{
	"id": "0348d8c3-3e1a-46ba-953d-016a7171dfab",
	"created_at": "2026-04-06T01:29:13.654152Z",
	"updated_at": "2026-04-10T13:11:47.197724Z",
	"deleted_at": null,
	"sha1_hash": "b345172992d1af53e23680a15119778489ecde3f",
	"title": "Vipasana ransomware new ransom on the block",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 170976,
	"plain_text": "Vipasana ransomware new ransom on the block\r\nArchived: 2026-04-06 00:22:24 UTC\r\nYet another ransomware is going around (since at least the 20th of December), which I've dubbed Vipasana\r\nransomware due to where you need to send your encrypted files to:\r\nMessage in Russian, you need to mail vipasana4@aol.com to get your files back\r\nThe name may be derived from Vipassanā or 'insight meditation'.\r\nThe message in Russian reads:\r\nтвои файлы зашифрованы, если хочешь\r\nвсе вернуть, отправь 1 зашифрованный файл на эту почту:\r\nvipasana4@aol.com\r\nВНИМАНИЕ!!! у вас есть 1 неделя что-бы написать мне на почту, по прошествии\r\nэтого срока расшифровка станет не возможна!!!!\r\nTranslated:\r\nYour files are encrypted, if you want them all returned,\r\nsend 1 encrypted file to this email:\r\nvipasana4@aol.com\r\nhttps://bartblaze.blogspot.com/2016/02/vipasana-ransomware-new-ransom-on-block.html\r\nPage 1 of 3\n\nATTENTION!!! you have 1 week to send the email, after\r\nthis deadline decryption will not be possible !!!!\r\nIt seems these ransomware authors first want you to send an email before requiring any other action, rather than\r\nimmediately (or in a certain timeframe) paying Bitcoins to get your files back. In this sense, their technique is\r\nnovel. 
Instead of the usual 24/48/72h to pay up, they give you a week.\r\nDo not be fooled: this does not make them 'good guys' in any way, they encrypted your files and as such are\r\ncriminals.\r\nSearch results for vipasana4@aol.com are non-existent, with the exception of one victim hit by this ransomware:\r\nEmail addresses used in this specific ransomware campaign:\r\njohnmen.24@aol.com\r\nvipasana4@aol.com\r\nFiles will be encrypted and renamed following the naming convention below:\r\nemail-vipasana4@aol.com.ver-CL 1.2.0.0.id-[ID]-[DATE-TIME].randomname-[RANDOM].[XYZ].CBF\r\nWhere [XYZ] is also a random 'extension'; the real extension is .cbf\r\nver-CL 1.2.0.0 may refer to the version number of the ransomware, indicating there are older versions as well.\r\nTargeted file extensions:\r\n.r3d, .rwl, .rx2, .p12, .sbs, .sldasm, .wps, .sldprt, .odc, .odb, .old, .nbd, .nx1, .nrw, .orf, .ppt, .mov, .mpeg,\r\n.csv, .mdb, .cer, .arj, .ods, .mkv, .avi, .odt, .pdf, .docx, .gzip, .m2v, .cpt, .raw, .cdr, .cdx, .1cd, .3gp, .7z,\r\n.rar, .db3, .zip, .xlsx, .xls, .rtf, .doc, .jpeg, .jpg, .psd, .zip, .ert, .bak, .xml, .cf, .mdf, .fil, .spr, .accdb, .abf,\r\n.a3d, .asm, .fbx, .fbw, .fbk, .fdb, .fbf, .max, .m3d, .dbf, .ldf, .keystore, .iv2i, .gbk, .gho, .sn1, .sna, .spf,\r\n.sr2, .srf, .srw, .tis, .tbl, .x3f, .ods, .pef, .pptm, .txt, .pst, .ptx, .pz3, .mp3, .odp, .qic, .wps\r\nI have sent over all necessary files to the good people over at Bleeping Computer, as there may be a way to\r\nrecover files. If so, I will update this post.\r\nUpdate - 12/02: thanks to a tweet from Catalin this appears to be another version of so-called \"offline\"\r\nransomware, discovered by Check Point:\r\n“Offline” Ransomware Encrypts Your Data without C\u0026C Communication\r\nNote this is in fact a Cryakl variant.\r\nUnfortunately, there doesn't appear to be a way to recover your files once encrypted. 
Your best bet in trying to\r\nrecover files is using a tool like Shadow Explorer, which will check if you can restore files using 'shadow copies'\r\nor 'shadow volume copies'.\r\nIf that doesn't work, you may try using a data recovery program such as PhotoRec or Recuva.\r\nConclusion\r\nRansomware is, unfortunately, far from gone. Almost every week or month, new variants or totally new strains of\r\nransomware are popping up. As such, the first and foremost rule is:\r\nCreate (regular) backups!\r\nFor more prevention advice, see here.\r\nYou may also find a list of Indicators of Compromise (IOCs; hashes, domains, ...) over at AlienVault:\r\nVipasana ransomware\r\nSource: https://bartblaze.blogspot.com/2016/02/vipasana-ransomware-new-ransom-on-block.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://bartblaze.blogspot.com/2016/02/vipasana-ransomware-new-ransom-on-block.html"
	],
	"report_names": [
		"vipasana-ransomware-new-ransom-on-block.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775438953,
	"ts_updated_at": 1775826707,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b345172992d1af53e23680a15119778489ecde3f.pdf",
		"text": "https://archive.orkl.eu/b345172992d1af53e23680a15119778489ecde3f.txt",
		"img": "https://archive.orkl.eu/b345172992d1af53e23680a15119778489ecde3f.jpg"
	}
}