A new cryptovirus is on the loose. Discovered by the malware researcher Michael Gillespie, it is themed around the Harry Potter novels. The ransomware uses a file named “voldemort.horcrux”, and is therefore dubbed Voldemort ransomware.
The design pattern of the virus code is built upon inversion of control (IoC), which in short means that some functionality is changed by additional code written by the malware maker. No ransom note is dropped and no extension is added; there is just a hint of Voldemort’s snake “Nagini” inside the code and an image of the Voldemort character himself.
| Short Description | The ransomware encrypts your files, changing only their size. |
| Symptoms | The ransomware does not display a ransom note and does not append an extension to files, but the data is still encrypted. |
| Distribution Method | Spam Emails, Email Attachments, Executable Files |
| Data Recovery Tool | Windows Data Recovery by Stellar Phoenix. Notice! This product scans your drive sectors to recover lost files and may not recover 100% of the encrypted files, but only a few of them, depending on the situation and whether or not you have reformatted your drive. |
Voldemort Virus – Spread
The Voldemort virus uses multiple ways to spread itself. The most popular one is spam email campaigns that distribute the payload file of the ransomware in question. Such an email tries to make you believe that some urgent message or program is contained in the attached file. In actuality, the attached file might look harmless, but the malicious payload of the virus is inside. If you open the file, which in most cases is an executable, your computer will be infected and your data will get encrypted.
Other infection methods for the Voldemort virus could be in motion, using social media networks and file sharing services. The malware maker could have put the malicious files on every such platform as an extra way to infect unsuspecting users. Be careful when surfing the Web and avoid suspicious e-mails, files or links. Check the signatures and sizes of all files you have downloaded, and scan them with security software. You should read more tips to prevent ransomware in that forum topic.
Voldemort Virus – More Information
The Voldemort cryptovirus is a very strange ransomware, as it does not create a ransom note with payment instructions, nor does it add any extension or prefix to the files it encrypts. The malware researcher Michael Gillespie has found the ransomware in the wild, so it is still too early to say what damage might be done to users’ compromised computers. The name comes from the “voldemort.horcrux” file created in the C:\temp\ directory and the following image found afterward:
As you can see, the ransomware is themed around the Harry Potter fantasy novels written by J. K. Rowling, specifically around the Voldemort character and his snake “Nagini”, whose name is used for one of the payload-dropping files. These files are mostly found as executables, but users have submitted more than one dropper file:
You can see its detections on VirusTotal here:
The ransomware creates the following entry in the Windows Registry:
The ransomware is still new, so let’s hope it is decryptable and does not become a bigger threat than it is. The inversion of control (IoC) mechanism shows that the ransomware creator put some thought behind the code, so it might be made by a professional rather than a script-kiddie copy-pasting code. The lack of a ransom note seems intentional, so the cryptovirus might be made just to encrypt files with no decryption option.
The files which the ransomware encrypts have the following extensions:
.doc, .docx, .ppt, .pptx, .xls, .xlsx, .bmp, .png, .jpg, .jpeg, .exe, .pdf
Stay tuned for updates, if new activity arises around this malware.
Remove Voldemort Virus and Restore Your Files
If your computer got infected with the Voldemort ransomware virus, you should have some experience in removing malware. You should get rid of this ransomware as fast as possible, before it has the chance to spread further and infect more computers. Remove the ransomware by following the step-by-step removal guide given below. To see ways that you can try to recover your data, see the step titled 2. Restore files encrypted by Voldemort.