Cyber Security Center

Delete World ransomware


World ransomware is file-encrypting malware that belongs to the Dharma ransomware family. This ransomware can be differentiated by the .[worldsnake@cock.li].world extension that’s added to encrypted files. It also shows the typical Dharma ransom note that demands users pay a ransom to get the decryptor.

 

Ransomware image

World ransomware is malware that belongs to the Dharma ransomware family, which has released countless ransomware such as SWP, Dex, MUST, RXD, Elvis, and Kut. The ransomware encrypts files, which is why it’s considered to be particularly dangerous. This version can be differentiated from the other Dharma versions by the [worldsnake@cock.li].world extension added to encrypted files. When the ransomware is done encrypting files, it will show a pop-up ransom note, as well as drop a FILES ENCRYPTED.txt text one. The pop-up note explains that victims can initiate file recovery by sending an email to worldsnake@cock.li. If users were to contact the cyber crooks behind this ransomware, they would be requested to pay a ransom. The note does not mention how much the ransom is but it would likely be a couple of thousand dollars. Regardless of how much victims are asked to pay, giving into the demands is generally not recommended.

While whether to pay or not is up to the users themselves, they should be aware that it does not guarantee file decryption. Victims are not always sent decryptors after paying, and this has happened to many users. There is nothing forcing the cyber crooks behind this ransomware to actually keep their end of the deal when they can just take the money. Furthermore, the money would go towards future criminal activities. The reality is that as long as users continue to pay the ransom, ransomware will not go away.

Users can recover files without any issue if they have backup. However, backup should only be accessed when ransomware is no longer present on the computer. If users do not delete World ransomware, the files in backup would become encrypted.

For users who do not have backup, waiting for a free decryptor to become available may be the only option. Users should back up encrypted files and store them somewhere safe. If a decryptor was to become available, it would become available on a site like NoMoreRansom, not some random forum or page. Users should be careful to not download even more malware that’s been disguised as a decryptor.

How does ransomware enter a computer?

Users who have bad browsing habits have a much higher chance of picking up some kind of malware because they open unsolicited email attachments, pirate copyrighted content, click on ads when visiting high-risk websites, and not install important security updates. Developing better habits would allow users to avoid a lot of malware.

Ransomware is often distributed via malspam, which is sent to users whose email addresses are obtained from hacker forums. The emails are usually pretty obvious, if users pay attention to the signs. The emails are made to appear like it’s some kind of official correspondence and put pressure on users to open the attachments by claiming it’s an important document. However, the sender’s email address is often quite random or complete nonsense. Furthermore, the emails themselves are often full of grammar and spelling mistakes. Generally, it’s not difficult to spot a potentially malicious email. But because some malspam may be more sophisticated than others, users should always scan unsolicited email attachments with anti-virus software or VirusTotal before opening them.

If users torrent, they are also risking getting a malware infection. Because torrent sites are not regulated properly, it’s not difficult to upload malicious torrents. It’s very common for torrents for popular movies, TV shows, video games, etc., to contain some kind of malware because those are torrents that users download the most. It’s especially common to find malware in torrents for popular shows like Game of Thrones when they are airing.

Why is World ransomware so dangerous?

As soon as ransomware enters a computer, it will start encrypting files. Like all ransomware, it mainly targets videos, photos, documents, etc., essentially all files users hold most important. All encrypted files will have an extension added to them, and it allows users identify which ransomware they are dealing with. This ransomware adds [worldsnake@cock.li].world. The extension also contains users’ unique IDs. For example, image.jpg would become image.jpg.unique ID.[worldsnake@cock.li].world. When it’s done encrypting files, it will show a pop-up ransom note, as well as drop a FILES ENCRYPTED.txt one. The ransom note contains the contact email address (worldsnake@cock.li) to initiate file decryption, as well as users’ unique IDs, which need to be included when contacting the cyber crooks.

Because this is ransomware, victims can expect to need to pay a ransom. The ransom sum is not mentioned in the note but it will likely be somewhere between a couple of hundred to a couple of thousand dollars. Whatever the sum may be, paying is not recommended because it will not guarantee file decryption. The cyber crooks behind this ransomware can just not send the decryptor.

Here is the ransom note dropped by World ransomware:

YOUR FILES ARE ENCRYPTED
Don’t worry,you can return all your files!
If you want to restore them, follow this link:email worldsnake@cock.li YOUR ID –
If you have not been answered via the link within 12 hours, write to us by e-mail:worldsnake@cock.li
Attention!
Do not rename encrypted files.
Do not try to decrypt your data using third party software, it may cause permanent data loss.
Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Only users who have backup can currently recover files for free.

World ransomware removal

It is strongly recommended to use anti-malware software to remove World ransomware because it’s a complicated malware infection. Unfortunately, removing the ransomware does not decrypt files.

World ransomware is detected as:

  • Win32:RansomX-gen [Ransom] by AVG/Avast
  • Trojan.Ransom.Crysis.E by BitDefender
  • Ransom.Crysis by Malwarebytes
  • Ransom.Win32.CRYSIS.SM by TrendMicro
  • Ransom:Win32/Wadhrama!hoa by Microsoft
  • Ransom-Dharma!F0742016D139 by McAfee
  • Trojan-Ransom.Win32.Crusis.to by Kaspersky
  • A Variant Of Win32/Filecoder.Crysis.P by ESET
  • Trojan.Ransom.Crysis.E (B) by Emsisoft