A new strain of EDA2 has been found to be targeting victims in Russia. Thanks to @MalwareHunterTeam for assistance with analyzing this one.
Files are encrypted with AES-256, and have the extension ".locked" added to the file name.
The victim's background is set to the following image with instructions for reading the ransom note.
The file "README.html" contains the ransom note, and is displayed below.
The XXX part contains a unique identifier for the victim.
The following extensions are targeted.
.pdf, .psd, .txt, .rtf, .odt, .doc, .docx, .docm, .djvu, .djv, .rb, .epub, .html, .htm, .asp, .aspx, .php, .phtml, .xls, .xlsx, .xlsm, .csv, .ods, .asm, .c, .h, .cpp, .cxx, .h, .hpp, .pas, .dpr, .bas, .bbc, .java, .js, .cs, .resx, .ml, .pl, .pm, .php3, .py, .rb, .rbw, .sd7
If you or someone you know has been affected by this ransomware, do not pay the ransom. We may be able to assist in decrypting files for a majority of victims.
Edited by Demonslay335, 06 June 2016 - 01:54 PM.
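
The indicators in the post above (the ".locked" suffix, the "README.html" note and the targeted extension list) are enough to scope the damage on an affected machine or file share. The following triage script is an added example, not part of the original post; the function names `triage` and `build_sample` are hypothetical, and the sample tree is constructed from empty files.

```python
import os
import tempfile
from collections import Counter

# Extensions the post lists as targeted (duplicates in the post collapse in a set).
TARGETED = set("""
.pdf .psd .txt .rtf .odt .doc .docx .docm .djvu .djv .rb .epub .html .htm .asp
.aspx .php .phtml .xls .xlsx .xlsm .csv .ods .asm .c .h .cpp .cxx .hpp .pas
.dpr .bas .bbc .java .js .cs .resx .ml .pl .pm .php3 .py .rbw .sd7
""".split())
MARKER = ".locked"     # appended to the original file name, per the post
NOTE = "README.html"   # ransom note file name, per the post


def triage(root):
    """Walk root and classify every file against the indicators in the post."""
    report = {"locked": [], "other_locked": [], "notes": [], "at_risk": Counter()}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name == NOTE:
                report["notes"].append(path)
                continue
            lower = name.lower()
            if lower.endswith(MARKER):
                # Original extension is what sits in front of ".locked".
                inner_ext = os.path.splitext(lower[:-len(MARKER)])[1]
                key = "locked" if inner_ext in TARGETED else "other_locked"
                report[key].append(path)
            elif os.path.splitext(lower)[1] in TARGETED:
                # Targeted type that is still intact: back these up first.
                report["at_risk"][os.path.splitext(lower)[1]] += 1
    return report


def build_sample(root):
    """Constructed sample tree: empty files, only the names matter."""
    for rel in ["docs/report.docx.locked", "docs/notes.txt", "docs/README.html",
                "src/main.cpp.locked", "src/build.log.locked", "src/photo.jpg"]:
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        r = triage(tmp)
        print(len(r["locked"]), len(r["other_locked"]), dict(r["at_risk"]))
```

Files reported under `other_locked` carry the suffix but an original extension outside the posted list, so they may belong to unrelated software and should be checked by hand before being counted as encrypted.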