This is mostly for inforamtion and identification
Files encrypted as
(machine in question is offline right at a remote site so I can't upload a sample)
(I altered the DECRYPT-ID below)
Attention! All Your data was encrypted!
For specific informartion, please send us an email with Your ID number:
firstname.lastname@example.org (this email appears to be unique based on a name from the client address book)
Please send email to all email addresses! We will help You as soon as possible!
IMPORTANT: DO NOT USE ANY PUBLIC SOFTWARE! IT MAY DAMAGE YOUR DATA FOREVER!
Ransom request email
From: name from client address book<email@example.com>
Date: Mon, Jan 29, 2018 at 2:05 PM
Subject: PC Help Information
We are glad to hear You! And We will be happy to help You!
Here is Your personal instruction:
Please read it carefully! After that just follow Your instruction and You will solve this problem very quickly!
Our kind regards,
name from client address book
Worldwide Children Charity Community
Her diagnosis: Acute Lymphoblastic Leukemia (ALL)
Need for medical help: $120k
Already contributed: 81k
this included an image of a child
Google image search finds
Details from onetimesecret
to decrypt your files You will need a special software with your special unique private key.
Price of software with your private key is JUST a 0.35 bitcoins. With this product you can decrypt all your files and protect Your system!!! Protect!!! Your system will work without any vulnerability.
Also You will have a FREE tech support for solving any PC troubles for 3 years!
or www.bitquick.co - fast way to buy bitcoin with cash
or www.coinatmradar.com - it`s a Bitcoin ATM (very simple and fast)
Register there and find a nearest Bitcoin seller. It`s easy! Choose more comfortable payment method for buying Bitcoin!
After that You should send bitcoins to the charity bitcoin wallet address:
All this process is very easy! It`s like a simple money transfer.
And now most important information:
We are the International Children Charity Organisation! Your money will be spent for the children charity. So that is mean that You will get a participation in this process too. Many children will receive presents and medical help!
And We trust that you are kind and honest person! Thank You very much! We wish You all the best! Your name will be in the main donors list and will stay in the charity history!
Remember You can save many children destinies! Money for You is just a paper (You will earn money again in the next month), but for many children is a real chance to change their life!
Also ONLY WE can give to our customers very important benefits:
1) You will restore all Your data immediately
2) Your network vulnerabilities will be closed
3) You will protect Your system from the main attack in the future! It`s a very important option!
Only our community can give You this opportunity! All other anti-malware companies just promise it, but in fact they cannot protect You! It`s very terrible!
4) Main idea - many children will receive a donation and medical help from Your name!
5) You will have a free tech support for solving any PC troubles! Just ask a support and support will help You!
P.S> When your payment will be delivered you will receive your software with private key IMMEDIATELY!
P.P.S> In the next 24 hours your price may be doubled by the Main Server automatically.
So now you have a chance to restore your PC at low price!
From what I have gathered at this point the attack vector was a publically exposed RDP connection to a Windows 7 Pro computer with multiple accounts and likely weak passwords.
In addition to the normal encryption this variant appears to have damaged the user accounts / operating system in some way.
Issue became apparent when users could not connect to computer anymore. Local logons didn't work either.
I was unable to recover the passwords... something I usually have no problem with on a machin of this vintage.
Offline tools showed all accounts a locked out (Including the default administrator)
I was able to unlock the admin account and clear the password to logon, and discover the encrypted files.
I created a new admin user and was able to logon although I get warnings about unavailable system locations and the desktop doesn't render.
Machine is currently offline and I don't have access, where it will remain until I have good reason to recover it.
Edited by codebase, 31 January 2018 - 12:06 PM.