Apocalypse targets Windows OS and the method of distribution is currently unknown. Once installed, this variant stores itself on c:\Program Files (x86)\windowsupdate.exe, creates an autorun file named “Windows Update Svc,” and proceeds to encrypt targeted files. Apocalypse appends all encrypted files with the following extensions: .encrypted, .SecureCrypted, .bleepYourFiles, Wheres_my_files.txt, or .F***YourData (expletive removed). The ApocalypseVM version appends encrypted files with either .encrypted or .locked. The Al-Namrood version appends files with the extension .unavailable and it primarily infects servers via Remote Desktop Protocol (RDP). The lock screen that Apocalypse displays after the encryption process can be bypassed by booting the infected system into Safe Mode with Networking.

UPDATE 11/15/2016: Kangaroo and Esmeralda are two recently discovered versions of Apocalypse. They append .crypted_file and .encrypted, respectively, to encrypted file names. According to one victim on the Bleeping Computer forums, payment of the ransom for the Kangaroo version resulted in demands for more money and no working decryption key.

UPDATE 12/19/2016: A new version appends .ID-[A-F0-9]{8}+countrycode[cryptcorp@inbox.ru].[a-z0-9]{13} to encrypted files and drops a ransom note named *md5*.txt.

  • Bleeping Computer provides more information about Apocalypse here and here.
  • Emsisoft provides a decryption tool for Apocalypse, available here.
  • Emsisoft provides a decryption tool for ApocalypseVM, available here.
  • Emsisoft provides a decryption tool for Al-Namrood, available here.

One example of the Apocalypse variant. Image Source: Bleeping Computer