Mickyj's Mindspillage

29 Comments

• #1 by mickyj on June 3, 2014 - 6:29 pm

  Reply Quote

  

  The previous and similar version of this malware (has different text) apparently renames files and puts
  “.encrypted” at the end of the file name

• #2 by mickyj on June 4, 2014 - 9:26 am

  Reply Quote

  

  We have looked through the data files and many seem to not be encrypted. We have started stumbling over randomly names files to “.encrypted” at the end of the file name.

  It looks like the virus had not fnished the job when it alerted the user so we can save some files for this person.

  Each attacked folder has a file called “PLEASE_READ.txt” which contains the same message as the popup and the session key.

  There does not appear to be a list of files in the registry to aide detection of the attacked files. Still looking.

• #3 by mickyj on June 4, 2014 - 9:31 am

  Reply Quote

  

  text file contents

  All your files was encrypted with CryptoLocker!

  This means that without a decryption key the recovery of your files is not possible.
  If your files have a value to you and you are willing to pay me for the decryption key please contact me: decrypt-request@mail.ua

  You have 3 days to pay for my services. After this period, you will lose all your files.

  Anti-virus software can remove Cryptolocker, but can not decrypt your files. The only way to recover your files – is to pay for the decryption key.

  Information for IT-specialists:

  Data was encrypted with AES (Rijndael) algorithm with the session key length of 256 bits. Session key is encrypted with RSA (2048 bits) algorithm. Public-key is enclosed into CryptoLocker. Private-key for decryption of the session key is stored only in my database.
  To crack this key, you will need more than a million years time.
  —- Encrypted Session Key Begin —-
  B94D5058DCC41C9B964CDDD468EF6CB91372E8E1A46AD77F83FB86B7ED515AA8BD79BAA29146B773507CB3CA9BAA007F04E7126C86D7BEF67C318172A6E8BD0A2C9B24BA5AC5C8C7A66C7E0CF14379C7A406AA696A3711AF4F1C69C5C8E308B9014FFA5130AA6C6B4E47BE2BA7EAF9609BFEC82C50B9F3BC0AFE65F9F7181B0702DA2A5829912B9981602D48668C59D79A1896EE42BEF46251E53E5109A6B2D739F18D379FF52CE3B3248D4138716BD04318B453D4316A5F89C97A398348A7F515ACE5D15C17FBFF000F08640406E34E7EDFB4CBA58CE98D508806E0437F2093605453D0E1FCE4E39BF7D36AD46E82254E16F2507A0FE6CA572C823CF25761F6
  —- Encrypted Session Key End —-

• #4 by mickyj on June 4, 2014 - 9:34 am

  Reply Quote

  

  Here is the low down from Symantec

  http://www.symantec.com/security_response/earthlink_writeup.jsp?docid=2014-060208-2817-99

• #5 by mickyj on June 4, 2014 - 10:23 am

  Reply Quote

  

  We have the registry key
  [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
  “atyvuqyc”=”C:\\windows\\uquhotyq.exe”

  But do not have the Bittorrent key listed in the Symantec article.

  I copied the Malware to a USB key and Trend Micro WorryFree imeadiatly killed it (Which is good).

• #6 by mickyj on June 4, 2014 - 10:38 am

  Reply Quote

  

  Trend Detects it as TROJ_CRYPTOLOCKER.A

• #7 by mickyj on June 4, 2014 - 10:56 am

  Reply Quote

  

  This has may other names. See here for the analysis https://www.virustotal.com/en/file/ad9692b0d589faf72121e4c390138dfe872fe913f73dd1edb699e60bab38f875/analysis/

• #8 by mickyj on June 4, 2014 - 11:33 am

  Reply Quote

  

  http://hackermedicine.com/tag/trojan-cryptolocker-f/

• #9 by mickyj on June 4, 2014 - 12:59 pm

  Reply Quote

  

  Hmm looks like this particular infection came from Russia/

  IP address : 188.120.249.86
  Country : Russian Federation
  Region: Moscow City

  mail came from the server server mailformail.ru

  It tried to get the user to click the following link
  energymar.com/data/electricity/view/get/energy.php?e=id=XXXXXXXXXXXXXXXXXXXXX

• #10 by mickyj on June 4, 2014 - 1:37 pm

  Reply Quote

  

  Affected file list

  Windows Boot Configuration Data file located in
  :\Boot\BCD

  Then there are a bunch of file types. I noted that some files that were encrypted did not have an extension and the Malware must have worked out that they were a Doc or Docx file (Or other) by reading the mime header and encrypted it anyway.

  docx
  docx
  doc
  xls
  pst
  msg
  pdf
  JPG
  MPG
  zip
  xlsx
  ppt
  htm
  thmx
  pptx
  mpp
  xlsm
  vsd
  ppsx
  css
  TIF
  mht
  rtf
  mp4
  dot
  rar
  dotx
  mov
  js
  shs
  THM
  rdp
  BUP
  IFO
  VOB

• #11 by mickyj on June 4, 2014 - 1:38 pm

  Reply Quote

  

  I should mention, it did not hit every file. We had many folders with some files encrypted and others not.

• #12 by mickyj on June 4, 2014 - 5:15 pm

  Reply Quote

  

  The good news is that I only found the one exe file on the server that was a virus. I don’t trust the OS so it will be blown away however, currently this thing looks to be removable.

  The other good news is that this is a Windows 7 PC running Volume Shadow copy. A quick visit to \\127.0.0.1\c$ and restore previous versions allows me to get almost all data back, to within 1 day of the infection.

• #13 by mickyj on June 4, 2014 - 8:41 pm

  Reply Quote

  

  I emailed the email address in this message and this is the reply

  —–Original Message—–
  From: John Doe [mailto:decrypt-request@mail.ua]
  Sent: Wednesday, 4 June 2014 4:49 PM
  To:
  Subject: Re: Help I need decryption

  Hello,
  Your PC data was encrypted with my virus. You have 2 ways to solve this problem:
  1. Format your disk (all your data will be lost).
  2. Buy a decryption key from me and decrypt/restore all your data.

  To get back your data you need to pay 1000 USD for the decryption key. Payment should be made via Western Union or MoneyGram payment systems.

  FAQ:

  1. What Western Union and MoneyGram?
  To learn more about money transfer systems, please visit:
  http://www.westernunion.com/
  http://global.moneygram.com/en

  2. Can you make a discount?
  Unfortunately, no.

  3. Do you guarantee that my data will be restored?
  I give you 100 guarantee that all encrypted data will be restored. If you have any doubts about it, you can send me one of .encrypted files and Encrypted Session Key value.
  As a proof you will get back decrypted data from this file.

• #14 by mickyj on June 4, 2014 - 8:41 pm

  Reply Quote

  

  Here is his email header to me (With my details redacted)
  Return-path:
  Envelope-to:
  Delivery-date: Wed, 04 Jun 2014 17:20:05 +1000
  Received: from [] (helo=postoffice03.internal)
  by mail01.internal with esmtp (Exim 4.71)
  (envelope-from )
  id 1Ws5UT-0007Ct-6X
  for ; Wed, 04 Jun 2014 17:20:05 +1000
  Received: from [185.5.136.105] (helo=f434.i.mail.ru)
  by postoffice03.internal with esmtp (Exim 4.71)
  (envelope-from )
  id 1Ws5UR-00023g-Se
  for ; Wed, 04 Jun 2014 17:20:05 +1000
  DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=mail.ua; s=mail;
  h=References:In-Reply-To:Content-Type:Message-ID:Reply-To:Date:Mime-Version:Subject:To:From; bh=ww/CNnF5lm4EPUl539VY4aj2HQZ/6HAfchl/Nt0mC/8=;
  b=YqPFuzDXMpwx9HBmfJ4prsnijuSWTan4c/J14jDcipZetBg6I6JQURAcrndWCDKUMfl9hix+9ZJE/kP9iCa/J1fV0qBKK+0x+K4t+6gUJKKzqjRs2ApYeCBPTGxD/Bpx5s+N0bWIgLPAjJlS61aXklXCyJxbKKxNjUdtjclvSnQ=;
  Received: from mail by f434.i.mail.ru with local (envelope-from )
  id 1Ws5TB-0003H6-FU
  for ; Wed, 04 Jun 2014 11:19:49 +0400
  Received: from [84.113.242.162] by e.mail.ru with HTTP;
  Wed, 04 Jun 2014 11:18:45 +0400
  From: =?UTF-8?B?Sm9obiBEb2U=?=
  To:
  Subject: =?UTF-8?B?UmU6IEhlbHAgSSBuZWVkIGRlY3J5cHRpb24=?=
  Mime-Version: 1.0
  X-Mailer: Mail.Ru Mailer 1.0
  X-Originating-IP: [84.113.242.162]
  Date: Wed, 04 Jun 2014 11:18:45 +0400
  Reply-To: =?UTF-8?B?Sm9obiBEb2U=?=
  X-Priority: 3 (Normal)
  Message-ID: <1401866325.489546289@f434.i.mail.ru>
  Content-Type: multipart/alternative;
  boundary=”–ALT–Cvxjtxm01401866325″
  X-Mras: Ok
  X-Spam: undefined
  In-Reply-To: .com.au>
  References: .com.au>

• #15 by mickyj on June 4, 2014 - 11:19 pm

  Reply Quote

  

  Something a little more formal that I wrote on the original version http://www.crn.com.au/Feature/364753,uncracking-cryptolocker.aspx

  Here is a link to a Cryptolocker prevention kit http://msmvps.com/blogs/bradley/archive/2013/10/15/cryptolocker-prevention-kit.aspx

• #16 by mickyj on June 5, 2014 - 11:45 am

  Reply Quote

  

  The file names are likely unique to this infection however there are two temp folders in the users temporary file ares.

  Temp1_bill_11c47bb59cd308388e6161f699319249.zip
  Temp1_bill_185c97df66a7733ec7bf3b66113e81ed.zip

  Obviously the infection comes down in a Zip file.

  I found only images and .js files in the termporary internet files. There is nothing in the Windows temp folder nor in the local system services profiles (including the temporary internet files). There is nothing in the Internet Explorer Low Temporary Internet Files.

• #17 by mickyj on June 5, 2014 - 11:46 am

  Reply Quote

  

  The images in the email received by clients are nolonger available online

  http://energymar.com/files/nameset/images/aa1e3d5dea172a796b9f9196027a7dfa.png

  http://energymar.com/files/nameset/images/c0ab278af0a1811d58517654192369dd.jpg

• #18 by mickyj on June 5, 2014 - 12:11 pm

  Reply Quote

  

  Looking at the files downloaded I can see custom EOT (Internet Explorer Font files) in the Termpoary Internet files. Wondering if there is any data in these files we can use to to further pinpoint the hacker. There seems to be a lot of text in these files. (They might also have been pinched from the real Energy Australia website).

• #19 by mickyj on June 5, 2014 - 12:29 pm

  Reply Quote

  

  Looks like many of the internet links accessed when this event triggers use resources linked into the real Enegy Australia Website.

  It also looks like the hacker is making money from Google Adwords from the site. not sure yet.

  Here are the URLS in th order they were accessed.

  http://energymar.com/data/electricity/view/get/energy.php?eid=974754845476552

  http://energymar.com/data/electricity/view/get/energy.php?action=53872d333e51f9bab1c7161c3ed0808e

  http://energymar.com/qt2/app/quoteservice/followme?mobile=false

  http://googleads.g.doubleclick.net/pagead/viewthroughconversion/996712443/?random=1401434419599&cv=7&fst=1401434419599&num=1&fmt=1&guid=ON&u_h=810&u_w=1441&u_ah=768&u_aw=1441&u_cd=24&u_his=1&u_tz=600&u_java=true&u_nplug=0&u_nmime=0&frm=2&url=http%3A//4267471.fls.doubleclick.net/activityi%3Bsrc%3D4267471%3Btype%3DLandi-%3Bcat%3DHomep-%3Bord%3D1%3Bnum%3D2243370066247.2017%3F&ref=http%3A//energymar.com/data/electricity/view/get/energy.php%3Feid%3D974754845476552

  http://energymar.com/data/electricity/view/get/2files/activityi_data/a.htm

  http://googleads.g.doubleclick.net/pagead/viewthroughconversion/996712443/?random=1401434419549&cv=7&fst=1401434419549&num=1&fmt=1&guid=ON&u_h=810&u_w=1441&u_ah=768&u_aw=1441&u_cd=24&u_his=1&u_tz=600&u_java=true&u_nplug=0&u_nmime=0&frm=1&url=http%3A//energymar.com/data/electricity/view/get/energy.php%3Feid%3D974754845476552&ref=http%3A//energymar.com/data/electricity/view/get/energy.php%3Feid%3D974754845476552

  http://energymar.com/data/electricity/view/get/2files/activityi.htm

  http://4267471.fls.doubleclick.net/activityi;src=4267471;type=Landi-;cat=Homep-;ord=1;num=2243370066247.2017?

  http://energymar.com/data/electricity/view/get/2files/followme.htm

  http://googleads.g.doubleclick.net/pagead/viewthroughconversion/996712443/?random=1401434403472&cv=7&fst=1401434403472&num=1&fmt=1&guid=ON&u_h=810&u_w=1441&u_ah=768&u_aw=1441&u_cd=24&u_his=0&u_tz=600&u_java=true&u_nplug=0&u_nmime=0&frm=2&url=http%3A//4267471.fls.doubleclick.net/activityi%3Bsrc%3D4267471%3Btype%3DLandi-%3Bcat%3DHomep-%3Bord%3D1%3Bnum%3D8490257177540.451%3F&ref=http%3A//energymar.com/data/electricity/view/get/energy.php%3Feid%3D974754845476552

  http://googleads.g.doubleclick.net/pagead/viewthroughconversion/996712443/?random=1401434403371&cv=7&fst=1401434403371&num=1&fmt=1&guid=ON&u_h=810&u_w=1441&u_ah=768&u_aw=1441&u_cd=24&u_his=0&u_tz=600&u_java=true&u_nplug=0&u_nmime=0&frm=1&url=http%3A//energymar.com/data/electricity/view/get/energy.php%3Feid%3D974754845476552&ref=http%3A//energymar.com/data/electricity/view/get/energy.php%3Feid%3D974754845476552

  http://4267471.fls.doubleclick.net/activityi;src=4267471;type=Landi-;cat=Homep-;ord=1;num=8490257177540.451?

  http://www.energyaustralia.com.au/qt2/app/quoteservice/followme?mobile=false

  http://www.energyaustralia.com.au/about-us/media-centre/current-news/energyaustralia-reinforces-commitment-to-improved-sales-processes-post-accc

  http://googleads.g.doubleclick.net/pagead/viewthroughconversion/996712443/?random=1401434370366&cv=7&fst=1401434370366&num=1&fmt=1&guid=ON&u_h=810&u_w=1441&u_ah=768&u_aw=1441&u_cd=24&u_his=2&u_tz=600&u_java=true&u_nplug=0&u_nmime=0&frm=0&url=http%3A//www.energyaustralia.com.au/about-us/media-centre/current-news/energyaustralia-reinforces-commitment-to-improved-sales-processes-post-accc&ref=http%3A//energymar.com/data/electricity/view/get/energy.php%3Feid%3D974754845476552

  http://www.energyaustralia.com.au/about-us/media-centre/current-news/energyaustralia-reinforces-commitment-to-improved-sales-processes-post-accc

  http://energymar.com/data/electricity/view/get/energy.php?action=9c415315dee4e5455c41024a11deb904

  http://googleads.g.doubleclick.net/pagead/viewthroughconversion/996712443/?random=1401434291837&cv=7&fst=1401434291837&num=1&fmt=1&guid=ON&u_h=810&u_w=1441&u_ah=768&u_aw=1441&u_cd=24&u_his=1&u_tz=600&u_java=true&u_nplug=0&u_nmime=0&frm=2&url=http%3A//4267471.fls.doubleclick.net/activityi%3Bsrc%3D4267471%3Btype%3DLandi-%3Bcat%3DHomep-%3Bord%3D1%3Bnum%3D2699610595580.018%3F&ref=http%3A//energymar.com/data/electricity/view/get/energy.php%3Feid%3D974754845476552

  http://googleads.g.doubleclick.net/pagead/viewthroughconversion/996712443/?random=1401434291765&cv=7&fst=1401434291765&num=1&fmt=1&guid=ON&u_h=810&u_w=1441&u_ah=768&u_aw=1441&u_cd=24&u_his=1&u_tz=600&u_java=true&u_nplug=0&u_nmime=0&frm=1&url=http%3A//energymar.com/data/electricity/view/get/energy.php%3Feid%3D974754845476552&ref=http%3A//energymar.com/data/electricity/view/get/energy.php%3Feid%3D974754845476552

  http://4267471.fls.doubleclick.net/activityi;src=4267471;type=Landi-;cat=Homep-;ord=1;num=2699610595580.018?

  http://www.energyaustralia.com.au/favicon.ico

  http://googleads.g.doubleclick.net/pagead/viewthroughconversion/996712443/?random=1401434279965&cv=7&fst=1401434279965&num=1&fmt=1&guid=ON&u_h=810&u_w=1441&u_ah=768&u_aw=1441&u_cd=24&u_his=0&u_tz=600&u_java=true&u_nplug=0&u_nmime=0&frm=2&url=http%3A//4267471.fls.doubleclick.net/activityi%3Bsrc%3D4267471%3Btype%3DLandi-%3Bcat%3DHomep-%3Bord%3D1%3Bnum%3D9869523531519.277%3F&ref=http%3A//energymar.com/data/electricity/view/get/energy.php%3Feid%3D974754845476552

  http://googleads.g.doubleclick.net/pagead/viewthroughconversion/996712443/?random=1401434279899&cv=7&fst=1401434279899&num=1&fmt=1&guid=ON&u_h=810&u_w=1441&u_ah=768&u_aw=1441&u_cd=24&u_his=0&u_tz=600&u_java=true&u_nplug=0&u_nmime=0&frm=1&url=http%3A//energymar.com/data/electricity/view/get/energy.php%3Feid%3D974754845476552&ref=http%3A//energymar.com/data/electricity/view/get/energy.php%3Feid%3D974754845476552

  http://4267471.fls.doubleclick.net/activityi;src=4267471;type=Landi-;cat=Homep-;ord=1;num=9869523531519.277?

  http://googleads.g.doubleclick.net/pagead/viewthroughconversion/996712443/?random=1401430101344&cv=7&fst=1401430101344&num=1&fmt=1&guid=ON&u_h=810&u_w=1441&u_ah=768&u_aw=1441&u_cd=24&u_his=0&u_tz=600&u_java=true&u_nplug=0&u_nmime=0&frm=1&url=http%3A//energymar.com/data/electricity/view/get/energy.php%3Feid%3D974754845476552&ref=http%3A//energymar.com/data/electricity/view/get/energy.php%3Feid%3D974754845476552

• #20 by mickyj on June 5, 2014 - 5:57 pm

  Reply Quote

  

  Looks like the website is now down (energymar.com). Here was the details used (real of fake) for registration.

  Domain name: energymar.com
  Domain idn name: energymar.com
  Registry Domain ID:
  Registrar WHOIS Server: whois.reg.ru
  Registrar URL: https://www.reg.com/
  Registrar URL: https://www.reg.ru/
  Registrar URL: https://www.reg.ua/
  Updated Date: 2014-05-27
  Creation Date: 2014-05-27T12:20:56Z
  Registrar Registration Expiration Date: 2015-05-27
  Registrar: Domain names registrar REG.RU LLC
  Registrar IANA ID: 1606
  Registrar Abuse Contact Email: abuse@reg.ru
  Registrar Abuse Contact Phone: +7.4955801111
  Registry Registrant ID:
  Registrant Name: Michael Soentgen
  Registrant Organization: Private Person
  Registrant Street: Joop Geesinkweg 117
  Registrant City: Amsterdam
  Registrant State/Province: Amsterdam
  Registrant Postal Code: 1096
  Registrant Country: NL
  Registrant Phone: +31204707583
  Registrant Phone Ext:
  Registrant Fax:
  Registrant Fax Ext:
  Registrant Email: soentgen.michael@yahoo.com
  Registry Admin ID:
  Admin Name: Michael Soentgen
  Admin Organization: Private Person
  Admin Street: Joop Geesinkweg 117
  Admin City: Amsterdam
  Admin State/Province: Amsterdam
  Admin Postal Code: 1096
  Admin Country: NL
  Admin Phone: +31204707583
  Admin Phone Ext:
  Admin Fax:
  Admin Fax Ext:
  Admin Email: soentgen.michael@yahoo.com
  Registry Tech ID:
  Tech Name: Michael Soentgen
  Tech Organization: Private Person
  Tech Street: Joop Geesinkweg 117
  Tech City: Amsterdam
  Tech State/Province: Amsterdam
  Tech Postal Code: 1096
  Tech Country: NL
  Tech Phone: +31204707583
  Tech Phone Ext:
  Tech Fax:
  Tech Fax Ext:
  Tech Email: soentgen.michael@yahoo.com
  Name Server: ns1.firstvds.ru
  Name Server: ns2.firstvds.ru
  DNSSEC: Unsigned
  URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/

• #21 by mickyj on June 5, 2014 - 6:10 pm

  Reply Quote

  

  Looks like the domain was dropped or Nameservers Removed on 31 May 2014

  was registered here

  ns2.firstvds.ru
  ns1.firstvds.ru

  using http://whoisrequest.org/history/

• #22 by mickyj on June 5, 2014 - 7:32 pm

  Reply Quote

  

  So I sent the malware a writer a sample to decrypt. They sent the file back with this message

  From: John Doe [mailto:decrypt-request@mail.ua]
  Sent: Thursday, 5 June 2014 4:10 PM
  To:
  Subject: Re[2]:

  See decrypted file in attach. After you pay, I will send you decryption software. If you agree to pay, I give you payment details.

• #23 by mickyj on June 5, 2014 - 7:36 pm

  Reply Quote

  

  Looks like the hacker replied to me using web mail and their IP may just have been captured

  Return-path:
  Envelope-to:
  Delivery-date: Thu, 05 Jun 2014 16:41:04 +1000
  Received: from [] (helo=postoffice03.internal)
  by mail01.internal with esmtp (Exim 4.71)
  (envelope-from )
  id 1WsRMF-000680-TM
  for ; Thu, 05 Jun 2014 16:41:04 +1000
  Received: from [217.69.140.242] (helo=f346.i.mail.ru)
  by postoffice03.internal with esmtp (Exim 4.71)
  (envelope-from )
  id 1WsRLm-00027E-SW
  for u; Thu, 05 Jun 2014 16:41:03 +1000
  DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=mail.ua; s=mail;
  h=References:In-Reply-To:Content-Type:Message-ID:Reply-To:Date:Mime-Version:Subject:To:From; bh=oM6wsrm0OEHUknfqlpCLkp8vPngUoYEjC1O3kijw59E=;
  b=ozjtXqthi9FrtEIynWEkalQM6/HWRFKqZzaB2EsH2Ctnsjyvopu6ZecsCfbPwI8uA1e+ChdXCDIsUtMt8MgPLIV+ZpqMkLSRbTIhGqpfHRy+kFWtt9JlsUqEplMec+YFj99H+WIfIRTP8v+uZ+OCGOxPU89U6U5g6Em3t6UZ//M=;
  Received: from mail by f346.i.mail.ru with local (envelope-from )
  id 1WsRLg-0005gG-UK
  for ; Thu, 05 Jun 2014 10:40:29 +0400
  Received: from [77.247.181.164] by e.mail.ru with HTTP;
  Thu, 05 Jun 2014 10:40:28 +0400
  From: =?UTF-8?B?Sm9obiBEb2U=?=
  To:
  Subject: =?UTF-8?B?UmVbMl06IEhlbHAgSSBuZWVkIGRlY3J5cHRpb24=?=
  Mime-Version: 1.0
  X-Mailer: Mail.Ru Mailer 1.0
  X-Originating-IP: [77.247.181.164]
  Date: Thu, 05 Jun 2014 10:40:28 +0400
  Reply-To: =?UTF-8?B?Sm9obiBEb2U=?=
  X-Priority: 3 (Normal)
  Message-ID: <1401950428.978176915@f346.i.mail.ru>
  Content-Type: multipart/mixed;
  boundary=”—-1e7w11ky-dqTTljk8wPsEE8q9:1401950428″
  X-Mras: Ok
  X-Spam: undefined
  In-Reply-To: <13e74555759a6fee1d748ea2255466143f03ecc2@webmail..com.au>
  References: <13e74555759a6fee1d748ea2255466143f03ecc2@webmail..com.au>

• #24 by mickyj on June 5, 2014 - 7:51 pm

  Reply Quote

  

  Bummer, the person is on the TOR network.

  IP address77.247.181.164
  Hostname rainbowwarrior.torservers.net

• #25 by mickyj on June 14, 2014 - 12:24 pm

  Reply Quote

  

  After conversing via email with the creator of this menace, I have established that the 3 day limit in the warning is false. He can decrypt them after the limit has passed.

• #26 by mostafa siddiqui on January 29, 2015 - 9:45 pm

  Reply Quote

  

  my all doc encrypted by MZKICQN File type..i m poor person and live in bangladesh. pls help me.

  • #27 by mickyj on January 30, 2015 - 7:44 am

    Reply Quote

    

    Can you elaborate about the MZKICQN File type ?
    Are you being presented with a ransom notice?

• #28 by Mostafa Siddique on January 31, 2015 - 3:37 pm

  Reply Quote

  

  All of my DOC, XLS file have been encrypted through MZKICQN .
  When i open any file that random notice come.
  And asking me to procure a decrypted key againist public key .
  Pls solve my problem otherwise i m gona to be finished

  • #29 by mickyj on February 1, 2015 - 11:53 am

    Reply Quote

    

    Hello,
    I am still not sure what MZKICQN is. What version of Windows are you running ? Do you know if you have Volume shadow copy running on your Pc ? Do you have a backup ? Without paying the ransom, most of these malware can only be recovered from with a backup. Volume shadow might be turned on with Windows 7 and Windows 8 and may allow us to recover earlier versions of your files.