Kupidon is the latest ransomware targeting your data

June 6, 2020


The latest ransomware that everyone needs to watch out for is called Kupidon, and it targets not only corporate networks, but also home user's personal data.

First spotted by MalwareHunterTeam on May 9th after being uploaded to ID-Ransomware, it quickly increased distribution, and victims started streaming into the ransomware identification site.

Submissions stats on ID-Ransomware for Kupidon
Submissions stats on ID-Ransomware for Kupidon

A sample of the ransomware has not been discovered at this time, but based on conversations with victims and uploaded files, we can provide general information.

This ransomware is targeting both personal users and businesses, most likely through exposed remote desktop servers.

Once the threat actors gain access, they manually encrypt the files on the victim's computers. When encrypting data, it will append the .kupidon extension to the file's name.

For example, as shown below, a file named 'JM tag.jpg' will be encrypted and renamed to 'JM tag.jpg.kupidon.'

In each folder that a file is encrypted, the ransomware will also create a ransom note named '!KUPIDON_DECRYPT.TXT.' 

Depending on whether the victim is a business or an individual, the ransom notes dropped will be slightly different and contain different ransom demands.

For example, below is a ransom note for a corporate victim, and it has a ransom demand of $1,200 in bitcoins and identifies the victim as a "commercial person."

Commercial Kupidon ransom note
Commercial Kupidon ransom note

A home user, though, will have a ransom amount of $300 and indicate in the ransom note that the victim is a "private person."

Kupidon ransom note
Kupidon ransom note

While these ransom amounts are not as high as other ransomware families, they can still be too much for many people to pay.

Both ransom note variants will direct users to a TOR site that contains information about what happened to a victim's files and an email address to contact for payment instructions. The current email address being used on the TOR site is ann4.orlova.892@yandex.ru.

Kupidon tor site
Kupidon TOR site

If a victim pays the ransom, they will allegedly be sent their AES decryption key and the  'Kupidon Virus Decryptor,' shown below.

Kupidon decryptor
Kupidon decryptor

Using this decryptor, victims can potentially recover their files, but BleepingComputer has not confirmed this.

Unfortunately, we have not been able to find a sample of the Kupidon Ransomware, so there is no way to analyze it for weaknesses.

Eventually,  a sample will be discovered, and if a weakness can be found, we will be sure to let everyone know.


Associated files:


Ransom note text:

All your files have been encrypted with Kupidon Virus.
Your unique id: xxxx As a private person you can buy decryption for 300$ in Bitcoins.
But before you pay, you can make sure that we can really decrypt any of your files.
The encryption key and ID are unique to your computer, so you are guaranteed to be able to return your files. To do this:
1) Download and install Tor Browser ( https://www.torproject.org/download/ )
2) Open the http://oc3g3q5tznpubyasjgliqyykhxdfaqge4vciegjaapjchwtgz4apt6qd.onion/ web page in the Tor Browser and follow the instructions.

Associated emails:


Read the original article and additional information at Cyware Social