Yet another HiddenTear variant has been dug up, thanks to help from Daniel Gallagher.
The Domino Ransomware comes packaged as an installer for the (potentially illegal) Windows key cracking software KMSpico.
While the installer supposedly runs, the malware is actually encrypting all of the user's files with AES in the background. Encrypted files will have the extension ".domino" appended. The ransom note "README_TO_RECURE_YOUR_FILES.txt" is left behind with the following contents, asking the victim to contact the criminals at firstname.lastname@example.org.
Your data had been encrypt!
Send me 1 bitcoins to: 1AkHpPZ18f3QAygdMV2W4R4QjkzYxDkNEA
After send me your (bitcoin address + computer name + username) to email@example.com to get password!
If you didn't do this, your password to decrypt your file will be destroy after 72 hours. Winter Is Coming!
The ransom note is also shown in a separate box with an interesting ASCII art of a cow.
Since this ransomware is based on HiddenTear, victims may be able to recover their key using my HiddenTear BruteForcer, which requires a small encrypted PNG file (e.g. picture.png.domino).
Once a key is successfully recovered, files may be decrypted using the HiddenTear Decrypter.