UPDATE: Be sure to read the comments to this post. I am posting new information and updates as comments. There is a lot of information there.
Yes, again we see Cryptolocker. My client emailed me the following: “I received an email on Friday from Energy Australia that took me to a website and it asked me to run a program but I could not open anything I believe that email may have caused this issue if that is of any help”
This falls in line with other people's observations, e.g. http://blogs.appriver.com/Blog/bid/102814/New-CryptoLocker-Has-a-Walkabout
We have not yet worked out how this version works nor which files have been affected. Here is the text of the ransom notice:
!!! YOUR SYSTEM IS HACKED !!! All your files was encrypted with Cryptolocker! This means that without the decryption key the recovery of your files is not possible, If your files have a value to you and you are willing to pay me for the decryption key please contact me: decrypt-request@mail.ua You have 3 days to pay for my services. After this period, you will lose all your files. Anti-virus software can remove Cryptolocker, but can not decrypt your files. The only way to recover your files - is to pay for the decryption key. Information for IT-specialist: Data was encrypted with AES (Rijndael) algorithm with the session key length of 256 bits. Session key is encrypted with RSA (2048 bits) algorithm. Public-key is enclosed into Cryptolocker. Private-key for decryption of the session key is stored only in my database. To crack this key, you will need more than a million years time.
This is the nasty email that began it all
#1 by mickyj on June 3, 2014 - 6:29 pm
The previous and similar version of this malware (has different text) apparently renames files and puts
“.encrypted” at the end of the file name
#2 by mickyj on June 4, 2014 - 9:26 am
We have looked through the data files and many seem to not be encrypted. We have started stumbling over randomly named files ending in “.encrypted”.
It looks like the virus had not finished the job when it alerted the user, so we can save some files for this person.
Each attacked folder has a file called “PLEASE_READ.txt” which contains the same message as the popup and the session key.
There does not appear to be a list of files in the registry to aid detection of the attacked files. Still looking.
#3 by mickyj on June 4, 2014 - 9:31 am
text file contents
All your files was encrypted with CryptoLocker!
This means that without a decryption key the recovery of your files is not possible.
If your files have a value to you and you are willing to pay me for the decryption key please contact me: decrypt-request@mail.ua
You have 3 days to pay for my services. After this period, you will lose all your files.
Anti-virus software can remove Cryptolocker, but can not decrypt your files. The only way to recover your files – is to pay for the decryption key.
Information for IT-specialists:
Data was encrypted with AES (Rijndael) algorithm with the session key length of 256 bits. Session key is encrypted with RSA (2048 bits) algorithm. Public-key is enclosed into CryptoLocker. Private-key for decryption of the session key is stored only in my database.
To crack this key, you will need more than a million years time.
---- Encrypted Session Key Begin ----
---- Encrypted Session Key End ----
#4 by mickyj on June 4, 2014 - 9:34 am
Here is the low down from Symantec
http://www.symantec.com/security_response/earthlink_writeup.jsp?docid=2014-060208-2817-99
#5 by mickyj on June 4, 2014 - 10:23 am
We have the registry key
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
“atyvuqyc”=”C:\\windows\\uquhotyq.exe”
But do not have the Bittorrent key listed in the Symantec article.
I copied the Malware to a USB key and Trend Micro WorryFree immediately killed it (which is good).
#6 by mickyj on June 4, 2014 - 10:38 am
Trend Detects it as TROJ_CRYPTOLOCKER.A
#7 by mickyj on June 4, 2014 - 10:56 am
This has many other names. See here for the analysis https://www.virustotal.com/en/file/ad9692b0d589faf72121e4c390138dfe872fe913f73dd1edb699e60bab38f875/analysis/
#8 by mickyj on June 4, 2014 - 11:33 am
http://hackermedicine.com/tag/trojan-cryptolocker-f/
#9 by mickyj on June 4, 2014 - 12:59 pm
Hmm, looks like this particular infection came from Russia.
IP address : 188.120.249.86
Country : Russian Federation
Region: Moscow City
Mail came from the server mailformail.ru
It tried to get the user to click the following link
energymar.com/data/electricity/view/get/energy.php?e=id=XXXXXXXXXXXXXXXXXXXXX
#10 by mickyj on June 4, 2014 - 1:37 pm
Affected file list
Windows Boot Configuration Data file located in
:\Boot\BCD
Then there are a bunch of file types. I noted that some files that were encrypted did not have an extension and the Malware must have worked out that they were a Doc or Docx file (Or other) by reading the mime header and encrypted it anyway.
docx
doc
xls
pst
msg
pdf
JPG
MPG
zip
xlsx
ppt
htm
thmx
pptx
mpp
xlsm
vsd
ppsx
css
TIF
mht
rtf
mp4
dot
rar
dotx
mov
js
shs
THM
rdp
BUP
IFO
VOB
#11 by mickyj on June 4, 2014 - 1:38 pm
I should mention, it did not hit every file. We had many folders with some files encrypted and others not.
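The two comments above describe the responder's problem: there is no list of touched files in the registry, the malware renames some files to “.encrypted”, leaves a PLEASE_READ.txt in each attacked folder, and stopped part-way so that folders contain a mix of encrypted and intact files. As an added example (not part of the original post, not the malware's code, and not a tool the author used), the Python script below does the triage walk a responder would do: it lists the renamed files and ransom notes, and for the extensions in the list above it compares each file's first bytes against the well-known container signature, so a file whose name still says .pdf but whose content no longer starts with %PDF is flagged as suspect. The sample directory tree it builds is constructed for the demonstration; the file names in it are not from the incident.

```python
import tempfile
from pathlib import Path

# Expected leading bytes (file signatures) for the extensions seen on the
# affected machine. ZIP-based Office formats share the PK header, the
# legacy Office formats and .msg share the OLE2 compound-document header.
MAGIC = {
    ".pdf": b"%PDF",
    ".docx": b"PK\x03\x04", ".xlsx": b"PK\x03\x04", ".pptx": b"PK\x03\x04",
    ".dotx": b"PK\x03\x04", ".xlsm": b"PK\x03\x04", ".ppsx": b"PK\x03\x04",
    ".zip": b"PK\x03\x04",
    ".doc": b"\xd0\xcf\x11\xe0", ".xls": b"\xd0\xcf\x11\xe0",
    ".ppt": b"\xd0\xcf\x11\xe0", ".msg": b"\xd0\xcf\x11\xe0",
    ".vsd": b"\xd0\xcf\x11\xe0", ".dot": b"\xd0\xcf\x11\xe0",
    ".jpg": b"\xff\xd8\xff",
    ".rar": b"Rar!",
    ".pst": b"!BDN",
}
RANSOM_NOTE = "PLEASE_READ.txt"      # dropped in each attacked folder
ENCRYPTED_SUFFIX = ".encrypted"      # appended to some victim files


def triage(root):
    """Walk `root` and classify files: renamed (.encrypted), ransom notes,
    suspect (known extension, signature no longer matches) and intact."""
    root = Path(root)
    report = {"renamed": [], "suspect": [], "intact": [], "notes": [],
              "folders": set()}
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        folder = path.parent.relative_to(root).as_posix()
        if path.name == RANSOM_NOTE:
            report["notes"].append(rel)
            report["folders"].add(folder)
            continue
        if path.suffix.lower() == ENCRYPTED_SUFFIX:
            report["renamed"].append(rel)
            report["folders"].add(folder)
            continue
        expected = MAGIC.get(path.suffix.lower())
        if expected is None:
            continue  # unknown type: cannot judge by signature alone
        with open(path, "rb") as fh:
            head = fh.read(len(expected))
        if head == expected:
            report["intact"].append(rel)
        else:
            report["suspect"].append(rel)   # name says one thing, bytes another
            report["folders"].add(folder)
    report["folders"] = sorted(report["folders"])
    return report


def build_sample_tree():
    """Constructed sample tree (not from the incident): intact files, one
    renamed file, one overwritten-in-place file and a ransom note."""
    root = Path(tempfile.mkdtemp(prefix="triage_"))
    docs = root / "Documents"
    docs.mkdir()
    (docs / "budget.xlsx").write_bytes(b"PK\x03\x04" + b"\x00" * 32)
    (docs / "report.pdf").write_bytes(b"%PDF-1.5\n%constructed sample\n")
    (docs / "letter.doc").write_bytes(b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 16)
    (docs / "photo.JPG").write_bytes(b"\xff\xd8\xff\xe0" + b"\x00" * 16)
    (docs / "minutes.docx.encrypted").write_bytes(b"\x51\xe2\x09\xaa" * 12)
    (docs / "invoice.pdf").write_bytes(b"\x8f\x3c\xa1\x07" + b"\x5e" * 44)  # header gone
    (docs / RANSOM_NOTE).write_text("constructed stand-in for the ransom note\n")
    (root / "Pictures").mkdir()
    (root / "Pictures" / "holiday.jpg").write_bytes(b"\xff\xd8\xff\xe1" + b"\x00" * 16)
    return root


if __name__ == "__main__":
    result = triage(build_sample_tree())
    for key in ("renamed", "suspect", "notes", "intact", "folders"):
        print(f"{key:8s} {result[key]}")
```

The signature check is the useful part when the note says the malware encrypted files by content type rather than by name: a file can keep its extension and still be unreadable, and only the first bytes tell you. Run it against a copy of the data, never the live share, and treat "suspect" as a queue for manual confirmation, since some legitimate files (for example a .doc that is really RTF) also fail the signature check.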
#12 by mickyj on June 4, 2014 - 5:15 pm
The good news is that I only found the one exe file on the server that was a virus. I don’t trust the OS, so it will be blown away; however, currently this thing looks to be removable.
The other good news is that this is a Windows 7 PC running Volume Shadow copy. A quick visit to \\127.0.0.1\c$ and restore previous versions allows me to get almost all data back, to within 1 day of the infection.
#13 by mickyj on June 4, 2014 - 8:41 pm
I emailed the email address in this message and this is the reply
-----Original Message-----
From: John Doe [mailto:decrypt-request@mail.ua]
Sent: Wednesday, 4 June 2014 4:49 PM
To:
Subject: Re: Help I need decryption
Hello,
Your PC data was encrypted with my virus. You have 2 ways to solve this problem:
1. Format your disk (all your data will be lost).
2. Buy a decryption key from me and decrypt/restore all your data.
To get back your data you need to pay 1000 USD for the decryption key. Payment should be made via Western Union or MoneyGram payment systems.
FAQ:
1. What Western Union and MoneyGram?
To learn more about money transfer systems, please visit:
http://www.westernunion.com/
http://global.moneygram.com/en
2. Can you make a discount?
Unfortunately, no.
3. Do you guarantee that my data will be restored?
I give you 100 guarantee that all encrypted data will be restored. If you have any doubts about it, you can send me one of .encrypted files and Encrypted Session Key value.
As a proof you will get back decrypted data from this file.
#14 by mickyj on June 4, 2014 - 8:41 pm
Here is his email header to me (with my details redacted):
Return-path:
Envelope-to:
Delivery-date: Wed, 04 Jun 2014 17:20:05 +1000
Received: from [] (helo=postoffice03.internal)
by mail01.internal with esmtp (Exim 4.71)
(envelope-from
id 1Ws5UT-0007Ct-6X
for ; Wed, 04 Jun 2014 17:20:05 +1000
Received: from [185.5.136.105] (helo=f434.i.mail.ru)
by postoffice03.internal with esmtp (Exim 4.71)
(envelope-from
id 1Ws5UR-00023g-Se
for ; Wed, 04 Jun 2014 17:20:05 +1000
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=mail.ua; s=mail;
h=References:In-Reply-To:Content-Type:Message-ID:Reply-To:Date:Mime-Version:Subject:To:From; bh=ww/CNnF5lm4EPUl539VY4aj2HQZ/6HAfchl/Nt0mC/8=;
b=YqPFuzDXMpwx9HBmfJ4prsnijuSWTan4c/J14jDcipZetBg6I6JQURAcrndWCDKUMfl9hix+9ZJE/kP9iCa/J1fV0qBKK+0x+K4t+6gUJKKzqjRs2ApYeCBPTGxD/Bpx5s+N0bWIgLPAjJlS61aXklXCyJxbKKxNjUdtjclvSnQ=;
Received: from mail by f434.i.mail.ru with local (envelope-from
id 1Ws5TB-0003H6-FU
for ; Wed, 04 Jun 2014 11:19:49 +0400
Received: from [84.113.242.162] by e.mail.ru with HTTP;
Wed, 04 Jun 2014 11:18:45 +0400
From: =?UTF-8?B?Sm9obiBEb2U=?=
To:
Subject: =?UTF-8?B?UmU6IEhlbHAgSSBuZWVkIGRlY3J5cHRpb24=?=
Mime-Version: 1.0
X-Mailer: Mail.Ru Mailer 1.0
X-Originating-IP: [84.113.242.162]
Date: Wed, 04 Jun 2014 11:18:45 +0400
Reply-To: =?UTF-8?B?Sm9obiBEb2U=?=
X-Priority: 3 (Normal)
Message-ID: <1401866325.489546289@f434.i.mail.ru>
Content-Type: multipart/alternative;
boundary="--ALT--Cvxjtxm01401866325"
X-Mras: Ok
X-Spam: undefined
In-Reply-To:
References:
#15 by mickyj on June 4, 2014 - 11:19 pm
Something a little more formal that I wrote on the original version http://www.crn.com.au/Feature/364753,uncracking-cryptolocker.aspx
Here is a link to a Cryptolocker prevention kit http://msmvps.com/blogs/bradley/archive/2013/10/15/cryptolocker-prevention-kit.aspx
#16 by mickyj on June 5, 2014 - 11:45 am
The file names are likely unique to this infection; however, there are two temp folders in the user's temporary file area.
Temp1_bill_11c47bb59cd308388e6161f699319249.zip
Temp1_bill_185c97df66a7733ec7bf3b66113e81ed.zip
Obviously the infection comes down in a Zip file.
I found only images and .js files in the Temporary Internet Files. There is nothing in the Windows temp folder nor in the local system services profiles (including the Temporary Internet Files). There is nothing in the Internet Explorer Low Temporary Internet Files.
#17 by mickyj on June 5, 2014 - 11:46 am
The images in the email received by clients are no longer available online
http://energymar.com/files/nameset/images/aa1e3d5dea172a796b9f9196027a7dfa.png
http://energymar.com/files/nameset/images/c0ab278af0a1811d58517654192369dd.jpg
#18 by mickyj on June 5, 2014 - 12:11 pm
Looking at the files downloaded I can see custom EOT (Internet Explorer font files) in the Temporary Internet Files. Wondering if there is any data in these files we can use to further pinpoint the hacker. There seems to be a lot of text in these files. (They might also have been pinched from the real Energy Australia website.)
#19 by mickyj on June 5, 2014 - 12:29 pm
Looks like many of the internet links accessed when this event triggers use resources linked into the real Energy Australia website.
It also looks like the hacker is making money from Google AdWords from the site. Not sure yet.
Here are the URLs in the order they were accessed.
http://energymar.com/data/electricity/view/get/energy.php?eid=974754845476552
http://energymar.com/data/electricity/view/get/energy.php?action=53872d333e51f9bab1c7161c3ed0808e
http://energymar.com/qt2/app/quoteservice/followme?mobile=false
http://googleads.g.doubleclick.net/pagead/viewthroughconversion/996712443/?random=1401434419599&cv=7&fst=1401434419599&num=1&fmt=1&guid=ON&u_h=810&u_w=1441&u_ah=768&u_aw=1441&u_cd=24&u_his=1&u_tz=600&u_java=true&u_nplug=0&u_nmime=0&frm=2&url=http%3A//4267471.fls.doubleclick.net/activityi%3Bsrc%3D4267471%3Btype%3DLandi-%3Bcat%3DHomep-%3Bord%3D1%3Bnum%3D2243370066247.2017%3F&ref=http%3A//energymar.com/data/electricity/view/get/energy.php%3Feid%3D974754845476552
http://energymar.com/data/electricity/view/get/2files/activityi_data/a.htm
http://googleads.g.doubleclick.net/pagead/viewthroughconversion/996712443/?random=1401434419549&cv=7&fst=1401434419549&num=1&fmt=1&guid=ON&u_h=810&u_w=1441&u_ah=768&u_aw=1441&u_cd=24&u_his=1&u_tz=600&u_java=true&u_nplug=0&u_nmime=0&frm=1&url=http%3A//energymar.com/data/electricity/view/get/energy.php%3Feid%3D974754845476552&ref=http%3A//energymar.com/data/electricity/view/get/energy.php%3Feid%3D974754845476552
http://energymar.com/data/electricity/view/get/2files/activityi.htm
http://4267471.fls.doubleclick.net/activityi;src=4267471;type=Landi-;cat=Homep-;ord=1;num=2243370066247.2017?
http://energymar.com/data/electricity/view/get/2files/followme.htm
http://googleads.g.doubleclick.net/pagead/viewthroughconversion/996712443/?random=1401434403472&cv=7&fst=1401434403472&num=1&fmt=1&guid=ON&u_h=810&u_w=1441&u_ah=768&u_aw=1441&u_cd=24&u_his=0&u_tz=600&u_java=true&u_nplug=0&u_nmime=0&frm=2&url=http%3A//4267471.fls.doubleclick.net/activityi%3Bsrc%3D4267471%3Btype%3DLandi-%3Bcat%3DHomep-%3Bord%3D1%3Bnum%3D8490257177540.451%3F&ref=http%3A//energymar.com/data/electricity/view/get/energy.php%3Feid%3D974754845476552
http://googleads.g.doubleclick.net/pagead/viewthroughconversion/996712443/?random=1401434403371&cv=7&fst=1401434403371&num=1&fmt=1&guid=ON&u_h=810&u_w=1441&u_ah=768&u_aw=1441&u_cd=24&u_his=0&u_tz=600&u_java=true&u_nplug=0&u_nmime=0&frm=1&url=http%3A//energymar.com/data/electricity/view/get/energy.php%3Feid%3D974754845476552&ref=http%3A//energymar.com/data/electricity/view/get/energy.php%3Feid%3D974754845476552
http://4267471.fls.doubleclick.net/activityi;src=4267471;type=Landi-;cat=Homep-;ord=1;num=8490257177540.451?
http://www.energyaustralia.com.au/qt2/app/quoteservice/followme?mobile=false
http://www.energyaustralia.com.au/about-us/media-centre/current-news/energyaustralia-reinforces-commitment-to-improved-sales-processes-post-accc
http://googleads.g.doubleclick.net/pagead/viewthroughconversion/996712443/?random=1401434370366&cv=7&fst=1401434370366&num=1&fmt=1&guid=ON&u_h=810&u_w=1441&u_ah=768&u_aw=1441&u_cd=24&u_his=2&u_tz=600&u_java=true&u_nplug=0&u_nmime=0&frm=0&url=http%3A//www.energyaustralia.com.au/about-us/media-centre/current-news/energyaustralia-reinforces-commitment-to-improved-sales-processes-post-accc&ref=http%3A//energymar.com/data/electricity/view/get/energy.php%3Feid%3D974754845476552
http://www.energyaustralia.com.au/about-us/media-centre/current-news/energyaustralia-reinforces-commitment-to-improved-sales-processes-post-accc
http://energymar.com/data/electricity/view/get/energy.php?action=9c415315dee4e5455c41024a11deb904
http://googleads.g.doubleclick.net/pagead/viewthroughconversion/996712443/?random=1401434291837&cv=7&fst=1401434291837&num=1&fmt=1&guid=ON&u_h=810&u_w=1441&u_ah=768&u_aw=1441&u_cd=24&u_his=1&u_tz=600&u_java=true&u_nplug=0&u_nmime=0&frm=2&url=http%3A//4267471.fls.doubleclick.net/activityi%3Bsrc%3D4267471%3Btype%3DLandi-%3Bcat%3DHomep-%3Bord%3D1%3Bnum%3D2699610595580.018%3F&ref=http%3A//energymar.com/data/electricity/view/get/energy.php%3Feid%3D974754845476552
http://googleads.g.doubleclick.net/pagead/viewthroughconversion/996712443/?random=1401434291765&cv=7&fst=1401434291765&num=1&fmt=1&guid=ON&u_h=810&u_w=1441&u_ah=768&u_aw=1441&u_cd=24&u_his=1&u_tz=600&u_java=true&u_nplug=0&u_nmime=0&frm=1&url=http%3A//energymar.com/data/electricity/view/get/energy.php%3Feid%3D974754845476552&ref=http%3A//energymar.com/data/electricity/view/get/energy.php%3Feid%3D974754845476552
http://4267471.fls.doubleclick.net/activityi;src=4267471;type=Landi-;cat=Homep-;ord=1;num=2699610595580.018?
http://www.energyaustralia.com.au/favicon.ico
http://googleads.g.doubleclick.net/pagead/viewthroughconversion/996712443/?random=1401434279965&cv=7&fst=1401434279965&num=1&fmt=1&guid=ON&u_h=810&u_w=1441&u_ah=768&u_aw=1441&u_cd=24&u_his=0&u_tz=600&u_java=true&u_nplug=0&u_nmime=0&frm=2&url=http%3A//4267471.fls.doubleclick.net/activityi%3Bsrc%3D4267471%3Btype%3DLandi-%3Bcat%3DHomep-%3Bord%3D1%3Bnum%3D9869523531519.277%3F&ref=http%3A//energymar.com/data/electricity/view/get/energy.php%3Feid%3D974754845476552
http://googleads.g.doubleclick.net/pagead/viewthroughconversion/996712443/?random=1401434279899&cv=7&fst=1401434279899&num=1&fmt=1&guid=ON&u_h=810&u_w=1441&u_ah=768&u_aw=1441&u_cd=24&u_his=0&u_tz=600&u_java=true&u_nplug=0&u_nmime=0&frm=1&url=http%3A//energymar.com/data/electricity/view/get/energy.php%3Feid%3D974754845476552&ref=http%3A//energymar.com/data/electricity/view/get/energy.php%3Feid%3D974754845476552
http://4267471.fls.doubleclick.net/activityi;src=4267471;type=Landi-;cat=Homep-;ord=1;num=9869523531519.277?
http://googleads.g.doubleclick.net/pagead/viewthroughconversion/996712443/?random=1401430101344&cv=7&fst=1401430101344&num=1&fmt=1&guid=ON&u_h=810&u_w=1441&u_ah=768&u_aw=1441&u_cd=24&u_his=0&u_tz=600&u_java=true&u_nplug=0&u_nmime=0&frm=1&url=http%3A//energymar.com/data/electricity/view/get/energy.php%3Feid%3D974754845476552&ref=http%3A//energymar.com/data/electricity/view/get/energy.php%3Feid%3D974754845476552
#20 by mickyj on June 5, 2014 - 5:57 pm
Looks like the website is now down (energymar.com). Here are the details used (real or fake) for registration.
Domain name: energymar.com
Domain idn name: energymar.com
Registry Domain ID:
Registrar WHOIS Server: whois.reg.ru
Registrar URL: https://www.reg.com/
Registrar URL: https://www.reg.ru/
Registrar URL: https://www.reg.ua/
Updated Date: 2014-05-27
Creation Date: 2014-05-27T12:20:56Z
Registrar Registration Expiration Date: 2015-05-27
Registrar: Domain names registrar REG.RU LLC
Registrar IANA ID: 1606
Registrar Abuse Contact Email: abuse@reg.ru
Registrar Abuse Contact Phone: +7.4955801111
Registry Registrant ID:
Registrant Name: Michael Soentgen
Registrant Organization: Private Person
Registrant Street: Joop Geesinkweg 117
Registrant City: Amsterdam
Registrant State/Province: Amsterdam
Registrant Postal Code: 1096
Registrant Country: NL
Registrant Phone: +31204707583
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: soentgen.michael@yahoo.com
Registry Admin ID:
Admin Name: Michael Soentgen
Admin Organization: Private Person
Admin Street: Joop Geesinkweg 117
Admin City: Amsterdam
Admin State/Province: Amsterdam
Admin Postal Code: 1096
Admin Country: NL
Admin Phone: +31204707583
Admin Phone Ext:
Admin Fax:
Admin Fax Ext:
Admin Email: soentgen.michael@yahoo.com
Registry Tech ID:
Tech Name: Michael Soentgen
Tech Organization: Private Person
Tech Street: Joop Geesinkweg 117
Tech City: Amsterdam
Tech State/Province: Amsterdam
Tech Postal Code: 1096
Tech Country: NL
Tech Phone: +31204707583
Tech Phone Ext:
Tech Fax:
Tech Fax Ext:
Tech Email: soentgen.michael@yahoo.com
Name Server: ns1.firstvds.ru
Name Server: ns2.firstvds.ru
DNSSEC: Unsigned
URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/
#21 by mickyj on June 5, 2014 - 6:10 pm
Looks like the domain was dropped or the nameservers were removed on 31 May 2014.
It was registered with these nameservers:
ns2.firstvds.ru
ns1.firstvds.ru
(found using http://whoisrequest.org/history/)
#22 by mickyj on June 5, 2014 - 7:32 pm
So I sent the malware writer a sample to decrypt. They sent the file back with this message
From: John Doe [mailto:decrypt-request@mail.ua]
Sent: Thursday, 5 June 2014 4:10 PM
To:
Subject: Re[2]:
See decrypted file in attach. After you pay, I will send you decryption software. If you agree to pay, I give you payment details.
#23 by mickyj on June 5, 2014 - 7:36 pm
Looks like the hacker replied to me using web mail and their IP may just have been captured
Return-path:
Envelope-to:
Delivery-date: Thu, 05 Jun 2014 16:41:04 +1000
Received: from [] (helo=postoffice03.internal)
by mail01.internal with esmtp (Exim 4.71)
(envelope-from
id 1WsRMF-000680-TM
for ; Thu, 05 Jun 2014 16:41:04 +1000
Received: from [217.69.140.242] (helo=f346.i.mail.ru)
by postoffice03.internal with esmtp (Exim 4.71)
(envelope-from
id 1WsRLm-00027E-SW
for ; Thu, 05 Jun 2014 16:41:03 +1000
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=mail.ua; s=mail;
h=References:In-Reply-To:Content-Type:Message-ID:Reply-To:Date:Mime-Version:Subject:To:From; bh=oM6wsrm0OEHUknfqlpCLkp8vPngUoYEjC1O3kijw59E=;
b=ozjtXqthi9FrtEIynWEkalQM6/HWRFKqZzaB2EsH2Ctnsjyvopu6ZecsCfbPwI8uA1e+ChdXCDIsUtMt8MgPLIV+ZpqMkLSRbTIhGqpfHRy+kFWtt9JlsUqEplMec+YFj99H+WIfIRTP8v+uZ+OCGOxPU89U6U5g6Em3t6UZ//M=;
Received: from mail by f346.i.mail.ru with local (envelope-from
id 1WsRLg-0005gG-UK
for ; Thu, 05 Jun 2014 10:40:29 +0400
Received: from [77.247.181.164] by e.mail.ru with HTTP;
Thu, 05 Jun 2014 10:40:28 +0400
From: =?UTF-8?B?Sm9obiBEb2U=?=
To:
Subject: =?UTF-8?B?UmVbMl06IEhlbHAgSSBuZWVkIGRlY3J5cHRpb24=?=
Mime-Version: 1.0
X-Mailer: Mail.Ru Mailer 1.0
X-Originating-IP: [77.247.181.164]
Date: Thu, 05 Jun 2014 10:40:28 +0400
Reply-To: =?UTF-8?B?Sm9obiBEb2U=?=
X-Priority: 3 (Normal)
Message-ID: <1401950428.978176915@f346.i.mail.ru>
Content-Type: multipart/mixed;
boundary="----1e7w11ky-dqTTljk8wPsEE8q9:1401950428"
X-Mras: Ok
X-Spam: undefined
In-Reply-To: <13e74555759a6fee1d748ea2255466143f03ecc2@webmail..com.au>
References: <13e74555759a6fee1d748ea2255466143f03ecc2@webmail..com.au>
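The two header dumps in this thread are read the same way: the Received lines are prepended by each hop, so the last one in the header is the first hop, and for a webmail reply that hop records the client address that the X-Originating-IP line repeats. As an added example (not part of the original post and not something the author ran), the Python below parses the header posted above with the standard library's email parser, decodes the =?UTF-8?B?...?= encoded words for From and Subject, walks the hops oldest-first, pulls the submission IP, and cross-checks it against X-Originating-IP and the DKIM signing domain against the From domain. The sample header is the one from the comment above with the recipient's details still redacted, the folded continuation lines re-indented so a parser accepts them, the placeholder address redacted@example.invalid substituted for the removed recipient, and the DKIM b= value truncated.

```python
import re
from email import message_from_string, policy

# Constructed from the header posted above: redactions kept, continuation
# lines indented (RFC 5322 folding), recipient replaced by a placeholder,
# DKIM b= value truncated. Not a live capture.
SAMPLE_HEADER = """\
Return-path: <redacted@example.invalid>
Envelope-to: redacted@example.invalid
Delivery-date: Thu, 05 Jun 2014 16:41:04 +1000
Received: from [] (helo=postoffice03.internal)
\tby mail01.internal with esmtp (Exim 4.71)
\t(envelope-from <redacted@example.invalid>)
\tid 1WsRMF-000680-TM
\tfor <redacted@example.invalid>; Thu, 05 Jun 2014 16:41:04 +1000
Received: from [217.69.140.242] (helo=f346.i.mail.ru)
\tby postoffice03.internal with esmtp (Exim 4.71)
\t(envelope-from <redacted@example.invalid>)
\tid 1WsRLm-00027E-SW
\tfor <redacted@example.invalid>; Thu, 05 Jun 2014 16:41:03 +1000
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=mail.ua; s=mail;
\th=References:In-Reply-To:Content-Type:Message-ID:Reply-To:Date:Mime-Version:Subject:To:From; bh=oM6wsrm0OEHUknfqlpCLkp8vPngUoYEjC1O3kijw59E=;
\tb=ozjtXqthi9FrtEIynWEkalQM6/HWRFKqZzaB2EsH2Ctnsjyvopu6ZecsCfbPwI8u[truncated]=;
Received: from mail by f346.i.mail.ru with local (envelope-from <redacted@example.invalid>)
\tid 1WsRLg-0005gG-UK
\tfor <redacted@example.invalid>; Thu, 05 Jun 2014 10:40:29 +0400
Received: from [77.247.181.164] by e.mail.ru with HTTP;
\tThu, 05 Jun 2014 10:40:28 +0400
From: =?UTF-8?B?Sm9obiBEb2U=?= <decrypt-request@mail.ua>
To: redacted@example.invalid
Subject: =?UTF-8?B?UmVbMl06IEhlbHAgSSBuZWVkIGRlY3J5cHRpb24=?=
Mime-Version: 1.0
X-Mailer: Mail.Ru Mailer 1.0
X-Originating-IP: [77.247.181.164]
Date: Thu, 05 Jun 2014 10:40:28 +0400
Message-ID: <1401950428.978176915@f346.i.mail.ru>

"""

IP_RE = re.compile(r"from \[?(\d{1,3}(?:\.\d{1,3}){3})\]?")


def received_chain(msg):
    """Received hops oldest-first; each MTA prepends its own line, so the
    last Received in the header is the first hop."""
    hops = [" ".join(str(h).split()) for h in msg.get_all("Received", [])]
    return list(reversed(hops))


def submission_ip(msg):
    """Address recorded by the first hop (the webmail/HTTP submission here)."""
    for hop in received_chain(msg):
        m = IP_RE.search(hop)
        if m:
            return m.group(1)
    return None


def analyse(raw_header):
    """Decode the encoded-word headers and collect the origin indicators."""
    msg = message_from_string(raw_header, policy=policy.default)
    x_orig = msg.get("X-Originating-IP")
    dkim = str(msg.get("DKIM-Signature", ""))
    d_match = re.search(r"\bd=([^;\s]+)", dkim)
    sender = str(msg["From"])                      # decoded: John Doe <...>
    return {
        "from": sender,
        "from_domain": sender.rsplit("@", 1)[-1].rstrip(">"),
        "subject": str(msg["Subject"]),            # decoded from =?UTF-8?B?..?=
        "hops": received_chain(msg),
        "submission_ip": submission_ip(msg),
        "x_originating_ip": str(x_orig).strip("[] ") if x_orig else None,
        "dkim_domain": d_match.group(1) if d_match else None,
        "mailer": str(msg.get("X-Mailer", "")),
    }


if __name__ == "__main__":
    summary = analyse(SAMPLE_HEADER)
    for hop_no, hop in enumerate(summary["hops"], 1):
        print(f"hop {hop_no}: {hop}")
    for key in ("from", "subject", "submission_ip", "x_originating_ip",
                "dkim_domain", "from_domain", "mailer"):
        print(f"{key:17s} {summary[key]}")
```

Two points fall out of running it. The DKIM domain matches the From domain, so the signature tells you only that mail.ua's servers sent it, nothing about who sits behind the account. And the submission IP comes from the provider's own Received line, so it is trustworthy as far as the webmail service is honest; as the next comment notes, it still does not have to be the sender's real address, which is why the reverse lookup is the step after this one.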
#24 by mickyj on June 5, 2014 - 7:51 pm
Bummer, the person is on the TOR network.
IP address: 77.247.181.164
Hostname: rainbowwarrior.torservers.net
#25 by mickyj on June 14, 2014 - 12:24 pm
After conversing via email with the creator of this menace, I have established that the 3 day limit in the warning is false. He can decrypt them after the limit has passed.
#26 by mostafa siddiqui on January 29, 2015 - 9:45 pm
All my doc files were encrypted by the MZKICQN file type. I am a poor person and live in Bangladesh. Please help me.
#27 by mickyj on January 30, 2015 - 7:44 am
Can you elaborate about the MZKICQN File type ?
Are you being presented with a ransom notice?
#28 by Mostafa Siddique on January 31, 2015 - 3:37 pm
All of my DOC and XLS files have been encrypted through MZKICQN.
When I open any file, that ransom notice comes up.
It is asking me to procure a decryption key against the public key.
Please solve my problem, otherwise I am going to be finished.
#29 by mickyj on February 1, 2015 - 11:53 am
Hello,
I am still not sure what MZKICQN is. What version of Windows are you running? Do you know if you have Volume Shadow Copy running on your PC? Do you have a backup? Without paying the ransom, most of these malware can only be recovered from with a backup. Volume Shadow Copy might be turned on with Windows 7 and Windows 8 and may allow us to recover earlier versions of your files.