A new ransomware was reported by @JaromirHorejsi that encrypts a victim's files and sets the background to a ransom note in Russian with the filename "w.jpg" that asks to contact the criminals at email@example.com.
A random extension is selected from an array to append to files, with the pattern .31392E30362E32303136_(0-20)_LSBJ1: for example, ".31392E30362E32303136_14_LSBJ1".
Other variants seem to exist as well, with different numbers at the beginning, and different letters at the end, suggesting that this ransomware may be sold as a kit. Other extensions spotted include .31392E30362E32303136_(0-20)_ZHM1 and .31342E30362E32303136_(0-20)_KTR1.
The following extensions are targeted:
.cd, .ldf, .mdf, .max, .dbf, .epf, .1cd, .md, .pdf, .ppt, .xls, .doc, .arj, .tar, .7z, .rar, .zip, .tif, .jpg, .bmp, .png, .cdr, .psd, .jpeg, .docx, .xlsx, .pptx, .accdb, .mdb, .rtf, .odt, .ods, .odb, .odg,
Shadow copies are deleted using the following command.
vssadmin.exe Delete Shadows /All /Quiet
Unfortunately, the claim in the ransom note about the use of RSA-2048 is true. The malware has 20 embedded RSA keys, and encrypts the victim's data with one of the keys chosen at random, in chunks of 245 bytes. There is currently no way to decrypt data for free due to the use of this asymmetric encryption. I do recommend trying undelete programs such as Recuva, as the malware does not securely delete files.
Edited by Demonslay335, 20 June 2016 - 01:13 PM.
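As an added triage example (not part of the original post and not the malware author's code), the following Python helper recognises the extension pattern described above, decodes its 20-hex-character prefix (which is plain ASCII: 31392E30362E32303136 reads "19.06.2016" and 31342E30362E32303136 reads "14.06.2016", matching the dates the variants were seen), and flags the vssadmin shadow-copy deletion command in process command lines. The sample filenames and log line are constructed for the example; the suffix list and the 0-20 index range come from the post, and the assumption that the suffix is always uppercase letters and digits is mine.

```python
import re

# Constructed samples (not from the original post), used only to exercise the helpers.
SAMPLE_FILENAMES = [
    "report.docx.31392E30362E32303136_14_LSBJ1",
    "photo.jpg.31342E30362E32303136_3_KTR1",
    "notes.txt",
]
SAMPLE_CMDLINES = [
    "vssadmin.exe Delete Shadows /All /Quiet",   # quoted in the post
    "vssadmin.exe list shadows",                 # benign admin use
]

# Appended extension: 20 hex characters, an index 0-20, then a short suffix
# such as LSBJ1 / ZHM1 / KTR1.  Suffix charset is an assumption.
EXT_RE = re.compile(r"\.([0-9A-Fa-f]{20})_(\d{1,2})_([A-Z0-9]+)$")

# Shadow copy deletion exactly as quoted in the post, matched case-insensitively.
VSSADMIN_RE = re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows\b.*?/all", re.IGNORECASE)


def parse_extension(filename):
    """Return (decoded_prefix, index, suffix) when the name carries the
    ransomware extension, else None.  The hex prefix decodes to an ASCII
    date string, e.g. 31392E30362E32303136 -> '19.06.2016'."""
    m = EXT_RE.search(filename)
    if not m:
        return None
    hex_prefix, index, suffix = m.groups()
    index = int(index)
    if not 0 <= index <= 20:          # post says the index is chosen from 0-20
        return None
    decoded = bytes.fromhex(hex_prefix).decode("ascii", errors="replace")
    return decoded, index, suffix


def find_encrypted_files(names):
    """Map each matching filename to its parsed extension; useful for
    grouping a disk image by variant (prefix date + suffix)."""
    hits = {}
    for n in names:
        parsed = parse_extension(n)
        if parsed:
            hits[n] = parsed
    return hits


def is_shadow_deletion(cmdline):
    """True when a process command line deletes all shadow copies, which is
    a strong signal worth alerting on in process-creation telemetry."""
    return bool(VSSADMIN_RE.search(cmdline))


if __name__ == "__main__":
    for name, (date, idx, sfx) in find_encrypted_files(SAMPLE_FILENAMES).items():
        print(f"{name}: variant date={date} index={idx} suffix={sfx}")
    for cmd in SAMPLE_CMDLINES:
        print(f"{'ALERT' if is_shadow_deletion(cmd) else 'ok   '} {cmd}")
```

Decoding the prefix gives an easy way to tell the variants apart when cataloguing samples, and the vssadmin match is the same command line quoted above, so it can be dropped straight into an EDR or Sysmon process-creation rule.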