A "new" ransomware has been stumbled upon by xXToffeeXx and Fabian Wosar, dubbed GhostCrypt. It also appears this was discovered by malware analyst JaromirHorejsi in February. This is another variant of the famed HiddenTear project.
The ransom note presented to victims masquerades as CryptoLocker, with the following message in READ_THIS_FILE.txt on the user's desktop.
Files have been encrypted by CryptoLocker.
In order to get hands on your files again and decrypt them you must pay 2 BTC (Bitcoin).
You must complete the following steps:
1. Android users must download the application called Bitcoin Wallet. iOS users must download the application called Copay.
2. After you register and receive a Bitcoin account you must buy 2 BTC (BitCoins) in order to load your account.
3. You must than send the BitCoins bought to one of the following accounts.
Once we will receive the payment the decryption key will be issued to you and your files will be decrypted.
For more information please visit: https://goo.gl/wDhp4J
All attached drive letters are traversed. The following extensions are encrypted with AES-256, and have the extension ".Z81928819" appended to them.
.asp, .aspx, .avi, .bk, .bmp, .css, .csv, .divx, .doc, .docx, .eml, .htm, .html, .index, .jpeg, .jpg, .lnk, .mdb, .mkv, .mov, .mp3, .mp4, .mpeg, .msg, .odt, .ogg, .pdf, .php, .png, .ppt, .pptx, .psd, .rar, .sln, .sql, .txt, .wav, .wma, .wmv, .xls, .xlsx, .xml, .zip
If you or someone you know has been affected by this ransomware, please post here, and do not pay the ransom.
Decrypter available here:
Please note, the password for the zip file is "false-positive". This is a temporary response to false positives being triggered by Google SafeBrowsing and antivirus.
Edited by Demonslay335, 17 January 2017 - 06:48 PM.
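As an added example (not part of the post above, and not the decrypter it links to), the following Python script turns the indicators the post gives (the ".Z81928819" suffix, the READ_THIS_FILE.txt note with its "Files have been encrypted by CryptoLocker." opening line, and the targeted extension list) into an inventory pass a responder can run over a mounted drive before attempting recovery. It walks a directory tree, lists encrypted files with their recoverable original names, confirms ransom notes by content rather than filename alone, and flags encrypted files whose original extension is not in the post's list, which is worth noting when scoping an incident. The function names and the sample tree it builds are hypothetical and constructed for the example.

```python
import os
import tempfile
from pathlib import Path

# Indicators as stated in the forum post above.
GHOSTCRYPT_SUFFIX = ".Z81928819"
RANSOM_NOTE_NAME = "READ_THIS_FILE.txt"
RANSOM_NOTE_MARKER = "Files have been encrypted by CryptoLocker."
TARGETED_EXTENSIONS = {
    ".asp", ".aspx", ".avi", ".bk", ".bmp", ".css", ".csv", ".divx", ".doc",
    ".docx", ".eml", ".htm", ".html", ".index", ".jpeg", ".jpg", ".lnk",
    ".mdb", ".mkv", ".mov", ".mp3", ".mp4", ".mpeg", ".msg", ".odt", ".ogg",
    ".pdf", ".php", ".png", ".ppt", ".pptx", ".psd", ".rar", ".sln", ".sql",
    ".txt", ".wav", ".wma", ".wmv", ".xls", ".xlsx", ".xml", ".zip",
}


def original_name(encrypted_name):
    """Strip the appended suffix to recover the pre-encryption filename."""
    if not encrypted_name.endswith(GHOSTCRYPT_SUFFIX):
        raise ValueError("not a GhostCrypt-suffixed name: " + encrypted_name)
    return encrypted_name[: -len(GHOSTCRYPT_SUFFIX)]


def is_ransom_note(path):
    """A note is only counted if its content matches, not just its filename."""
    if path.name != RANSOM_NOTE_NAME:
        return False
    try:
        return RANSOM_NOTE_MARKER in path.read_text(errors="replace")
    except OSError:
        return False


def scan_tree(root):
    """Walk `root` and inventory GhostCrypt indicators.

    Returns a dict with:
      encrypted      - list of (encrypted_path, original_name) pairs
      notes          - paths of confirmed ransom notes
      unexpected_ext - encrypted files whose original extension is not in
                       the post's target list (possible variant drift)
    """
    result = {"encrypted": [], "notes": [], "unexpected_ext": []}
    for dirpath, _dirs, filenames in os.walk(root):
        for fn in filenames:
            p = Path(dirpath) / fn
            if is_ransom_note(p):
                result["notes"].append(str(p))
            elif fn.endswith(GHOSTCRYPT_SUFFIX):
                orig = original_name(fn)
                result["encrypted"].append((str(p), orig))
                if Path(orig).suffix.lower() not in TARGETED_EXTENSIONS:
                    result["unexpected_ext"].append(str(p))
    return result


def make_sample_tree():
    """Build a constructed directory tree that mimics an affected host.

    This is test data invented for the example, not a real infection.
    """
    root = Path(tempfile.mkdtemp(prefix="ghostcrypt_demo_"))
    files = {
        "docs/report.docx" + GHOSTCRYPT_SUFFIX: b"\x00encrypted\x00",
        "photos/holiday.jpg" + GHOSTCRYPT_SUFFIX: b"\x00encrypted\x00",
        # .py is not on the post's list, so this one gets flagged.
        "misc/tool.py" + GHOSTCRYPT_SUFFIX: b"\x00encrypted\x00",
        "docs/untouched.txt": b"clean file, never encrypted",
        "Desktop/" + RANSOM_NOTE_NAME: (RANSOM_NOTE_MARKER + "\n").encode(),
        # Same filename, unrelated content: must not count as a note.
        "other/" + RANSOM_NOTE_NAME: b"just a reminder to read this file",
    }
    for rel, data in files.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)
    return str(root)


if __name__ == "__main__":
    demo_root = make_sample_tree()
    summary = scan_tree(demo_root)
    print("encrypted files:", len(summary["encrypted"]))
    for enc, orig in summary["encrypted"]:
        print("  ", enc, "->", orig)
    print("confirmed notes:", summary["notes"])
    print("not on the known extension list:", summary["unexpected_ext"])
```

Run it against a real mount by replacing `demo_root` with the drive path; the `(encrypted_path, original_name)` pairs give a rename plan to apply only after the decrypter has verified the content.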