Secles Ransomware: Removal Guide

Secles ransomware is malicious software designed to encrypt files on a victim’s system and demand ransom payments in exchange for decryption. It was discovered by cybersecurity researchers during routine inspections of new submissions to platforms like VirusTotal.

Secles ransomware; Extension: .secles (also appends filenames with victim's unique ID and developers' telegram contacts); Ransom notes: ReadMe.txthttps://t.co/Bh8i4VEIrk@LawrenceAbrams @demonslay335 @struppigel @JakubKroustek

— PCrisk (@pcrisk) January 29, 2024

Secles ransomware requires victims to communicate with the attackers via a specified Telegram bot or through a Tor website. Alternative communication methods are provided in case the primary contact information becomes inaccessible. Victims are typically required to pay a ransom to receive the decryption key.   

In this article, we explore everything known about the new strain.

WARNING: DO NOT PAY THE RANSOM! Getting the decryption key usually requires the direct involvement of cybercriminals and file recovery is not guaranteed even after paying the ransom.

Everything we know about Secles ransomware

Confirmed Name

• Secles Ransomware

Secles ransomware decryptor

•  No known decryptor is available. Contact ransomware removal experts to restore your machine access and recover encrypted files.

Threat Type

• Ransomware
• Crypto virus
• Files locker
• Data leak

Detection names

• Avast Win64:Malware-gen
• Emsisoft Trojan.GenericKD.71358850 (B)
• Kaspersky HEUR:Trojan-Ransom.Win32.Generic
• Malwarebytes Generic.Malware/Suspicious
• Microsoft Ransom:Win32/Filecoder.AC!MTB

Distribution methods

• Infected email attachments (macros)
• Malicious websites
• Malvertising
• Fake updates

Secles Ransomware methods of infection

Secles Ransomware uses deceptive distribution methods such as infected email attachments, malicious websites, malvertising, and fake updates to infect victims’ systems. Upon execution, it encrypts files and leaves a ransom note demanding payment for decryption.

Infected email attachments (Macros)

Macros are normally helpful shortcuts in programs like Microsoft Word or Excel, but hackers can sneak malicious code into them.

These emails often try to trick you into opening the attachment, unleashing the macro virus. Once activated, it can wreak havoc on your computer, steal data, or even spread to other machines.

Malicious websites

Malicious websites can be very convincing, as they often look like regular websites, but their goal is to harm your device or steal your information.

There are two main types:

• Phishing sites look like real websites you trust, such as your bank or social media. By mimicking the real site, they try to steal your logins, credit card details, and other sensitive information.
• Malware sites: These websites infect your device with malware to steal your information, damage your files, or even take control of your device.

Malvertising

Malvertising involves using online advertising to spread malware. Hackers sneak malicious code into seemingly normal ads that can appear on legitimate websites you trust.

Clicking or even just viewing the ad can infect your device with malware.

Fake updates

Fake updates pretend to be legitimate software updates but are actually traps set by hackers.

These fake updates can appear in a few ways:

• Pop-up windows: These windows suddenly appear on your screen, urging you to update your software immediately.
• Fake websites: You might land on a website that mimics a real software update page.
• Phishing emails: Emails that claim to be from a software company and tell you to update urgently.

Secles ransomware execution

Upon execution, Secles initiates the encryption process, targeting a wide range of file types on the victim’s system. These files are encrypted using cryptographic algorithms, rendering them inaccessible without the decryption key.

The ransomware appends a unique ID, the cybercriminals’ Telegram username, and the ‘.secles’ extension to the filenames of encrypted files. For example, a file named “1.jpg” would be transformed into “1.jpg.id[DYz8jzMo].[t.me_secles1bot].secles.”

Once the encryption process is complete, Secles generates and drops a ransom note named “ReadMe.txt” on the victim’s system. This note contains instructions for contacting the attackers to initiate the decryption process.

Secles ransomware Indicators of Compromise (IOCs)

Indicators of Compromise (IOCs) are artifacts observed on a network or in an operating system that indicate a computer intrusion with high confidence. IOCs can be used to detect future attack attempts early using intrusion detection systems and antivirus software.

They are essentially digital versions of evidence left at a crime scene, and potential IOCs include unusual network traffic, privileged user logins from foreign countries, strange DNS requests, system file changes, and more. When an IOC is detected, security teams evaluate possible threats or validate its authenticity. IOCs also provide evidence of what an attacker had access to if they did infiltrate the network.

Secles ransomware-specific IOCs

Secles ransomware IOCs include the encryption .secles file extension and the ReadMe.txt ransom note.

Encrypted files are also appended with a unique ID and the cybercriminals’ Telegram username.

Secles ransom note

The ransom note instructs victims to install Telegram messenger and communicate with the attackers via the specified bot username. It also warns against deleting files, playing with encrypted files, involving middlemen, seeking help from law enforcement, and explains the file encryption process. 

It’s crucial that victims do not respond to attackers’ demands. After a ransomware attack, contact law enforcement and a ransomware removal service immediately.

Here’s the content of the Secles ransom note:

How to handle a Secles ransomware attack

The first step to recovering from a Secles ransomware attack is to contact professionals. It’s best to leave every infected machine the way it is and ask for an emergency ransomware removal service. These professionals are equipped to quickly mitigate the damage, gather evidence, potentially reverse the encryption, and restore the system.

Restarting or shutting down the system may compromise the recovery service. Capturing the RAM of a live system may help get the encryption key, and catching a dropper file, i.e. file executing the malicious payload, might be reverse-engineered and lead to decryption of the data or understanding how it operates.

You must not delete the ransomware and keep all evidence of the attack. Digital forensics experts must trace back to the hacker group and identify them. Authorities can investigate the attack by using data from your infected system. A cyber attack investigation is not different from any other criminal investigation: it needs evidence to find the attackers.

Then, you must contact local authorities. In the case of US residents and businesses, they are the FBI and the Internet Crime Complaint Centre (IC3).

To report a malware attack, you must gather every information you can about it, including:

• Screenshots of the ransom note
• Communications with threat actors (if you have them)
• A sample of an encrypted file

1. Contact your Incident Response provider

A Cyber Incident Response is the process of responding to and managing a cybersecurity incident. An Incident Response Retainer is a service agreement with a cybersecurity provider that allows organizations to get external help with cybersecurity incidents. It provides organizations with structured expertise and support through a security partner, enabling them to respond quickly and effectively during a cyber incident.

An incident response retainer offers peace of mind to organizations, offering expert support before and in the aftermath of a cybersecurity incident. An incident response retainer’s specific nature and structure will vary according to the provider and the organization’s requirements. A good incident response retainer should be robust but flexible, providing proven services to enhance an organization’s long-term security posture.

If you contact your IR service provider, they can take over immediately and guide you through every step of the ransomware recovery process. 

2. Use a backup to restore the data

The importance of backup for data recovery cannot be overstated, especially in the context of various potential risks and threats to data integrity.

Backups are a critical component of a comprehensive data protection strategy. They provide a means to recover from various threats, ensuring the continuity of operations and preserving valuable information. In the face of ransomware attacks, where malicious software encrypts your data and demands payment for its release, having a backup allows you to restore your information without succumbing to the attacker’s demands.

Make sure to regularly test and update your backup procedures to enhance their effectiveness in safeguarding against potential data loss scenarios. There are several ways to make a backup, so you must choose the right backup medium and have at least one copy of your data stored offsite and offline.

3. Contact a malware recovery service

Contact a data recovery service if you don’t have a backup or need help removing the malware and eliminating vulnerabilities. Paying the ransom does not guarantee your data will be returned to you. The only guaranteed way to restore every file is if you have a backup. If you don’t, ransomware data recovery services can help you decrypt and recover the files.

SalvageData experts can safely restore your files and prevent Secles ransomware from attacking your network again. Contact our recovery experts 24/7.

Prevent the Secles ransomware attack

Preventing malware is the best solution for data security. It is easier and cheaper than recovering from it. Secles ransomware can cost your business its future and even close its doors.

These are a few tips to ensure you can avoid malware attacks:

• Keep your operating system and software up-to-date with the latest security patches and updates. This can help prevent vulnerabilities that can be exploited by attackers.
• Use strong and unique passwords for all accounts and enable two-factor authentication whenever possible. This can help prevent attackers from gaining access to your accounts.
• Be cautious of suspicious emails, links, and attachments. Do not open emails or click on links or attachments from unknown or suspicious sources.
• Use reputable antivirus and anti-malware software and keep it up-to-date. This can help detect and remove malware before it can cause damage.
• Use a firewall to block unauthorized access to your network and systems.
• Network segmentation to divide a larger network into smaller sub-networks with limited interconnectivity between them. It restricts attacker lateral movement and prevents unauthorized users from accessing the organization’s intellectual property and data.
• Limit user privileges to prevent attackers from accessing sensitive data and systems.
• Educate employees and staff on recognizing and avoiding phishing emails and other social engineering attacks.