Both ransom note variants direct users to a Tor site that explains what happened to the victim’s files and lists an email address to contact for payment instructions. The current email address being used on the Tor site is [email protected].
If a victim pays the ransom, they will allegedly be sent their AES decryption key and the ‘Kupidon Virus Decryptor,’ shown below.
Using this decryptor, victims can potentially recover their files, but BleepingComputer has not confirmed this.
Unfortunately, we have not been able to find a sample of the Kupidon Ransomware, so there is no way to analyze it for weaknesses.
Eventually, a sample will be discovered, and if a weakness can be found, we will be sure to let everyone know.
Ransom note text:
All your files have been encrypted with Kupidon Virus.
Your unique id: xxxx
As a private person you can buy decryption for 300$ in Bitcoins.
But before you pay, you can make sure that we can really decrypt any of your files.
The encryption key and ID are unique to your computer, so you are guaranteed to be able to return your files.
To do this:
1) Download and install Tor Browser ( https://www.torproject.org/download/ )
2) Open the http://oc3g3q5tznpubyasjgliqyykhxdfaqge4vciegjaapjchwtgz4apt6qd.onion/ web page in the Tor Browser and follow the instructions.