
MotoxLocker Help & Support - motox2016@protonmail.com
2 replies to this topic

#1 Demonslay335

Ransomware Hunter

  • Security Colleague
  • 3,251 posts
  • Gender:Male
  • Location:USA

Posted 21 September 2016 - 08:41 AM

Yet another variant of the DetoxCrypto ransomware was discovered by MalwareHunterTeam, which displays its ransom note in Croatian.

 

The victim's files are encrypted with AES, and have no extension added, or any file markers. The only way to identify this variant is by the wallpaper left on the victim's desktop, telling them to contact the criminals at the email address "motox2016@protonmail.com".

 

[Image: ransom wallpaper left on the victim's desktop]

 

This variant pretends to be a PDF document in order to run, and for persistence, the executable pretends to be "TrendMicro".

 

This particular variant is decryptable, and I have released a decrypter for it. :) To decrypt files, you will just need what the program calls the "public key", a random 16-character string. This is displayed in the ransom screen, and is also saved at %USERPROFILE%\TrendMicro\key.pkm. My decrypter will automatically search for this file and load it if found.

 

To note, since there is no file marker or extension, I cannot completely tell what files were not encrypted, other than to guess by the filesize. A backup of any files altered is made with the extension ".bak" to be safe.

 

https://download.bleepingcomputer.com/demonslay335/MotoxDecrypter.zip

 

 

There is also another variant of this same ransomware that uses the email address "motox2016@mail2tor.com". This variant cannot be decrypted at this time unfortunately.


ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.
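The post above describes a recovery workflow rather than code: find the 16-character "public key" (shown on the ransom screen and saved at %USERPROFILE%\TrendMicro\key.pkm), pick out the files that may have been encrypted by guessing from filesize, and keep a ".bak" copy of anything before it is touched. The script below is an added illustration of that triage workflow and is not Demonslay335's decrypter or any code from this thread. It performs no decryption, since the cipher mode and key handling are not described here. Two points are assumptions of mine: the filesize guess is implemented as "non-empty and a multiple of the 16-byte AES block size", and the sample directory, file contents and key value are constructed for the demonstration.

```python
"""
Triage helper for a MotoxLocker-style incident (added example, not the thread's tool):
  1. locate and sanity-check the key file,
  2. flag files whose size is consistent with AES block-cipher output (assumed heuristic),
  3. write a .bak copy of each candidate before anyone attempts decryption.
"""
import os
import shutil
import tempfile
from pathlib import Path
from typing import Optional

AES_BLOCK = 16   # AES block size in bytes; the size heuristic below is an assumption
KEY_LEN = 16     # the post states the "public key" is a 16-character string


def default_key_path() -> Path:
    """%USERPROFILE%\\TrendMicro\\key.pkm as named in the post; HOME is a non-Windows fallback."""
    base = os.environ.get("USERPROFILE") or os.environ.get("HOME") or "."
    return Path(base) / "TrendMicro" / "key.pkm"


def load_key(path: Path) -> Optional[str]:
    """Return the key if the file exists and holds exactly 16 printable characters, else None."""
    try:
        data = path.read_text(encoding="ascii").strip()
    except (OSError, UnicodeDecodeError):
        return None
    return data if len(data) == KEY_LEN and data.isprintable() else None


def is_candidate(path: Path) -> bool:
    """Assumed heuristic: padded AES output is a non-empty multiple of 16 bytes.
    Files failing this cannot be padded block-cipher output; files passing may still be clean."""
    try:
        size = path.stat().st_size
    except OSError:
        return False
    return size > 0 and size % AES_BLOCK == 0


def backup_before_touching(path: Path) -> Path:
    """Copy <name> to <name>.bak once; an existing backup is never overwritten."""
    bak = path.with_name(path.name + ".bak")
    if not bak.exists():
        shutil.copy2(path, bak)
    return bak


def triage(root: Path) -> list:
    """Walk root, skip our own .bak copies, back up every candidate, return the candidates."""
    candidates = []
    for p in sorted(root.rglob("*")):
        if not p.is_file() or p.suffix == ".bak":
            continue
        if is_candidate(p):
            backup_before_touching(p)
            candidates.append(p)
    return candidates


def build_sample_tree(root: Path) -> None:
    """Constructed fixture: a fake key file and three files of different sizes."""
    (root / "TrendMicro").mkdir(parents=True, exist_ok=True)
    (root / "TrendMicro" / "key.pkm").write_text("A1b2C3d4E5f6G7h8")   # constructed key
    (root / "docs").mkdir(exist_ok=True)
    (root / "docs" / "report.docx").write_bytes(b"\x00" * 48)  # 48 bytes: flagged as candidate
    (root / "docs" / "notes.txt").write_bytes(b"hello world")  # 11 bytes: skipped
    (root / "docs" / "empty.log").write_bytes(b"")             # 0 bytes: skipped


def run_demo() -> dict:
    """Build the fixture in a temp dir, run the triage twice, and report what happened."""
    tmp = Path(tempfile.mkdtemp())
    build_sample_tree(tmp)
    first = [c.name for c in triage(tmp / "docs")]
    second = [c.name for c in triage(tmp / "docs")]   # must not produce .bak.bak files
    return {
        "key": load_key(tmp / "TrendMicro" / "key.pkm"),
        "missing_key": load_key(tmp / "TrendMicro" / "absent.pkm"),
        "candidates": first,
        "candidates_rerun": second,
        "report_backup_ok": (tmp / "docs" / "report.docx.bak").read_bytes() == b"\x00" * 48,
        "notes_backed_up": (tmp / "docs" / "notes.txt.bak").exists(),
        "double_backup": (tmp / "docs" / "report.docx.bak.bak").exists(),
    }


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k}: {v}")
```

The ".bak" step mirrors the post's own safeguard: because there is no marker, a tool cannot be certain a file was encrypted, so an untouched copy must exist before any decrypt-in-place attempt, and a second run must recognise its own backups rather than back them up again.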



#2 Amigo-A

  • Members
  • 227 posts
  • Gender:Male
  • Location:3st station from Sun

Posted 21 September 2016 - 12:45 PM

Confusion: the same email motox2016@mail2tor.com is in the first variant, Detox.

 

Motox <- this is Serpico + Comments

http://www.bleepingcomputer.com/news/security/the-week-in-ransomware-august-26-2016-cows-wildfire-locker-locky-and-more/


Edited by Amigo-A, 21 September 2016 - 12:47 PM.

Need info about Crypto-Ransomware? A huge safe base here!

Digest about Crypto-Ransomwares (In Russian) + Google Translate Technology

Anti-Ransomware Project  (In Russian) + Google Translate Technology and links


#3 Amigo-A

  • Members
  • 227 posts
  • Gender:Male
  • Location:3st station from Sun

Posted 21 September 2016 - 12:50 PM

We must, as a minimum, specify the names of both options. MotoxLocker - this is №2 from Serpico, but it can be deciphered.


Edited by Amigo-A, 21 September 2016 - 01:01 PM.
