Searching for more information + wanted to give a heads up for you to pass on to your clients/friends/family.
I'm new to joining bleepingcomputer but have always enjoyed the quality of information.
I am sure this will probably be redundant and not nearly as thorough as it could be, but it's the first time I have really had to deal with a crypted computer (I've dealt with other virus removals before, mind you) and I thought I would at least share what I found. Hopefully it's of some use.
The source was a fraud UPS Email with a zip file attached:
(picture kept breaking when trying to embed)
The client had removed some files already, so I couldn't find any "branding" or splash screen asking for money.
I did find the ransom note in the recycle bin.
It read very much like the .crypted note shown below, but with minor changes:
"All your documents, photos, databases and other important personal files were encrypted using strong RSA-1024 algorithm with a unique key. To restore your files you have to pay 0.60358 BTC (bitcoins).
1. Create Bitcoin wallet here:
2. Buy 0.60358 BTC with cash, using search here:
3. Send 0.60358 BTC to this Bitcoin address:
4. Open one of the following links in your browser to download decryptor:
5. Run decryptor to restore your files."
There was no "calling card", as I call it; all the files looked as they normally would, with no renaming done to the file or file type.
The client's computer was full of all sorts of malware; however, there was a rootkit and trojan called Fileless.MTGEN (which from what I read is quite generic).
%appdata% (local, and roaming in particular) had a bunch of files to clear out.
Anyway, if you have dealt with a similar crypt, I would be curious if you know the name of it and if there is a decrypt key for it out there for future knowledge.
Edited by gorship, 05 July 2017 - 12:44 PM.