SUKA ransomware is file-encrypting malware that belongs to the Dharma ransomware family. The group behind Dharma has released numerous variants, which can be told apart by the extension appended to encrypted files. This one appends .[firstname.lastname@example.org].SUKA.
SUKA ransomware is file-encrypting malware from the notorious Dharma family (also known as CrySIS, which is how most anti-virus engines label it). The group behind it has released many versions, including Cvc, ZIN, World, SWP, Dex, MUST, RXD, and Elvis, and the versions are told apart by the extension appended to encrypted files. Because this one appends .[email@example.com].SUKA, it is known as SUKA ransomware. Once encryption finishes, a pop-up ransom note appears and a FILES ENCRYPTED.txt file is dropped. Both notes give firstname.lastname@example.org as the contact address for victims who want to buy the decryptor. The pop-up note contains more information but still does not name the price. Whatever the price turns out to be, paying is risky: victims are dealing with criminals, and nothing obliges them to send a working decryptor once payment is made. There is simply no guarantee that paying will result in a decryptor, and every payment finances the next round of attacks.
If users have a backup, file recovery is not an issue. However, they should first make sure SUKA ransomware is fully removed from the computer; otherwise, the ransomware could encrypt the backup as soon as it is connected.
If users do not have a backup and are out of options, they should keep a copy of the encrypted files and periodically check NoMoreRansom for a decryptor. If malware researchers or anti-virus vendors release one, it will most likely be published there. A decryptor exists for some older Dharma versions, but it does not work on SUKA ransomware.
How does ransomware infect a computer?
Users with careless browsing habits are far more likely to pick up an infection, mainly because they open unsolicited email attachments without checking them and download torrents. Dharma variants in particular are also frequently installed by hand after attackers brute-force or buy credentials for Remote Desktop (RDP) services exposed to the internet, so RDP should never be reachable from the internet without a VPN, strong passwords and account lockout.
Opening malspam is one of the most common ways users get infected with ransomware. When users download and open the attachment in a malicious email, they launch the malware themselves. Malicious actors buy email address lists in bulk on hacker forums, so anyone whose address has been leaked or exposed in a data breach is likely to receive malspam at some point. Users who learn to recognise the signs of a potentially malicious email can avoid opening the dangerous ones. The most noticeable signs are a sender address that looks random or does not match the claimed organisation, grammar and spelling mistakes, and strong pressure to open the attachment at once. Most malspam is fairly obvious, but some campaigns are more sophisticated, so it is highly recommended to scan every unsolicited attachment with anti-virus software or VirusTotal before opening it.
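The attachment checks described above, as an added worked example (this is not code from the original article): it parses a raw .eml, pulls out each attachment, flags executable and double extensions, hashes the file with SHA-256 and turns the hash into a VirusTotal lookup. The sample message, its sender domain and the attachment bytes are constructed for the demo; the extension lists and pressure words are assumptions to extend as needed.

```python
"""Attachment triage for an unsolicited email (added example, not the article's code)."""
import email
import email.policy
import hashlib
import json
import urllib.error
import urllib.request
from email.message import EmailMessage
from typing import Optional

# File types that execute directly or are common malware droppers (assumed list).
RISKY_EXTENSIONS = {
    ".exe", ".scr", ".com", ".pif", ".js", ".jse", ".vbs", ".vbe", ".wsf",
    ".hta", ".cmd", ".bat", ".ps1", ".lnk", ".iso", ".img", ".jar", ".msi",
}
# Containers that hide the real payload; open them in a sandbox, not on the desktop.
ARCHIVE_EXTENSIONS = {".zip", ".rar", ".7z", ".ace", ".cab"}
# Phrases malspam uses to rush the reader (assumed list).
PRESSURE_WORDS = ("urgent", "immediately", "final notice", "suspended", "action required")


def assess_attachment(filename: str, data: bytes) -> dict:
    """Verdict for one attachment: hash, reasons it looks risky, and a VT lookup URL."""
    lowered = filename.lower()
    parts = lowered.split(".")
    final_ext = "." + parts[-1] if len(parts) > 1 else ""
    reasons = []
    if final_ext in RISKY_EXTENSIONS:
        reasons.append(f"executable or script type {final_ext}")
    if len(parts) > 2 and final_ext in RISKY_EXTENSIONS:
        # e.g. Invoice.pdf.exe: the inner "extension" is a decoy document type
        reasons.append(f"double extension disguises .{parts[-2]} as a document")
    if final_ext in ARCHIVE_EXTENSIONS:
        reasons.append("archive: payload inside is not inspected here")
    if data[:2] == b"MZ" and final_ext not in RISKY_EXTENSIONS:
        reasons.append("content starts with a PE (MZ) header despite its name")
    sha256 = hashlib.sha256(data).hexdigest()
    return {
        "filename": filename,
        "size": len(data),
        "sha256": sha256,
        "risky": bool(reasons),
        "reasons": reasons,
        "virustotal_url": f"https://www.virustotal.com/gui/file/{sha256}",
    }


def header_flags(msg) -> list:
    """Cheap heuristic for the 'strong pressure' warning sign from the article."""
    subject = str(msg["Subject"] or "").lower()
    return ["subject pressures the reader to act"] if any(w in subject for w in PRESSURE_WORDS) else []


def triage_message(raw: bytes) -> dict:
    """Parse a raw RFC 5322 message and assess every attachment it carries."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "unnamed"
        payload = part.get_payload(decode=True) or b""  # bytes after base64/QP decoding
        findings.append(assess_attachment(name, payload))
    return {"from": str(msg["From"]), "subject": str(msg["Subject"]),
            "flags": header_flags(msg), "attachments": findings}


def vt_lookup(sha256: str, api_key: str) -> Optional[dict]:
    """Query VirusTotal API v3 by hash (needs network and a key; not run by the demo).
    Returns None when VT has never seen the file (HTTP 404)."""
    req = urllib.request.Request(f"https://www.virustotal.com/api/v3/files/{sha256}",
                                 headers={"x-apikey": api_key})
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as exc:
        if exc.code == 404:
            return None
        raise


def summarize_vt(response: Optional[dict]) -> dict:
    """Reduce a v3 /files response to engine counts."""
    if response is None:
        return {"seen": False, "malicious": 0, "suspicious": 0, "total": 0}
    stats = response["data"]["attributes"]["last_analysis_stats"]
    return {"seen": True, "malicious": stats.get("malicious", 0),
            "suspicious": stats.get("suspicious", 0), "total": sum(stats.values())}


def build_sample_eml() -> bytes:
    """Constructed sample malspam: made-up sender, subject and payload bytes."""
    msg = EmailMessage()
    msg["From"] = "Billing Dept <billing@invoices-example.test>"
    msg["To"] = "user@example.org"
    msg["Subject"] = "URGENT: unpaid invoice, open the attachment immediately"
    msg.set_content("See attached invoice.")
    msg.add_attachment(b"MZ\x90\x00 constructed stand-in, not a real executable",
                       maintype="application", subtype="octet-stream",
                       filename="Invoice_2021.pdf.exe")
    return msg.as_bytes()


if __name__ == "__main__":
    print(json.dumps(triage_message(build_sample_eml()), indent=2))
```

A hash lookup only tells you whether VirusTotal has already seen that exact file; a freshly built dropper will come back unseen, which is why the extension and content checks run locally first and an unseen risky attachment should still be treated as hostile.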
Users who download copyrighted content via torrents are also at greater risk of picking up malware. It is no secret that most torrent sites are poorly moderated, and cyber crooks take full advantage of that. Torrents for popular movies, TV series, video games, software, etc., often carry malware, and the more popular the title, the more likely its torrent is to be trojanised. Users who want to avoid malware need to stop pirating, especially via torrents.
What does ransomware do?
When ransomware enters a computer, it immediately starts encrypting files. Users will notice once it is done because every encrypted file has an extension appended to it. If the extension is .uniqueID.[email@example.com].SUKA, they are dealing with SUKA ransomware. The unique ID is the identifier the ransomware assigns to each victim. For example, image.jpg would become image.jpg.uniqueID.[firstname.lastname@example.org].SUKA. Files carrying that extension cannot be opened until they are decrypted.
The ransomware drops a FILES ENCRYPTED.txt text ransom note and also shows a pop-up note. The text file is the shorter of the two and gives only the contact address. The pop-up repeats the contact email addresses (email@example.com or firstname.lastname@example.org), shows the victim's unique ID, which must be included in any email sent to the operators, and warns against renaming encrypted files or trying third-party decryption tools.
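The naming pattern described above is enough to triage an affected machine without touching the malware itself. The following is an added example, not code from the original article: it walks a directory tree, recognises files carrying the Dharma-style suffix, recovers the original file name, tallies the victim ID and contact address, and lists the ransom notes it finds. The regular expression assumes the published Dharma form of the ID (eight hex characters, usually written as id-XXXXXXXX; the article only calls it "uniqueID"), the Info.hta pop-up file name is an assumption, and the sample files are constructed for the demo.

```python
"""Directory triage for a Dharma/CrySIS-style infection such as SUKA (added example)."""
import os
import re
import tempfile
from collections import Counter
from dataclasses import dataclass, field

# Suffix appended to each encrypted file: ".<id>.[<email>].<EXT>" where <id> is
# eight hex characters, optionally prefixed "id-" as Dharma usually writes it
# (assumed shape; the article only says "uniqueID").
DHARMA_SUFFIX = re.compile(
    r"\.(?:id-)?(?P<id>[0-9A-Fa-f]{8})\.\[(?P<email>[^\]\s]+@[^\]\s]+)\]\.(?P<ext>[A-Za-z0-9]+)$"
)
# Ransom note file names: FILES ENCRYPTED.txt from the article; Info.hta is the
# usual Dharma pop-up file and is an assumption for this variant.
RANSOM_NOTES = {"files encrypted.txt", "info.hta"}


def parse_encrypted_name(name: str):
    """Split an encrypted file name into original name, victim ID, email and extension.
    Returns None when the name does not carry the suffix."""
    m = DHARMA_SUFFIX.search(name)
    if not m:
        return None
    return {"original": name[:m.start()], "id": m.group("id").upper(),
            "email": m.group("email"), "ext": m.group("ext")}


@dataclass
class Report:
    encrypted: list = field(default_factory=list)        # paths of encrypted files
    originals: list = field(default_factory=list)        # recovered original names
    victim_ids: Counter = field(default_factory=Counter) # ID -> file count
    contact_emails: Counter = field(default_factory=Counter)
    ransom_notes: list = field(default_factory=list)


def triage(root: str, target_ext: str = "SUKA") -> Report:
    """Walk root and collect everything that points at a target_ext infection."""
    report = Report()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.lower() in RANSOM_NOTES:
                report.ransom_notes.append(path)
                continue
            parsed = parse_encrypted_name(name)
            if parsed and parsed["ext"].upper() == target_ext.upper():
                report.encrypted.append(path)
                report.originals.append(parsed["original"])
                report.victim_ids[parsed["id"]] += 1
                report.contact_emails[parsed["email"]] += 1
    return report


def build_demo_tree(root: str) -> None:
    """Create constructed sample files resembling a hit directory (no real malware output)."""
    docs = os.path.join(root, "Documents")
    os.makedirs(docs, exist_ok=True)
    for name in (
        "image.jpg.id-1A2B3C4D.[firstname.lastname@example.org].SUKA",
        "budget.xlsx.id-1A2B3C4D.[firstname.lastname@example.org].SUKA",
        "notes.txt",  # untouched file, must not be counted
    ):
        with open(os.path.join(docs, name), "wb") as fh:
            fh.write(b"constructed sample content\n")
    with open(os.path.join(docs, "FILES ENCRYPTED.txt"), "w", encoding="utf-8") as fh:
        fh.write("constructed placeholder for the ransom note\n")


def demo_report() -> Report:
    """Build the constructed tree in a temp dir, triage it and return the report."""
    with tempfile.TemporaryDirectory() as root:
        build_demo_tree(root)
        return triage(root)


if __name__ == "__main__":
    r = demo_report()
    print(f"{len(r.encrypted)} encrypted files, victim IDs {dict(r.victim_ids)}, "
          f"contacts {dict(r.contact_emails)}, {len(r.ransom_notes)} ransom notes")
    print("originals:", sorted(r.originals))
```

The recovered original names are only useful for matching encrypted files against a backup; the content is still encrypted, and renaming the files (which the ransom note itself warns against) does not help and can confuse a future decryptor that keys on the suffix.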
The ransom note does not mention the sum victims would have to pay, though demands from this family typically run to thousands of dollars. As said above, paying the ransom is not recommended because there is no guarantee a decryptor will actually be sent, and as long as victims keep paying, ransomware will remain a profitable business.
At present, only users who have a backup can recover their files for free.
The text from the pop-up ransom note is below:
YOUR FILES ARE ENCRYPTED
Don’t worry, you can return all your files!
If you want to restore them, follow this link:email email@example.com YOUR ID –
If you have not been answered via the link within 12 hours, write to us by e-mail: firstname.lastname@example.org
Do not rename encrypted files.
Do not try to decrypt your data using third party software, it may cause permanent data loss.
Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.
SUKA ransomware removal
Users are strongly encouraged to use anti-virus to remove SUKA ransomware rather than attempting manual removal, which can miss components or persistence entries and cause further damage. Before cleaning, disconnect the machine from the network and from any attached drives so the ransomware cannot spread, and keep a copy of the ransom note and one encrypted file, since identification services and any future decryptor will need them. Only once the ransomware is confirmed gone should the backup be connected to start recovering files.
SUKA ransomware is detected as:
- Win32:RansomX-gen [Ransom] by Avast/AVG
- Trojan.Ransom.Crysis.E by BitDefender
- A Variant Of Win32/Filecoder.Crysis.P by ESET
- Trojan-Ransom.Win32.Crusis.to by Kaspersky
- Trojan.Ransom.Crysis.E (B) by Emsisoft
- Ransom-Dharma!2D2A721BE629 by McAfee
- Ransom:Win32/Wadhrama!hoa by Microsoft
- Ransom.Win32.CRYSIS.SM by TrendMicro
- Ransom.Crysis by Malwarebytes