Shifr is written in the Go programming language, targets Windows OS and is offered through a Ransomware-as-a-Service (RaaS) portal on the dark web. Shifr is a prime example of how RaaS is lowering the barrier to entry for unsophisticated attackers as it only requires the user to enter a Bitcoin wallet address and the requested ransom amount, and then complete a CAPTCHA to receive the ransomware executable. The owner of the portal does not charge to use the service but reportedly takes a 10 percent cut of any ransom paid, allowing the distributor to collect 90 percent from victims. Once executed, Shifr targets specific file types, appends .shifr to the names of encrypted files, and drops a ransom note named HOW_TO_DECRYPT_FILES.html.

2/20/2018: A new variant appends .cypher to the names of encrypted files and creates a ransom note named How_To_Decrypt_Files.html.

  • Bleeping Computer provides more information about Shifr here.
  • The NJCCIC is not currently aware of any free decryption tools available for Shifr.


Image Source: Bleeping Computer