A new ransomware based on HiddenTear was found that encrypts files with AES-256 and appends ".8lock8" to encrypted files, e.g. "file.jpg.8lock8".
Thanks to @DanielGallagher for acquiring a sample for analysis.
The file "READ_IT.txt" is added to the desktop and to the root of every drive that was hit. All drive letters are traversed for files to encrypt. The note reads:
Files have been encrypted!
Файлы были зашифрованы
It uses cryptographically strong algorithm!
Используется криптостойкий алгоритм
contact by e-mail: email@example.com or firstname.lastname@example.org
to identify , use lower hash!
для идентификации используйте нижний хэш
[random hash]
Targeted file types are as follows:
.asp, .aspx, .avi, .bmp, .csv, .doc, .docx, .htm, .html, .jpg, .mdb, .odt, .pdf, .php, .png, .ppt, .pptx, .rar, .sln, .sql, .txt, .wav, .xls, .xlsx, .xml, .zip
Analysis is still under way; more details will be released at a later time.
This ransomware is decryptable.
To decrypt, you must first acquire the key using my HiddenTear Bruteforcer. This requires an encrypted PNG file (*.png.8lock8); the smaller the file, the better. Load the encrypted PNG file, and select "EightLockEight" mode at the bottom. Then, press "Start Bruteforce".
Once a key is found, click on the "Click here to check file for success" message to preview the decrypted file. If the file looks OK, then you have the correct key!
Once you have the key, copy the key and paste it into my HiddenTear Decrypter, and type the extension of the files (".8lock8"). Select a folder to decrypt, and click "Decrypt My Files".
Also note: if the hash (the last line of random letters) in your ransom note ends with "AH33", you can skip the bruteforcer and use the password "Whendiplomacyends,Warbegins.1933". This happens when the malware failed to reach its command-and-control (C&C) server.
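As an added triage example (not the author's bruteforcer or decrypter), this script inventories ".8lock8" files under a directory, groups them by original extension, reads READ_IT.txt and reports whether the hash ends in "AH33" (the offline-key case above). It also includes the kind of known-header check a bruteforcer uses to confirm a candidate key produced a real PNG; the victim tree it builds is constructed for the demo.

```python
import os
import pathlib
import tempfile
from collections import Counter

RANSOM_EXT = ".8lock8"
NOTE_NAME = "READ_IT.txt"
OFFLINE_MARKER = "AH33"  # hash suffix seen when the malware could not reach its C&C server
OFFLINE_PASSWORD = "Whendiplomacyends,Warbegins.1933"
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"


def plaintext_looks_like_png(data: bytes) -> bool:
    """Known-plaintext check: a correctly decrypted .png.8lock8 starts with the PNG signature."""
    return data[:8] == PNG_MAGIC


def note_uses_offline_key(note_text: str) -> bool:
    """The identifying hash is the last non-empty line of READ_IT.txt."""
    lines = [ln.strip() for ln in note_text.splitlines() if ln.strip()]
    return bool(lines) and lines[-1].endswith(OFFLINE_MARKER)


def triage(root: str) -> dict:
    """Walk the tree, count encrypted files per original extension, and inspect ransom notes."""
    encrypted, notes = [], []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.endswith(RANSOM_EXT):
                encrypted.append(pathlib.Path(dirpath, name))
            elif name == NOTE_NAME:
                notes.append(pathlib.Path(dirpath, name))
    # "file.jpg.8lock8" -> original extension ".jpg"
    by_ext = Counter(pathlib.Path(p.name[: -len(RANSOM_EXT)]).suffix.lower() for p in encrypted)
    offline = any(note_uses_offline_key(n.read_text(encoding="utf-8", errors="replace")) for n in notes)
    return {"encrypted_count": len(encrypted), "by_extension": dict(by_ext), "notes": len(notes),
            "offline_key": offline, "password_hint": OFFLINE_PASSWORD if offline else None}


def demo() -> dict:
    """Constructed victim tree: two encrypted files and a note whose hash ends in AH33."""
    root = tempfile.mkdtemp()
    pathlib.Path(root, "docs").mkdir()
    pathlib.Path(root, "docs", "report.docx.8lock8").write_bytes(b"\x00" * 16)
    pathlib.Path(root, "photo.png.8lock8").write_bytes(b"\x00" * 16)
    pathlib.Path(root, NOTE_NAME).write_text("Files have been encrypted!\n\nQ7ZK2PAH33\n", encoding="utf-8")
    return triage(root)


if __name__ == "__main__":
    print(demo())
```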
If you have any problems with these steps, let me know!
Edited by Demonslay335, 14 May 2016 - 11:14 AM.