First time posting, but long-time follower of this community. My friend’s small accounting practice (two old ladies) was recently hit with ransomware and their Quickbooks data was locked. Unfortunately it turns out that their backups were not working properly (incremental backups were corrupt) and recoverable data only goes back to mid-2016. You can imagine the horrific situation the ladies are going through right now...
I went online to see what ransomware they got hit with, and ID-Ransomware identified the samples I uploaded as “Cryptomix Revenge”. The encrypted files were renamed with B2EAA5B401DD769549D03B8C05AB5A8D.tastylock filenames and extension, and I could not find any mention of .tastylock anywhere online. This seems to be a new ransomware, or it may just be a modified version of an existing ransomware.
I have a sample encrypted file and its original version attached here for anyone to look at and I hope someone can help us. https://drive.google.com/open?id=185Gtu95gretYjwbSzqGyZ1rffW_DuO7m
Original file: BIGLOGO.BMP
Encrypted file: B2EAA5B401DD769549D03B8C05AB5A8D.tastylock
Encryption file used for the attack: 1tasty.exe
The application file that seems to have been used to carry out the encryption is also included here if anyone is interested in looking at it. Using a text editor, the RSA keys shown in the file resemble what is mentioned in this article (https://www.bleepingcomputer.com/news/security/new-arena-cryptomix-ransomware-variant-released/), but that is for the .Arena Cryptomix variant and not a .Tastylock version.
Here is the ransom note message, but it did not indicate their demands or timeframe:
All you files an encrypted!
For decrypt write DECRYPT ID to firstname.lastname@example.org
YOU DECRYPT-ID-8e1bc1c6-793c-4eaa-85ce-fd4b06c54e32 number
Do not change!
Do not move files!
Do not use other programs (they do not work)!
You can lose your files if you do not follow the instructions!
Thank you very much to anyone that can help out!
Edited by overworked_parttimer, 26 December 2017 - 06:25 PM.