New OPIX Ransomware Encrypting Files With Random Character String

A recently identified ransomware variant dubbed OPIX encrypts user files using a random character string and adds the “.OPIX” extension to them. 

The ransomware will drop a notice on victims’ screens telling them to get in touch with the attackers via the specified email address or Telegram handle within 48 hours, failing which their stolen data would be sold to competitors and made public on the dark web.

EHA

The OPIX ransomware variant is commonly disseminated using social engineering techniques including drive-by downloads and phishing emails. 

This software is typically presented as or combined with legitimate/normal content.

Files that are malicious may be executables (.exe,.run, etc.), documents (Microsoft Office, Microsoft OneNote, PDF, etc.), archives (RAR, ZIP, etc.), JavaScript, and more.

Scan Your Business Email Inbox to Find Advanced Email Threats - Try AI-Powered Free Threat Scan

Working Of The New OPIX Ransomware 

According to Symantec, the malware now encrypts user files with a random character string and appends the “.OPIX” extension.

One such file that is transformed from “test.txt” to “B532D3Q9.OPIX” is one example. 

Victims will get a ransom note, commonly named “#OPIX-Help.txt”, telling them to contact the attackers via the specified email or Telegram handle within 48 hours, or their stolen data would be sold to competitors and broadcast on the dark web.

Sample Screenshot of OPIX ransomware’s text file (“#OPIX-Help.txt”)

In this case, decryption is typically unfeasible in the absence of attacker intervention. Despite this, cybercriminals frequently fail to deliver the claimed decryption key or software, paying the ransom does not ensure that the files will be recovered. 

Never forget that giving money for criminal activity is what keeps them doing what they do.

To protect your files, it is therefore strongly advised that you maintain backups in several different places (such as remote servers, unplugged storage devices, etc.).

When receiving emails or messages, proceed with caution. Links or attachments included in questionable or irrelevant emails should not be clicked because they may be dangerous.

Indications Of The Threat

The following are the indicators that Symantec has detected and removed this threat.

Adaptive-Based: 

ACM.Untrst-FlPst!g1
ACM.Untrst-RunSys!g1

Behavior-Based

SONAR.SuspBeh!gen16
SONAR.SuspLaunch!g18 
SONAR.SuspLaunch!g250 
SONAR.SuspLaunch!g340 
SONAR.SuspLaunch!gen4 

File-Based:

Trojan Horse
Trojan.Gen.MBT
WS.Malware.1

Machine Learning-Based:

Heur.AdvML.A!300
Heur.AdvML.B
Heur.AdvML.B!100
Heur.AdvML.B!200

Carbon Black-Based:

Existing policies in VMware Carbon Black products detect and block associated harmful signs. 

To maximize the benefits of VMware Carbon Black Cloud reputation service, it is recommended to stop all known, suspect, and PUP malware from running and to delay the execution of cloud scans.

Free Webinar! 3 Security Trends to Maximize MSP Growth -> Register For Free

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.