A security researcher named Michael Gillespie discovered a new variant of GarrantyDecrypt that pretends to be the security team for Proton technologies. GarrantyDecrypt ransomware was first identified in October 2018 by Michael Gillespie.
What is the issue - Gillespie noted that the attackers behind the GarrantyDecrypt ransomware attempted a new tactic of pretending to be the security team for Proton technologies, which is the company behind ProtonMail and ProtonVPN.
“#Ransomware Hunt: no encrypted file submitted, but ransom note "SECURITY-ISSUE-INFO.txt" pretending to be security team from @ProtonMail lol. Note: (link: https://pastebin.com/ditRd4dr) pastebin.com/ditRd4dr,” Gillespie tweeted.
The ransom note pretending to be from Proton security team claims that the victim’s server has been attacked by an outsider and demands a service fee for decrypting the files.
The security researcher spotted a ransom note named ‘SECURITY-ISSUE-INFO.txt’ in which, the attackers stated that the server was attacked by an ‘outsider’ and Proton's SECURE-SERVER service encrypted the data in order to protect it during the attack.
The ransom note also states that Proton's SECURE-SERVER service charges a fee of $780 for decrypting the files. To add legitimacy to the ransom note, the attackers have also added the ‘PROTON SECURE-SERVER SYSTEMS (c) 2019’ copyright statement at the bottom of the ransom note.
The bottom line - If you have received any such email from Proton, then remember that it is not from Proton and you are a victim of the GarrantyDecrypt ransomware.
How to stay protected from ransomware attacks?