no guarantees that a decryptor would be sent. Users should keep in mind that they are dealing with cyber criminals, and there really is no way of knowing whether they would actually send a decryptor, seeing as they will likely not feel obligated to do so. Many users in the past have not received a decryptor, so victims are always discouraged from paying. Paying also encourages cyber crooks to continue, so as long as people pay the ransom, ransomware will continue to be a problem.
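The two indicators described above (the .woodrat extension and the LOCKED_README.txt note) are enough to scope the damage before restoring from backup. The following is an added example, not part of the original article: the function names are hypothetical, the sample tree is constructed, and it assumes that the modification time of a .woodrat file approximates when it was encrypted.

```python
import os
import tempfile
from datetime import datetime, timezone

ENCRYPTED_EXT = ".woodrat"          # extension named on this page
NOTE_NAME = "LOCKED_README.txt"     # ransom note name named on this page

def scan_tree(root):
    """Walk root and collect Woodrat indicators without opening any file."""
    encrypted, notes = [], []
    for dirpath, _dirs, files in os.walk(root, onerror=lambda e: None):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.lower().endswith(ENCRYPTED_EXT):
                try:
                    mtime = os.stat(path).st_mtime
                except OSError:
                    continue  # file vanished or is unreadable; skip it
                original = name[: -len(ENCRYPTED_EXT)]  # image.jpg.woodrat -> image.jpg
                encrypted.append((path, original, mtime))
            elif name.lower() == NOTE_NAME.lower():
                notes.append(path)
    return encrypted, notes

def summarize(encrypted, notes):
    """Return counts, affected directories and the (assumed) encryption window."""
    times = [m for _p, _o, m in encrypted]
    to_utc = lambda t: datetime.fromtimestamp(t, timezone.utc).isoformat()
    return {
        "encrypted_files": len(encrypted),
        "ransom_notes": len(notes),
        "affected_dirs": sorted({os.path.dirname(p) for p, _o, _m in encrypted}),
        "first_seen_utc": to_utc(min(times)) if times else None,
        "last_seen_utc": to_utc(max(times)) if times else None,
    }

def demo():
    """Build a constructed sample tree (not real victim data) and scan it."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "Pictures"))
        for rel in ("Pictures/image.jpg.woodrat", "report.docx.woodrat",
                    "notes.txt", NOTE_NAME):
            open(os.path.join(root, rel), "w").close()
        enc, notes = scan_tree(root)
        return sorted(o for _p, o, _m in enc), summarize(enc, notes)

if __name__ == "__main__":
    print(demo())
```

Pointing `scan_tree` at a user profile or a mounted share gives the list of original file names to restore and the directories that were touched.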
Here is the ransom note dropped by Woodrat ransomware:
Ooops, all your files are encrypted, that means you can’t use them for a while!!!
They are not perpmanently lost, for there’s a special key to get them back.
You can try all the ways you have to decrypted your files, but it’s just a waste of time,
eventually you will know there’s no other way but to contact us for help.
With our help, you could get your files back within a hour, but you need to follow the instructions below :
 Send an email to the addr below :
 with content of :
*1 your “ID” & “BIT KEY” located in “LOCKED_README.txt”
*2 The amount of files encrypted and the finish time(I have ways to figure out the finish time, so think twice)
 Then, there’s two choices :
*1 [recommended] pay us immediately, so we’ll help you decrypt as soon as the payment was conformed
*2 wait for our reply(need a lot of time)
* the first method was recommended for you have limited amount of time
* if you’d like to test some files, you can send them to us via mail,but here’s the limtation :
* quantity <= 4 and total file size <= 4mb
[*] send xmr to the addr below :
more detail about xmr purchasing, visit hxxps://www.getmonero.org/ or just use search engine for ‘buy xmr’
if you have future questions, it’s welcome to send us a mail!
[*] here’s the price, notice : you only have limited amount of time
= encrypted in 1-3 days – 1.5 xmr to get decrypt =
= encrypted in 3-7 days – 3 xmr to get decrypt =
= encrypted in a month – 10 xmr to get decrypt =
= encrypted over a month – never get decrypt =
Woodrat ransomware removal
Users should use anti-virus software to delete Woodrat ransomware. Manual removal is very complicated so regular users should not attempt it. Unfortunately, removing the ransomware does not mean files would automatically become decrypted.
Woodrat ransomware is detected as:
- Win32:Trojan-gen by AVG/Avast
- Trojan.GenericKD.34686589 by BitDefender
- Trojan.GenericKD.34686589 (B) by Emsisoft
- A Variant Of Win32/Packed.VMProtect.LL by ESET
- Ransom.Panther by Malwarebytes
- Trojan:Win32/CryptInject!ml by Microsoft
- Trojan.Win32.Zudochka.eye by Kaspersky