Anyone run into megacode ransom? Like cryptolocker but not as well done


17 replies to this topic

#1 jwhitted24

  • Members
  • 8 posts
  • Gender:Male
  • Location:Portland, OR USA

Posted 16 March 2015 - 11:43 AM

Hi,

 

A customer that I am working with has been hit with this and it has encrypted their files.  It does not have the sophistication of cryptolocker and the like.  It seems to encrypt files and just leaves a text file stating to contact them at megacode@alphamail10.com.  Send the text file, which looks to have a key at the bottom, and a small file for a test.

 

Of course they don't have a good backup.  Anything they can do besides contacting them and paying?

 

Thanks!

 

James 




#2 Wakeupneo

  • Members
  • 2 posts

Posted 16 March 2015 - 12:31 PM

I also have run into this.  It's fairly new from what I can see on the web. 



#3 DrIT

  • Members
  • 2 posts

Posted 16 March 2015 - 12:39 PM

We experienced this today. We restored from a snapshot and moved forward.

 

Does anyone have more information on the impacts and/or origin of the program?



#4 mikewidel

  • Members
  • 6 posts

Posted 16 March 2015 - 02:11 PM

Just ran into this today with one of my clients. This is the nastiest Crypto-like virus I have seen to date. 



#5 Grinler (Lawrence Abrams)

  • Admin
  • 43,640 posts
  • Gender:Male
  • Location:USA

Posted 16 March 2015 - 02:50 PM

Can you submit a copy of the encrypted files and the text file ransom note to http://www.bleepingcomputer.com/submit-malware.php?channel=3

Thanks

#6 Grinler (Lawrence Abrams)

  • Admin
  • 43,640 posts
  • Gender:Male
  • Location:USA

Posted 16 March 2015 - 02:53 PM

Also, if you have a copy of an original doc and its encrypted version, please upload them both.

Thanks
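Why an analyst asks for an original/encrypted pair: with a known plaintext you can measure what the encryptor added (header, padding) and test for weak constructions such as a repeating-key XOR, which leaks its key length as the period of plaintext XOR ciphertext. The script below is an added example for this thread, not code from the post or from the malware, and it makes no claim about how this particular ransomware encrypts. The sample "document", the 7-byte repeating key `toy-key`, the SHA-256-derived keystream and the 16-byte `DEMO-HEADER-0000` prefix are all constructed for the demonstration.

```python
import hashlib
import math
from collections import Counter
from typing import Optional


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; near 8.0 for real ciphertext, noticeably lower for weak schemes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings, truncating to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


def smallest_period(stream: bytes, max_period: int = 64) -> Optional[int]:
    """Smallest p with stream[i] == stream[i+p] for every i, or None.

    A repeating-key XOR encryptor leaks its key length here; a proper
    stream or block cipher shows no period at all.
    """
    for p in range(1, min(max_period, len(stream) // 2) + 1):
        if all(stream[i] == stream[i + p] for i in range(len(stream) - p)):
            return p
    return None


def compare_pair(plain: bytes, enc: bytes) -> dict:
    """Triage an original/encrypted pair.

    Alignment at offset 0 is assumed. A non-zero size_delta means a header
    or padding was added, so repeat the XOR at other offsets before drawing
    conclusions from xor_period.
    """
    common = min(len(plain), len(enc))
    keystream = xor_bytes(plain[:common], enc[:common])
    return {
        "size_delta": len(enc) - len(plain),
        "enc_entropy": round(shannon_entropy(enc), 2),
        "xor_period": smallest_period(keystream),
    }


def constructed_samples() -> dict:
    """Constructed test data: one 'document' encrypted two toy ways (not the malware)."""
    plain = b"Quarterly report, Q4 2014. Revenue figures attached. " * 20
    weak_key = b"toy-key"  # 7-byte repeating XOR key, chosen for the demo
    weak_enc = bytes(p ^ weak_key[i % len(weak_key)] for i, p in enumerate(plain))
    # Deterministic pseudo-random keystream standing in for a real stream cipher.
    stream = b"".join(
        hashlib.sha256(b"demo-seed" + i.to_bytes(4, "big")).digest()
        for i in range(len(plain) // 32 + 1)
    )
    strong_enc = b"DEMO-HEADER-0000" + xor_bytes(plain, stream[: len(plain)])
    return {"plain": plain, "weak": weak_enc, "strong": strong_enc}


if __name__ == "__main__":
    s = constructed_samples()
    print("weak  :", compare_pair(s["plain"], s["weak"]))
    print("strong:", compare_pair(s["plain"], s["strong"]))
```

The weak pair reports `xor_period` 7 (the toy key length) and no size change; the strong pair reports a 16-byte overhead, entropy near 8 and no period. A real sample can only be judged once several pairs from the same machine agree.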

#7 aallen90

  • Members
  • 2 posts

Posted 17 March 2015 - 11:01 AM

My company paid the ransom and got a decryptor. I have uploaded the decryptor, and the key (with note) that they needed to personalize the decryptor executable.



#8 jwhitted24

  • Topic Starter
  • Members
  • 8 posts
  • Gender:Male
  • Location:Portland, OR USA

Posted 18 March 2015 - 09:26 AM

Posting the files that I have of theirs.

 

The company is looking at paying the ransom it sounds like.



#9 Grinler (Lawrence Abrams)

  • Admin
  • 43,640 posts
  • Gender:Male
  • Location:USA

Posted 18 March 2015 - 09:37 AM

Any idea how your computers/clients were infected? SPAM?

#10 aallen90

  • Members
  • 2 posts

Posted 18 March 2015 - 10:08 AM

Any idea how your computers/clients were infected? SPAM?

I'm not sure. I think that it has been dormant for a long time. I recall seeing a bunch of "HOW TO DECRYPT FILES.txt" files around the server last summer, but assumed it was leftover from a previous cryptolocker infection. It's likely that a user was infected, and had access to shared drives, so it covered most of the Terminal server and file servers. MSE was installed, but said everything is ok. MB also came up empty.
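Scoping an infection from the notes it leaves behind: the modification times of the "HOW TO DECRYPT FILES.txt" files scattered over the shares, taken together, date the first run and show which folders the infected account could write to, and a byte-entropy check over the remaining files gives a first list of probably-encrypted data to compare against backups. The sweep below is an added example, not code from the post; the directory tree, file names and timestamps are constructed, and the entropy test is a generic heuristic that will also flag archives, images and other compressed data, so its output is a starting point for review rather than a verdict.

```python
import hashlib
import math
import os
import tempfile
from collections import Counter
from datetime import datetime, timezone

# Ransom note file name reported in the thread; matched case-insensitively.
NOTE_NAMES = {"how to decrypt files.txt"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: plain documents sit well below 7, ciphertext near 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def sweep(root: str, min_size: int = 64, threshold: float = 7.2) -> dict:
    """Walk a share; collect ransom notes with their mtimes and high-entropy files.

    Heuristic only: zip, jpeg, pdf and similar compressed formats also score
    high, so the suspect list needs a second look before it drives restores.
    """
    notes, suspects = [], []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.stat(path)
                if name.lower() in NOTE_NAMES:
                    notes.append((st.st_mtime, path))
                    continue
                if st.st_size < min_size:
                    continue  # too short for a meaningful entropy estimate
                with open(path, "rb") as fh:
                    head = fh.read(4096)  # the first 4 KiB is enough to classify
            except OSError:
                continue  # unreadable or vanished mid-scan; keep going
            if shannon_entropy(head) >= threshold:
                suspects.append(path)
    notes.sort()

    def to_iso(ts: float) -> str:
        return datetime.fromtimestamp(ts, timezone.utc).isoformat()

    return {
        "note_count": len(notes),
        "earliest_note": to_iso(notes[0][0]) if notes else None,
        "latest_note": to_iso(notes[-1][0]) if notes else None,
        "note_dirs": sorted({os.path.relpath(os.path.dirname(p), root) for _, p in notes}),
        "suspects": sorted(os.path.relpath(p, root) for p in suspects),
    }


def build_constructed_share() -> str:
    """Create a throwaway tree imitating a hit file share (constructed data only)."""
    root = tempfile.mkdtemp(prefix="ransom-sweep-demo-")
    # Deterministic pseudo-random bytes standing in for an encrypted spreadsheet.
    blob = b"".join(hashlib.sha256(b"demo" + i.to_bytes(2, "big")).digest() for i in range(64))
    layout = {
        "Finance/HOW TO DECRYPT FILES.txt": (b"constructed ransom note", 1405382400),  # 2014-07-15
        "Finance/budget.xlsx": (blob, 1405382400),
        "HR/HOW TO DECRYPT FILES.txt": (b"constructed ransom note", 1426500000),  # 2015-03-16
        "HR/handbook.txt": (b"Welcome to the company. " * 100, 1400000000),
        "HR/tiny.ini": (b"[x]\n", 1400000000),  # below min_size, skipped
    }
    for rel, (content, ts) in layout.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)
        os.utime(path, (ts, ts))
    return root


if __name__ == "__main__":
    share = build_constructed_share()
    for key, value in sweep(share).items():
        print(f"{key:14} {value}")
```

On the constructed tree the earliest note dates to July 2014 and the latest to March 2015, which is the kind of gap the post describes; on a real share the same two timestamps bracket how long the backup rotation has been overwriting good copies with encrypted ones.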



#11 Wakeupneo

  • Members
  • 2 posts

Posted 18 March 2015 - 11:06 AM

We also paid the ransom, but it doesn't look like it actually will decrypt ALL of the files, but a good majority of them.  I believe this virus can lay dormant before attacking.  It's very nasty and spreads incredibly fast.  If you are infected, turn off your backup so your good copies of your files are not overwritten.  Between our backups onsite and off, we were able to get most of the data back.  It will encrypt the OS and programs if left alone long enough, so it can actually render some computers useless. 



#12 Grinler (Lawrence Abrams)

  • Admin
  • 43,640 posts
  • Gender:Male
  • Location:USA

Posted 18 March 2015 - 11:25 AM

Did anyone who has this find the installer or the associated malware?

#13 jwhitted24

  • Topic Starter
  • Members
  • 8 posts
  • Gender:Male
  • Location:Portland, OR USA

Posted 18 March 2015 - 12:21 PM

Just called the company that I am working with that has this infection.

 

They don't know where it came from.  Really low end users.

 

The one contact that I have to remote into the system is not in today so can't dig around on the computer to find files.  If we find anything I will be sure to post it.



#14 Grinler (Lawrence Abrams)

  • Admin
  • 43,640 posts
  • Gender:Male
  • Location:USA

Posted 18 March 2015 - 06:06 PM

Btw, for whoever sent in the samples, do you have any doc files or pictures instead of a txt file?

Thanks

#15 jwhitted24

  • Topic Starter
  • Members
  • 8 posts
  • Gender:Male
  • Location:Portland, OR USA

Posted 19 March 2015 - 12:09 AM

I'll see what else I can get from them.  I'll talk to them Thursday around 10am Pacific and see if I can pull down a few more files.





