VoidCrypt Ransomware - What is it?

VoidCrypt ransomware appears to be a strange hybrid of corporate-targeted ransomware and ransomware aimed at individuals. Nonetheless, that approach has brought its operators enough money and notoriety that the trick may be counted as successful.


April 19, 2023

VoidCrypt is a ransomware group that targets individual users. Despite this, the ransomware uses several features that are more typical of corporate-oriented viruses.

At first glance, this ransomware does not stand out from other variants aimed at individuals. Just like STOP/Djvu, it uses AES-256 to encrypt files, demands that the ransom be paid as soon as possible (or the sum will double), and does not touch your personal data. However, in addition to AES encryption, VoidCrypt also uses the RSA cipher, which makes decryption almost impossible. In fact, the extra cipher is not needed: AES cannot be broken with widespread methods such as brute force or guessing.

Another trait more typical of corporate-oriented ransomware is the spreading method. Almost all ransomware families that infect individual users rely on software from dubious sources for distribution: malicious code is hidden inside an application you get for free instead of purchasing it on the official website. VoidCrypt instead uses email spam to get onto users' computers. That method is quite effective against corporations, especially ones that communicate heavily by email. It works against individual users too, but much less well than the dubious software mentioned above.

Technical details

Note: Decryption-Info.HTML
File pattern: %file_name% . %original_extension% . [%contact_email%]
Algorithm: AES-256 + RSA-2048
Features: Ransomware is oriented on individuals, but uses features that are more typical for corporations-oriented ransomware
Damage: Disables Volume Shadow Copies and Microsoft Defender
Distribution: Email spam, phishing
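
The note name and file pattern above can be turned into a quick triage check over a file listing. The following Python sketch is an added example, not code from the original article or from any vendor tool; the function names and sample paths are constructed, and it assumes the spaces shown in the file pattern are only visual separators.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

NOTE_NAME = "decryption-info.html"  # ransom note name from the table above
# <file_name>.<original_extension>.[<contact_email>] per the table's file pattern
# (assumption: no spaces around the dots in real file names)
RENAMED = re.compile(
    r"^(?P<stem>.+)\.(?P<ext>[^.\[\]]+)"
    r"\.\[(?P<email>[^\[\]\s@]+@[^\[\]\s@]+\.[^\[\]\s@]+)\]$"
)

def parse_renamed(name):
    """Return (original_name, contact_email) if name fits the pattern, else None."""
    m = RENAMED.match(name)
    if not m:
        return None
    return f"{m['stem']}.{m['ext']}", m["email"].lower()

def triage(paths):
    """Group a file listing by folder and report folders that show the indicators."""
    dirs = defaultdict(lambda: {"note": False, "files": [], "emails": set()})
    for raw in paths:
        p = PureWindowsPath(raw)
        entry = dirs[str(p.parent)]
        if p.name.lower() == NOTE_NAME:
            entry["note"] = True
        elif (hit := parse_renamed(p.name)):
            entry["files"].append(hit[0])
            entry["emails"].add(hit[1])
    report = {}
    for folder, e in dirs.items():
        if e["note"] or e["files"]:
            # Ransom note and renamed files in the same folder is the strongest signal
            level = "high" if e["note"] and e["files"] else "review"
            report[folder] = {"level": level, "originals": sorted(e["files"]),
                              "emails": sorted(e["emails"])}
    return report

# Constructed sample listing, not taken from a real incident
SAMPLE = [
    r"C:\Users\alice\Documents\report.docx.[helpdesk@example.com]",
    r"C:\Users\alice\Documents\archive.tar.gz.[helpdesk@example.com]",
    r"C:\Users\alice\Documents\Decryption-Info.HTML",
    r"C:\Users\alice\Pictures\photo.jpg",
    r"C:\Users\alice\Desktop\notes.[draft].txt",
    r"D:\Share\budget.xlsx.[Helpdesk@Example.com]",
]

if __name__ == "__main__":
    for folder, info in triage(SAMPLE).items():
        print(folder, info)
```

The recovered original names give responders the list of files to restore from backup, and the normalized contact addresses help correlate affected hosts.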

A third thing that is unusual for ransomware like VoidCrypt is so-called ransom sum hiding. You cannot see the sum the fraudsters demand, but you can see the threat that it will double if you do not pay the ransom within two days. The exact sum differs from one victim to another, so you never know how much the fraudsters will charge for your files. Since this ransomware, like many others, uses a ransomware-as-a-service (RaaS) distribution scheme, the ransom sums may differ simply because different “teams” distributed the same malware variant.

The VoidCrypt ransom note reads as follows:

'Your Files has Been Encrypted
Your Files Has Been Encrypted with AES + RSA Algorithm
If You Need Your Files You Have To Pay Decryption Price
You can Send Some Little Files Less Than 1MB for Test (The Test Files Should not Contain valuable Data Like Databases Large Excel Sheets or Backups
After 48 Hour Decryption Price Will be Doubled so You Better Contact us Before Times Up
Using Recovery Tools or 3rd Party Application May cause Damage To Your Files And increase price
The Steps You Should Do To Get Your Files Back:
1- Contact Email on Files And Send ID on The Files Then Do agreement on a Price
2- Send Some Files for Decryption Test ( Dont Pay to Anyone Else who is Not Able to Decrypt Your Test Files!)
After Geting Test Files Pay The price in Bitcoin And Get Decryption Tool + RSA key
Your Case ID :
Our Email : *********@gmail.com
In Case Of No Answer : *********@mail.ru and *************@protonmail.com.'

Since one of the contact emails belongs to the @mail.ru domain, we can suppose that VoidCrypt has its origins in the Commonwealth of Independent States. Mail.ru is a social network that bundles many services and also offers email, with mailboxes on the @mail.ru domain. Less than 5% of its users come from English-speaking countries, so there is a very high chance that these crooks are hiding somewhere in Russia, Ukraine or Belarus.