HC7, also referred to as HC7 GOTYA, targets Windows systems and is distributed manually via Remote Desktop Protocol (RDP). Once one system is infected, the ransomware uses the PsExec tool to spread to other systems on the network. HC7 uses AES-256 encryption, appends .GOTYA or .DS335 to the names of encrypted files, and drops a ransom note named RECOVERY.txt in each folder where files have been encrypted. The ransom note contains a bitcoin address, a victim ID, and a contact email address of firstname.lastname@example.org. Payment for file recovery ranges from $700 in bitcoin for one machine to $5,000 in bitcoin for all affected computers on a network.
UPDATE 1/9/2018: A new version appends .PLANETARY to the names of encrypted files and drops a ransom note named RECOVER.txt. Associated email addresses include: email@example.com. In addition to bitcoin, ransom payment is also accepted in Monero and Ethereum.
- Bleeping Computer provides more information on HC7 here.
- The NJCCIC is not aware of any decryption tools available for HC7; however, it may be possible to extract the encryption key from the infected system's memory using a RAM capture utility, provided the system was not powered off or rebooted after infection. Victims who have successfully extracted the encryption key from memory can then use the HC6 decryption tool, available for download here, to decrypt their files. HC6 is a previous version of this ransomware variant that appends .fucku to the names of encrypted files.
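As an added defender-side example (not part of the NJCCIC profile), this Python sweep walks a directory tree on an affected host or a mounted disk image and tallies the file-system indicators the profile lists: the .GOTYA, .DS335 and .PLANETARY extensions and the RECOVERY.txt/RECOVER.txt ransom notes. The sample files created in demo() are constructed, empty placeholders, not real victim data.

```python
import os
import shutil
import tempfile
from collections import Counter

# Indicators from the advisory: extensions appended to encrypted files (.GOTYA/.DS335,
# then .PLANETARY in the 1/9/2018 update) and the ransom note dropped in each hit folder.
HC7_EXTENSIONS = {".gotya", ".ds335", ".planetary"}
HC7_NOTE_NAMES = {"recovery.txt", "recover.txt"}

def classify(filename):
    """Return 'note', 'encrypted' or None for one file name (case-insensitive)."""
    name = os.path.basename(filename).lower()
    if name in HC7_NOTE_NAMES:
        return "note"
    if os.path.splitext(name)[1] in HC7_EXTENSIONS:
        return "encrypted"
    return None

def sweep(root):
    """Walk `root` (a live host or a mounted image) and tally HC7 indicators."""
    by_ext = Counter()
    notes, folders = [], set()
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            kind = classify(fname)
            if kind == "note":
                notes.append(os.path.join(dirpath, fname))
            elif kind == "encrypted":
                by_ext[os.path.splitext(fname)[1].lower()] += 1
                folders.add(dirpath)  # folder holds at least one encrypted file
    return {
        "encrypted_by_ext": dict(by_ext),
        "ransom_notes": sorted(notes),
        "affected_folders": sorted(folders),
        "infected": bool(by_ext or notes),
    }

def demo():
    """Build a constructed sample tree (empty files, not real data), sweep it, clean up."""
    base = tempfile.mkdtemp()
    try:
        for rel in ("docs/budget.xlsx.GOTYA", "docs/RECOVERY.txt", "pics/holiday.jpg.ds335",
                    "new/report.pdf.PLANETARY", "new/RECOVER.txt", "clean/readme.txt"):
            path = os.path.join(base, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            open(path, "w").close()
        return sweep(base)
    finally:
        shutil.rmtree(base)
```

A folder that holds renamed files but no ransom note (like pics/ in the sample) is still reported, since the note may not have been written yet when the host was isolated.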