All files will be encrypted with AES-256, and the extension ".lock" added. The ransom note "MENSAGEM.txt" will be saved to the desktop, with the following contents.
TODOS OS SEUS ARQUIVOS FORAM BLOQUEADOS ! PARA DESBLOQUEAR SUAS INFORMAÇÕES, ACESSE O LINK: http://is.gd/comunicado1 ou http://is.gd/comunicado2 ou http://is.gd/comunicado3
Translated by Google Translate:
ALL YOUR FILES WERE LOCKED! TO UNLOCK YOUR INFORMATION, VISIT THE LINK: http://is.gd/comunicado1 or http://is.gd/comunicado2 or http://is.gd/comunicado3
The links simply go to Pastebin pages with instructions for purchasing Bitcoin and contacting the author. At this time, the Bitcoin wallet thankfully shows no transactions by victims.
The victim's background will be changed to the following image on Imgurl.
The following file types are targeted.
.asp, .aspx, .csv, .doc, .docx, .html, .jpg, .mdb, .odt, .php, .png, .ppt, .pptx, .psd, .sln, .sql, .txt, .xls, .xlsx, .xml
At this time, it is possible to decrypt files by this ransomware. It may be possible the key is still left on the system in "C:\Users\Username\win.txt" or "text.txt" if found in the same directory as the malicious executable.
Otherwise, if you have been affected by this ransomware, you may try my HiddenTear Bruteforcer to obtain your key, and the HiddenTear Decrypter to then decrypt files. Feel free to post here for assistance if needed with running these tools.
Edited by Grinler, 28 July 2016 - 10:00 AM.
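For responders checking a user profile for the indicators named in the post above, the following triage script is an added example, not part of the original post or the author's tools. It assumes ".lock" is appended to the original file name (so "a.docx.lock" was "a.docx"); the function names and the sample tree are hypothetical and constructed.

```python
import os
import tempfile

# Indicators taken from the post above.
LOCK_EXT = ".lock"
NOTE_NAME = "mensagem.txt"
KEY_NAMES = {"win.txt", "text.txt"}
TARGETED = {".asp", ".aspx", ".csv", ".doc", ".docx", ".html", ".jpg", ".mdb",
            ".odt", ".php", ".png", ".ppt", ".pptx", ".psd", ".sln", ".sql",
            ".txt", ".xls", ".xlsx", ".xml"}


def triage(root):
    """Walk root and sort findings into encrypted files, notes and key candidates."""
    report = {"encrypted": [], "other_lock": [], "notes": [], "key_candidates": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            lower = name.lower()
            if lower == NOTE_NAME:
                report["notes"].append(path)
            elif lower in KEY_NAMES:
                report["key_candidates"].append(path)
            elif lower.endswith(LOCK_EXT):
                # Assumption: ".lock" is appended, so "a.docx.lock" was "a.docx".
                inner_ext = os.path.splitext(lower[: -len(LOCK_EXT)])[1]
                # Legitimate files such as "yarn.lock" have no targeted inner extension.
                bucket = "encrypted" if inner_ext in TARGETED else "other_lock"
                report[bucket].append(path)
    for items in report.values():
        items.sort()
    return report


def build_sample_tree(root):
    """Constructed sample profile (not real victim data) used for a self-check."""
    for rel in ("Desktop/MENSAGEM.txt", "win.txt", "Documents/budget.xlsx.lock",
                "Documents/photo.jpg.lock", "Documents/notes.md", "repo/yarn.lock"):
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(b"constructed sample")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for kind, paths in triage(tmp).items():
            print(kind, [os.path.relpath(p, tmp) for p in paths])
```

Copy anything listed under `key_candidates` to separate storage before removing the malware or cleaning the profile, since the post notes the key may still be in those files.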