This ransomware encrypts files using AES, and appends the extension ".crypt38". The victim is left with a screen locker that demands a payment of 1000 Rubles, or ~$15 USD. The victim is asked to email a code to email@example.com.
Below is an image of this ransom screen, which is completely in Russian.
The ransomware will manually enumerate over drive letters in the following order. It is rather slow at encrypting and decrypting the system partly due to this.
C:\, D:\, E:\, Z:\, Y:\, X:\, W:\, V:\, F:\, G:\, H:\, I:\, J:\, K:\, U:\, T:\, S:\, R:\, Q:\, L:\, M:\, N:\, O:\, P:\, A:\, B:\
The following file extensions are targeted.
.txt, .pdf, .html, .rtf, .dwg, .cdw, .max, .psd, .3dm, .3ds, .dxf, .ps, .ai, .svg, .indd, .cpp, .pas, .php, .cs, .py, .java, .class, .fla, .pl, .sh, .jpg, .jpeg, .jps, .bmp, .tiff, .avi, .mov, .mp4, .amr, .aac, .doc, .docx, .xls, .xlsx, .ppt, .pptx, .accdb, .odt, .odp, .odx, .ibooks, .xlp, .db, .dbf, .mdf, .sdf, .mdb, .sql, .rar, .7z, .zip, .vcf, .cer, .csr, .torrent, .otl, .report, .key, .csv, .xml
Paths with the following terms are skipped.
Windows, msocache, Program Files, Program Files (x86)
The good news is that victims of this ransomware can recover their files. If the program is still running, you may use my keygen to generate the unlock code. It will search for the request.bin the ransomware uses to store the victim ID; if it is not present, you may manually enter the victim ID. Once the code is generated, simply enter it into the malware to start decrypting the files.
I highly recommend backing up your .crypt38 files before letting it decrypt; in one instance of my testing, the decryption did fail (despite accepting and acknowledging the correct key) and corrupted files.
The keygen may be downloaded here: http://www.bleepingcomputer.com/download/crypt38decrypter/
If anyone has been hit by this ransomware, and has closed/deleted the malware, decryption is still possible. Simply back up the .crypt38 files and the %APPDATA%\request.bin file, and post here; I can write a proper decrypter if it is needed.
Edited by Grinler, 28 July 2016 - 09:56 AM.
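The post recommends backing up the .crypt38 files and %APPDATA%\request.bin before letting anything decrypt. The triage script below is an added example, not the author's keygen or decrypter: it walks a tree in the drive order the post lists, honours the same path skip terms the malware uses, inventories every .crypt38 file and stages a copy (with timestamps preserved) alongside request.bin. The `stage_backup`, `inventory` and `drive_roots` names are the example's own.

```python
"""Added triage helper for Crypt38 victims: inventory encrypted files and stage
a backup copy plus request.bin before any decryption attempt is made."""
import os
import shutil
from pathlib import Path
from typing import List, Optional

ENCRYPTED_EXT = ".crypt38"
# Path terms the post says the malware skips (compared case-insensitively).
SKIP_TERMS = ("windows", "msocache", "program files", "program files (x86)")
# Drive letters in the order the post says the malware walks them.
DRIVE_ORDER = "CDEZYXWVFGHIJKUTSRQLMNOPAB"


def is_skipped(relative: Path) -> bool:
    """True if the path (relative to the scanned root) contains a skip term."""
    lowered = str(relative).lower()
    return any(term in lowered for term in SKIP_TERMS)


def inventory(root: Path) -> List[Path]:
    """Return every .crypt38 file under root that the malware could have touched."""
    found = []
    for dirpath, dirnames, filenames in os.walk(root):
        d = Path(dirpath)
        if d != root and is_skipped(d.relative_to(root)):
            dirnames[:] = []  # the malware never descends here, so neither do we
            continue
        found.extend(d / n for n in filenames if n.lower().endswith(ENCRYPTED_EXT))
    return sorted(found)


def stage_backup(root: Path, dest: Path, appdata: Optional[Path] = None) -> dict:
    """Copy all encrypted files (tree preserved) and request.bin into dest.

    appdata defaults to %APPDATA%; pass it explicitly when working offline on an
    image. Returns counts so the caller can confirm the backup before decrypting.
    """
    encrypted = inventory(root)
    for f in encrypted:
        target = dest / f.relative_to(root)
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(f, target)  # copy2 keeps mtime, useful for the timeline
    appdata = appdata or Path(os.environ.get("APPDATA", ""))
    request_bin = appdata / "request.bin"  # holds the victim ID per the post
    have_id = request_bin.is_file()
    if have_id:
        dest.mkdir(parents=True, exist_ok=True)
        shutil.copy2(request_bin, dest / "request.bin")
    return {"encrypted": len(encrypted), "request_bin": have_id}


def drive_roots() -> List[str]:
    """Existing drive roots in the malware's enumeration order (Windows only)."""
    return [f"{c}:\\" for c in DRIVE_ORDER if os.path.exists(f"{c}:\\")]
```

Run `stage_backup(Path(d), Path("E:\\crypt38_backup"))` for each root from `drive_roots()` before running the keygen, and keep the staged copy until decrypted files have been verified.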