VenusLocker Ransomware Help & Support (.Venusf + ReadMe.txt)


2 replies to this topic

#1 Demonslay335


Posted 02 August 2016 - 09:35 AM

Another EDA2-based ransomware is on the loose, calling itself VenusLocker. This ransomware will encrypt files with AES-256 and append ".Venusf" to filenames. The AES key is generated with a cryptographically-strong random generator, and encrypted with an embedded RSA-2048 public key before being sent to the criminal's server.

 

The following screen is shown to the victim.

 

venus-locker.jpg

 

The wallpaper is attempted to be set to this image: http://i.imgur.com/Jk67LrS.jpg

 

The ransom note asks to email the criminals at VenusLocker@mail2tor.com with the following ReadMe.txt ransom note.

 

 

---------------------------------------- Venus Locker ------------------------------------
 
Unfortunately, you are hacked.
 
1. What happened to my files?
 
Your personal files, including your photos, documents, videos and other important files on this computer, have been encrypted
with RSA-4096, a strong encryption algorithm. RSA algorithm generates a public key and a private key for your computer. The
public key was used to encrypt your files a moment ago. The private key is necessary for you to decrypt and recover your files.
Now, your private key is stored on our secret Internet server. And there is no doubt that no one can recover your files without
your private key.
 
For further information about RSA algorithm, please refer to https://en.wikipedia.org/wiki/RSA_(cryptosystem)
 
2. How to decrypt my files?
 
To decrypt and recover your files, you have to pay 100 US Dollars for the private key and decryption service. Please note that
you have ONLY 72 HOURS to complete your payment. If your peyment do not be completed within time limit, your private key will be
deleted automatically by our server. All your files will be permanently encrypted and nobody can recover them. Therefore, it is 
advised that you'd better not waste your time, because there is no other way to recover your files except making a payment.
 
3. How to pay for my private key?
 
There are three steps to make a payment and recover your files: 
 
1). For the security of transactions, all the payments must be completed via Bitcoin network. Thus, you need to exchange 100 US dollars
(or equivalent local currencies) to Bitcoins, and then send these Bitcoins (about 0.15 BTC) to the following address.
 
1Dj9YnMiciNgaKuyzKynygu7nB21tvV6QD
 
2). Send your personal ID to our official email: VenusLocker@mail2tor.com
 
Your personal ID is cc673bcfcf644d2c1a88893cb0ff8fa7
 
3). You will receive a decryptor and your private key to recover all your files within one working day.
 
4. What is Bitcoin?
 
Bitcoin is an innovative payment network and a new kind of money. It is based on an open-source cryptographic protocol that is 
independent of any central authority. Bitcoins can be transferred through a computer or a smartphone withour an intermediate
financial institution.
 
5. How to make a payment with Bitcoin?
 
You can make a payment with Bitcoin based on Bitcoin Wallet or Based on Perfect Money. You can choose the way that is more convenient for you.
 
About Based on Bitcoin Wallet
 
  1) Create a Bitcoin Wallet. We recommend Blockchain.info (https://blockchain.info/)
 
  2) Buy necessary amount of Bitcoins. Our recommendations are as follows.
     LocalBitcoins.com -- the fastest and easiest way to buy and sell Bitcoins.
     CoinCafe.com -- the simplest and fastest way to buy, sell and use Bitcoins.
     BTCDirect.eu -- the best for Europe.
     CEX.IO -- Visa / MasterCard
     CoinMama.com -- Visa / MasterCard
     HowToBuyBitcoins.info -- discover quickly how to buy and sell Bitcoins in your local currency.
 
  3) As mentioned above, send about 0.15 BTC (equivalent to 100 USD) to our Bitcoin receiving address.
 
  4) As mentioned above, and then, send us your personal ID via email, you will receive your private key soon.
 
About Based on Perfect Money
 
  1) Create a Perfect Money account. (https://perfectmoney.is)
 
  2) Visit to PMBitcoin.com. (https://pmbitcoin.com/btc)
     input our Bitcoin receiving address in the "Bitcoin Wallet" textbox.
     input 100 in the "Amount" textbox, the amount of Bitcoin will be calculated automatically.
     click "PAY" button, then you can complete you payment with your Perfect Money account and local debit card.
 
6. If you have any problem, please feel free to contact us via official email.
 
Best Regards
VenusLocker Team
 
 
Unfortunately, there is currently no way to decrypt this ransomware unless the system was disconnected from the internet at the time of infection, or if the malware author's server goes offline.

Edited by Grinler, 05 August 2016 - 08:34 AM.

ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.



#2 love24you


Posted 04 August 2016 - 03:09 AM

My file name changes: MjAxNjA2MjgwOTEyMzRfMjc5ODQuanBn.Venusp



#3 Demonslay335


Posted 04 August 2016 - 08:18 AM

My file name changes: MjAxNjA2MjgwOTEyMzRfMjc5ODQuanBn.Venusp

 

It's the same infection.

 

The ransomware will encrypt the following files and add ".Venusf".

 

 

.txt, .ini, .php, .html, .css, .py, .c, .cpp, .cc, .h, .cs, .log, .pl, .java, .doc, .dot, .docx, .docm, .dotx, .dotm, .rtf, .wpd, .docb, .wps, .msg, .xls, .xlt, .xlm, .xlsx, .xlsm, .xltx, .xltm, xlsb, .xla, .xlam, .xll, .xlw, .ppt, .pot, .pps, .pptx, .pptm, .potx, .potm, .ppam, .ppsx, .ppsm, .sldx, .sldm, .class, .jar, .csv, .xml, .dwg, .dxf, .asp

 

Any other file types are still encrypted, but only the first 512 bytes, and have the extension ".Venusp". For some files, this might make them slightly recoverable if the header is reconstructed.

 

The filenames can be renamed at least; they are just base64-encoded. The filename you posted was originally "20160628091234_27984.jpg".

 

Can you share a few encrypted files? There is no way to tell if the virus failed to connect to the criminals' server - if it did, I can decrypt the files, but it's a very slim chance.
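The filename scheme described in the post above, as an added example that is not part of the original post and not the poster's own tooling: it decodes the base64 stem of `.Venusf` / `.Venusp` names into a rename plan without touching any file. The function names, the standard base64 alphabet with UTF-8 names, and the `.restoredN` collision suffix are assumptions of this example.

```python
import base64

# Suffixes and partial-encryption size as described in the thread.
SUFFIXES = {".Venusf": "entire file encrypted",
            ".Venusp": "first 512 bytes encrypted"}

def decode_name(encrypted_name):
    """Return (original_name, damage) or None if the name does not fit the scheme."""
    for suffix, damage in SUFFIXES.items():
        if encrypted_name.endswith(suffix):
            stem = encrypted_name[:-len(suffix)]
            break
    else:
        return None
    try:
        # Assumption: standard base64 alphabet with padding, UTF-8 names.
        name = base64.b64decode(stem, validate=True).decode("utf-8")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None
    # A decoded name must stay a plain file name inside the same directory.
    if not name or name in (".", "..") or any(c in name for c in '/\\:\0'):
        return None
    return name, damage

def plan_renames(names):
    """Build (old, new, damage) tuples from a directory listing; touches no files."""
    taken = {n.casefold() for n in names}  # Windows names are case-insensitive
    plan = []
    for old in sorted(names):
        decoded = decode_name(old)
        if decoded is None:
            continue
        original, damage = decoded
        new, n = original, 0
        while new.casefold() in taken:  # never overwrite an existing file
            n += 1
            new = f"{original}.restored{n}"
        taken.add(new.casefold())
        plan.append((old, new, damage))
    return plan

if __name__ == "__main__":
    # Constructed listing: the first name is the one posted in the thread.
    listing = ["MjAxNjA2MjgwOTEyMzRfMjc5ODQuanBn.Venusp",
               base64.b64encode(b"report.docx").decode() + ".Venusf",
               "ReadMe.txt"]
    for old, new, damage in plan_renames(listing):
        print(f"{old} -> {new}  ({damage})")
```

Renaming restores only the name; the contents stay encrypted to the extent the thread describes for each suffix.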

