Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Russian EDA2 (.locked) - README.html


  • Please log in to reply
3 replies to this topic

#1 Demonslay335

Demonslay335

    Ransomware Hunter


  • Security Colleague
  • 3,561 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:03:25 PM

Posted 06 June 2016 - 01:49 PM

A new strain of EDA2 has been found to be targeting victims in Russia. Thanks to @MalwareHunterTeam for assistance with analyzing this one.
 
Files are encrypted with AES-256, and have the extension ".locked" added to the file name.
 
The victim's background is set to the following image with instructions for reading the ransom note.
 
tsqMIVH.png
 
The file "README.html" contains the ransom note, and is displayed below.
 
Im4nKKD.png
 
The XXX part contains a unique identifier for the victim.
 
The following extensions are targeted.
 

 

 

.pdf, .psd, .txt, .rtf, .odt, .doc, .docx, .docm, .djvu, .djv, .rb, .epub, .html, .htm, .asp, .aspx, .php, .phtml, .xls, .xlsx, .xlsm, .csv, .ods, .asm, .c, .h, .cpp, .cxx, .h, ,hpp, .pas, .dpr, .bas, .bbc, .java, .js, .cs, .resx, .ml, .pl, .pm, .php3, .py, .rb, .rbw, .sd7

 
If you or someone you know has been affected by this ransomware, do not pay the ransom. We may be able to assist in decrypting files for a majority of victims.


Edited by Demonslay335, 06 June 2016 - 01:54 PM.

logo-25.pngID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

ransomnotecleaner-25.png RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

cryptosearch-25.pngCryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.


BC AdBot (Login to Remove)

 


#2 Amigo-A

Amigo-A

  • Members
  • 585 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:3st station from Sun
  • Local time:01:25 AM

Posted 06 June 2016 - 02:32 PM

Demonslay335

Affected by the virus do not know yet, but the description in Russian is already compiled.

We can only wait.


My projects: Digest "Crypto-Ransomwares" + Anti-Ransomware Project (In Russian) + Google Translate Technology

Have you been attacked by a Ransomware? Report here. Знаете русский язык? Пишите мне на русском. Помогу. 


#3 Demonslay335

Demonslay335

    Ransomware Hunter

  • Topic Starter

  • Security Colleague
  • 3,561 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:03:25 PM

Posted 06 June 2016 - 02:51 PM

Thanks for the blog post. According to MalwareHunterTeam, we believe this variant has actually be up for several months (potentially 7 months according to the web panel). Only just now heard of it and got a sample, which was submitted today. They could be re-compiling it for a new wave I would guess.


logo-25.pngID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

ransomnotecleaner-25.png RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

cryptosearch-25.pngCryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.


#4 Amigo-A

Amigo-A

  • Members
  • 585 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:3st station from Sun
  • Local time:01:25 AM

Posted 06 June 2016 - 03:00 PM

I agree. It is important to be aware of the threat, which can always be modified, transformed, and be angrier previous version.


Edited by Amigo-A, 06 June 2016 - 03:02 PM.

My projects: Digest "Crypto-Ransomwares" + Anti-Ransomware Project (In Russian) + Google Translate Technology

Have you been attacked by a Ransomware? Report here. Знаете русский язык? Пишите мне на русском. Помогу. 





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users