
New Ransomware .qPUvslnc Targets Proton and Shinra

Originally published on: April 5, 2026
Summary

– The sender claims to have encrypted the victim’s files using military-grade encryption and holds the only private key for decryption.
– They offer proof of capability by decrypting a few small, non-critical files sent by the victim within an hour.
– A time-sensitive discount of up to 50% is offered if contacted within 48 hours, with a threat to leak data samples after 72 hours.
– The message warns against using data recovery services or third-party tools, claiming this risks permanent data corruption.
– Payment is promised to result in full file decryption and the deletion of the victim’s exfiltrated data from the sender’s servers.

A new and particularly insidious strain of ransomware, identified as .qPUvslnc, is actively targeting users of Proton and Shinra services. This malware employs a sophisticated social engineering approach, presenting its demands in a deceptively professional and almost helpful tone to pressure victims into paying. The attack begins with a message informing the administrator that network vulnerabilities have been exploited, resulting in files being locked with military-grade encryption.

The ransom note outlines a series of services the attackers purportedly provide. These include a customized decryption tool, a proof-of-concept decryption of small files, and a detailed report on the security flaws they exploited. To further incentivize payment, the criminals promise the complete deletion of exfiltrated data from their servers, claiming to value privacy. Each victim is assigned a unique identifier, which must be included in all communications to the attackers’ provided Gmail addresses.

A critical element of their pressure strategy is a time-sensitive discount. Victims who initiate contact within 48 hours are offered a reduction of up to fifty percent. The threat escalates after 72 hours, with the group warning they may begin a gradual data leak to demonstrate their seriousness, though they claim to prefer a cooperative resolution. The note is laced with warnings against attempting independent recovery, stating that such efforts risk permanent data corruption. It also discourages contacting third-party recovery firms, asserting that these companies ultimately cannot decrypt the files and will only negotiate with the attackers on the victim’s behalf, thereby increasing delays and costs.

The message concludes by reiterating that payment guarantees full decryption and an end to the incident, framing the entire extortion as a business transaction to be resolved efficiently. This polished and manipulative communication style is a hallmark of advanced ransomware operations seeking to maximize their payout rate by appearing reasonable while simultaneously applying significant psychological and operational pressure.

(Source: BleepingComputer)
