Razor

Also known as: Razor

Razor was discovered by dnwls0719, it is a part of Garrantydecrypt ransomware family. Like many other programs of this type, Razor is designed to encrypt files (make them unusable/inaccessible), change their filenames, create a ransom note and change victim’s desktop wallpaper. Razor renames files by appending the “.razor” extension to their filenames. For example, it renames “1.jpg” to “1.jpg.razor”, and so on. It creates a ransom note which is a text file named “#RECOVERY#.txt”, this file contains instructions on how to contact Razor’s developers (cyber criminals) and other details. As stated in the “#RECOVERY#.txt” file, this ransomware encrypts all files and information about how to purchase a decryption tool can be received by contacting Razor’s developers. Victims supposed to contact them via razor2020@protonmail.ch, Jabber client (razor2020@jxmpp.jp) or ICQ client (@razor2020) and wait for further instructions. It is very likely that they will name a price of a decryption tool and/or key and provide cryptocurrency wallet’s address that should be used to make a transaction. However, it is never a good idea to trust (pay) any cyber criminals/ransomware developers. It is common that they do not provide decryption tools even after a payment. Another problem is that ransomware-type programs encrypt files with strong encryption algorithms and their developers are the only ones who have tools that can decrypt files encrypted by their ransomware. In most cases victims have the only free and safe option: to restore files from a backup. Also, it is worth mentioning that files remain encrypted even after uninstallation of ransomware, its removal only prevents it from causing further encryptions.

Introduction

Razor was discovered by dnwls0719, it is a part of Garrantydecrypt ransomware family. Like many other programs of this type, Razor is designed to encrypt files (make them unusable/inaccessible), change their filenames, create a ransom note and change victim’s desktop wallpaper. Razor renames files by appending the “.razor” extension to their filenames. For example, it renames “1.jpg” to “1.jpg.razor”, and so on. It creates a ransom note which is a text file named “#RECOVERY#.txt”, this file contains instructions on how to contact Razor’s developers (cyber criminals) and other details. As stated in the “#RECOVERY#.txt” file, this ransomware encrypts all files and information about how to purchase a decryption tool can be received by contacting Razor’s developers. Victims supposed to contact them via razor2020@protonmail.ch, Jabber client (razor2020@jxmpp.jp) or ICQ client (@razor2020) and wait for further instructions. It is very likely that they will name a price of a decryption tool and/or key and provide cryptocurrency wallet’s address that should be used to make a transaction. However, it is never a good idea to trust (pay) any cyber criminals/ransomware developers. It is common that they do not provide decryption tools even after a payment. Another problem is that ransomware-type programs encrypt files with strong encryption algorithms and their developers are the only ones who have tools that can decrypt files encrypted by their ransomware. In most cases victims have the only free and safe option: to restore files from a backup. Also, it is worth mentioning that files remain encrypted even after uninstallation of ransomware, its removal only prevents it from causing further encryptions.

Activities and Tactics

Information pending cataloguing.

Notable Campaigns

Information pending cataloguing.

Tactics, Techniques, and Procedures (TTPs)

Information pending cataloguing.

Notable Indicators of Compromise (IOCs)

No curated IOCs are currently published for this actor. This section will be updated when stable, attributable indicators are available.

Malware and Tools

  • S-Type:
  • ClientMesh:
  • CyberGate:
  • Cyber Eye RAT:
  • DesktopNow:
  • Revenge-RAT:
  • Client Maximus:

Attribution and Evidence

Information pending cataloguing.

References

References pending cataloguing.