AHP ransomware, a malicious program which is part of the Dharma ransomware family, was spotted in September 2020. It particularly infects Windows-based systems. The ransomware is designed to encrypt data and create a ransom note in exchange for decryption tools. The ransomware is delivered through thousands of phishing emails.
It is also spread via other infection vectors such as spam campaigns, illegal activation tools (“cracks”), fake updaters, and untrustworthy download sources.
When the ransomware encrypts the files, they are renamed in the following schema: original filename, a unique ID name given to the victims, cybercriminals’ email addresses, and the “.AHP” extension. For example, a file titled “one[.]jpg” once encrypted would appear like this: “one[.]jpg[.]id-C279F237.[email@example.com].AHP.” Further, ransom notes (fig.1) are made to show up on a pop-up window. The note states that the victim’s data is ‘locked’ and also instructs them to communicate with the cybercriminals behind the ransomware attack, via email. The text presented in the pop-up window provides slightly more information concerning the infection.
Fig.1 Ransom note pop-up window
Indicators of Compromise
1. Encrypted Files Extension – .AHP 2. Cyber Criminal Contact – aihlp24@tuta[.]io | aihlp@protonmail[.]com 3. MD5 –b94264963a9dd9ace614cef5668515da 4. SHA1 – 2f7bc3d3121074c7404e078e313bf6ba7d214f90 5. SHA256 – 5560b7207f4864f73e4331e934d86a381d77a8848e2a7d22bf45e73ab2aa81b5 6. SSDEEP - 1536:mBwl+KXpsqN5vlwWYyhY9S4APmdP1/LutCA3J33fagQqk3DWd9S:Qw+asqN5aW/hLGPZLuV3x3fa48qd9
- Download applications from an authentic source.
- Create a backup for your most important files, on a regular basis.
- Personalize your anti-spam settings.
- Patch and update your software and system.
- Use proper antivirus, one that does not allow unwanted execution.
- Do not click on suspicious links.
- Spread awareness about such threats among users.