Comrade Circle targets Windows OS and is distributed via phishing emails containing Word documents embedded with a malicious macro. Similar to the Fantom variant, Comrade Circle displays a fake “Windows Update” screen during the encryption process, which disappears when encryption is complete. It looks for files on local drives as well as on network shares that are not password-protected. Comrade Circle renames encrypted files using six to sixteen random characters and appends .comrade to the newly created file names. The attackers behind this campaign request that victims send payment directly to a provided Bitcoin wallet address and then follow up with an email providing the personal ID number displayed on the ransom note in order to receive the decryption key. The attackers try to play on victims’ sympathies by claiming they will donate 50 percent of the ransom payment to “poor people” and that they “are good people that help other people with getting a job and making the world better.” The ransom payment demand is currently unknown.
- Enigma Software provides more information about Comrade Circle here.
- The NJCCIC is not currently aware of any free decryption tools for Comrade Circle.
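The file-renaming behaviour described above (six to sixteen random characters plus a .comrade extension, on local drives and open network shares) gives defenders a simple detection hook. The following is an added example, not code from the NJCCIC profile, that flags directories in a file listing where several files carry that naming pattern; the alphanumeric character class and the constructed sample paths are assumptions.

```python
import re
from collections import defaultdict

# Naming pattern described for Comrade Circle: 6-16 random characters followed
# by ".comrade". Restricting the "random characters" to [A-Za-z0-9] is an
# assumption; the write-up does not specify the alphabet.
COMRADE_NAME = re.compile(r"^[A-Za-z0-9]{6,16}\.comrade$")


def is_comrade_name(filename: str) -> bool:
    """True if a bare file name matches the Comrade Circle renaming pattern."""
    return COMRADE_NAME.match(filename) is not None


def flag_directories(paths, threshold=3):
    """Group file paths by parent directory and return those directories in
    which at least `threshold` files match the pattern, with their counts.
    Handles both local drive paths and UNC share paths, since the profile
    notes that unprotected network shares are encrypted as well."""
    hits = defaultdict(int)
    for path in paths:
        normalized = path.replace("/", "\\")
        parent, _, name = normalized.rpartition("\\")
        if is_comrade_name(name):
            hits[parent] += 1
    return {d: n for d, n in hits.items() if n >= threshold}


# Constructed sample listing (not real data): a user profile on the local
# drive plus an open file share reachable over the network.
SAMPLE_PATHS = [
    r"C:\Users\alice\Documents\Qw3rTy9z.comrade",
    r"C:\Users\alice\Documents\pL0kMn8bVc.comrade",
    r"C:\Users\alice\Documents\Zx1cVb2n.comrade",
    r"C:\Users\alice\Documents\notes.txt",
    r"\\fileserver\open_share\Ab12Cd34.comrade",
    r"\\fileserver\open_share\budget.xlsx",
    r"C:\Windows\System32\kernel32.dll",
]


def scan_sample(threshold=3):
    """Run the detector over the constructed sample listing."""
    return flag_directories(SAMPLE_PATHS, threshold)


if __name__ == "__main__":
    for directory, count in scan_sample().items():
        print(f"{count} .comrade-renamed files in {directory}")
```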