I have had my files encrypted since yesterday, with the .encrypt extension and a README_FOR_DECRYPT.txt in each folder; it encrypts only document and image files (no video or uncommon file extensions). The ransom note does not contain the key at the end, just this:
----
All your data has been locked(crypted).
How to unlock(decrypt) instruction located in this TOR website: http://veqlxhq7ub5qze3qy56zx2cig2e6tzsgxdspkubwbayqije6oatma6id.onion/order/1L1WwajFy1MCSzvPzbi5YabcVWsi7JGwhf
Use TOR browser for access .onion websites.
https://duckduckgo.com/html?q=tor+browser+how+to
----
I isolated the binaries responsible for this (crp_linux_386 and crp_linux_arm), and there is a log file (screenlog.0) that lists the operation of the ransomware:
----
share/MD0_DATA/Web/crp_linux_arm: /share/MD0_DATA/Web/crp_linux_arm: cannot execute binary file
Init...
BTC addr: 1L1WwajFy1MCSzvPzbi5YabcVWsi7JGwhf
open /share/MD0_DATA/.@centerim/README_FOR_DECRYPT.txt: permission denied
open /share/MD0_DATA/.@mysql/mysql: permission denied
open /share/MD0_DATA/.@mysql/test: permission denied
open /share/MD0_DATA/.@qmonitor: permission denied
...
Encrypt file: /share/MD0_DATA/.@twonkymedia.db/twonkymedia/db/0.tms.dat
(0x831e7d0,0xa099960)
open /share/MD0_DATA/.@twonkymedia.db/twonkymedia/db/0.tms.dat.encrypt: permission denied
Encrypt file: /share/MD0_DATA/.@twonkymedia.db/twonkymedia/db/1.tms.dat
(0x831e7d0,0xa099980)
...
Encrypt file: /share/MD0_DATA/corpo.html
Encrypt file: /share/MD0_DATA/enviar.pl
Encrypt file: /share/MD0_DATA/ftp.txt
...
open /share/MD0_DATA/lost+found: permission denied
Encrypt file: /share/MD0_DATA/pass.txt
Encrypt file: /share/MD0_DATA/user.txt
Done!
----
Do you know which variant it is? Or is it a variant of Muhstik?
Thanks
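For anyone triaging a screenlog.0 like the one quoted above, the following is an added example (mine, not the poster's or any vendor's code) that parses that log format into an incident summary: which files the binary claims to have encrypted, broken down by extension, where it was refused (notably where it could not write the `.encrypt` copy, so the original may still be intact), whether the run reached `Done!`, and the payment address it printed. The sample log embedded in the block is constructed from the excerpt in the post; the message formats it matches (`Encrypt file:`, `open ...: permission denied`, `BTC addr:`, `Done!`) are taken from that excerpt and are assumed to be the only forms that matter for triage.

```python
import re
from collections import Counter
from dataclasses import dataclass, field
from pathlib import PurePosixPath

# Constructed sample modelled on the screenlog.0 excerpt in the post; it is not
# the real log, just enough lines to exercise every message type seen there.
SAMPLE_LOG = """\
/share/MD0_DATA/Web/crp_linux_arm: /share/MD0_DATA/Web/crp_linux_arm: cannot execute binary file
Init...
BTC addr: 1L1WwajFy1MCSzvPzbi5YabcVWsi7JGwhf
open /share/MD0_DATA/.@centerim/README_FOR_DECRYPT.txt: permission denied
open /share/MD0_DATA/.@mysql/mysql: permission denied
Encrypt file: /share/MD0_DATA/.@twonkymedia.db/twonkymedia/db/0.tms.dat
(0x831e7d0,0xa099960)
open /share/MD0_DATA/.@twonkymedia.db/twonkymedia/db/0.tms.dat.encrypt: permission denied
Encrypt file: /share/MD0_DATA/corpo.html
Encrypt file: /share/MD0_DATA/enviar.pl
Encrypt file: /share/MD0_DATA/pass.txt
Done!
"""

# Message shapes assumed from the post's log excerpt.
ENCRYPT_RE = re.compile(r"^Encrypt file: (?P<path>\S.*)$")
DENIED_RE = re.compile(r"^open (?P<path>.+): permission denied$")
BTC_RE = re.compile(r"^BTC addr: (?P<addr>\S+)$")
NOTE_NAME = "README_FOR_DECRYPT.txt"   # ransom note name from the post
ENC_EXT = ".encrypt"                    # extension appended to encrypted files


@dataclass
class Triage:
    btc_addresses: list = field(default_factory=list)
    encrypted: list = field(default_factory=list)   # files the binary says it processed
    denied: list = field(default_factory=list)      # paths it could not open
    completed: bool = False                         # saw the final "Done!" marker

    def failed_encrypted_writes(self):
        """Encrypted copies the binary could not create."""
        return [p for p in self.denied if p.endswith(ENC_EXT)]

    def likely_intact(self):
        """Originals whose .encrypt copy failed to open: worth checking before restoring."""
        failed = set(self.failed_encrypted_writes())
        return [p for p in self.encrypted if p + ENC_EXT in failed]

    def note_drop_failures(self):
        """Folders where the ransom note could not be written."""
        return [p for p in self.denied if PurePosixPath(p).name == NOTE_NAME]

    def by_extension(self):
        """Count of reported encryptions per file extension."""
        return Counter(PurePosixPath(p).suffix.lower() or "<none>" for p in self.encrypted)


def parse_screenlog(text):
    t = Triage()
    for line in text.splitlines():
        line = line.rstrip()
        if (m := ENCRYPT_RE.match(line)):
            t.encrypted.append(m["path"])
        elif (m := DENIED_RE.match(line)):
            t.denied.append(m["path"])
        elif (m := BTC_RE.match(line)):
            t.btc_addresses.append(m["addr"])
        elif line == "Done!":
            t.completed = True
        # "Init...", the "(0x...,0x...)" pointer dumps and the "cannot execute
        # binary file" line for the wrong-architecture build are ignored.
    return t


def summarize(t):
    lines = [f"ransom address(es): {', '.join(t.btc_addresses) or 'none'}",
             f"files reported encrypted: {len(t.encrypted)}",
             f"run completed: {t.completed}"]
    for ext, n in t.by_extension().most_common():
        lines.append(f"  {ext}: {n}")
    if t.likely_intact():
        lines.append("encrypted copy could not be written (check these originals):")
        lines.extend(f"  {p}" for p in t.likely_intact())
    return "\n".join(lines)


if __name__ == "__main__":
    print(summarize(parse_screenlog(SAMPLE_LOG)))
```

Run it against the real screenlog.0 by reading the file into `parse_screenlog`; the `likely_intact()` list is the part worth acting on first, since a denied `open` on the `.encrypt` path means the binary never got to write its output for that file, and the "permission denied" entries overall show which shares the process's privileges did not reach.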