VERY IMPORTANT

In January, Trend Micro encountered a new ransomware using .hello as its extension in one of the cases that possibly arrived via a SharePoint server vulnerability. This appeared to be a new ransomware family dubbed as the Hello ransomware (aka WickrMe), named after the chat application that was used to contact the cybercriminals responsible. Previous variants were observed using .hemming and .strike extensions and did not include the cybercriminals’ WickrMe user handles. In contrast, newer versions of the ransom notes with .hello extensions now have the WickrMe contact information.