Ransomware Decryption Tool



Below is some information on decryption tools for WannaCrypt/WannaCry and for other ransomware families:

  • bleepingcomputer.com | With the Success of WannaCry, Imitations are Quickly In Development
  • thehackernews.com | WannaCry Ransomware Decryption Tool Released; Unlock Files Without Paying Ransom
  • nomoreransom.org | Decryption Tools
  • bankinfosecurity.com | WannaCry Ransomware: Tools Decrypt for Free
  • avast.com | Free Ransomware Decryption Tools


#Lawrence Abrams | bleepingcomputer.com | May 15, 2017

With the Success of WannaCry, Imitations are Quickly In Development


 

With the successful launch of the WannaCry ransomware last Friday, ransomware developers have been quick to release their own imitations. Currently there are five different WannaCry knockoffs in various stages of development. Of particular interest is what appears to be a WannaCry ransomware generator that allows you to customize the appearance and text of the lock screen.

Let’s take a look at what each of these imitations has to offer.

DarkoderCrypt0r

Of the WannaCry imitators, DarkoderCrypt0r is the farthest along in development, as it actually encrypts files on a computer. The developers copied the WannaCry lock screen and adapted it a bit with their own title, bitcoin addresses, etc. This ransomware is still in development, as it currently only encrypts files on the victim’s Desktop. When encrypting files it appends the .DARKCRY extension to the encrypted file’s name. The executable is named @DaKryEncryptor@.exe.


Sample: 2ffd9ba7b5dbccf734da02498fa2a6af8caaf8b9f98d4b32bc226516eee5c832
Released: 5/14/17

Aron WanaCrypt0r 2.0 Generator v1.0

Aron WanaCrypt0r 2.0 Generator v1.0 is an interesting sample, as it is being developed to be a customizable WannaCry ransomware generator. The program lets a would-be developer build a customized WannaCry lock screen, changing its text, images, and colors.

The generator will most likely then use these customizations to create a customized WanaCrypt0r ransomware executable that a wannabe ransomware developer can distribute in order to collect ransoms. At this time, the generator only allows you to customize the lock screen and then display the customized screen. It does not generate a customized ransomware executable.


Sample: b46c6addef8894d5079f592152481d259338175806eb9a983ddb8edb9ec5aa44
Released: 5/14/17

Wanna Crypt v2.5

Wanna Crypt v2.5 is in the very beginning stages of development as it only displays the lock screen shown below when launched.


Sample: 925b3acaa3252bf4d660eab22856fff155f3106c2fee7567711cb34374b499f3
Released: 5/14/17

WannaCrypt 4.0

Like Wanna Crypt v2.5, WannaCrypt 4.0 is in the beginning stages of development and does not encrypt anything at this time. An interesting aspect of this sample is that the default language for the lock screen is Thai. As the original WannaCry does not support Thai, my guess is that the developer of this imitation is from Thailand.


Sample: cd7542f2d7f2285ab524a57bc04ae1ad9306a15b9efbf56ea7b002d99d4b974f
Released: 5/14/17

Wana Decrypt0r 2.0

Another in-development ransomware that uses the WannaCry lock screen. It is being distributed as MS17-010.exe.


Sample: a4704be3a77f989693188a4a505b62719ffe87718f8891ab5d3e1de1b1a57572
Released: 5/15/17



#Swati Khandelwal | thehackernews.com | Thursday, May 18, 2017

WannaCry Ransomware Decryption Tool Released; Unlock Files Without Paying Ransom



If your PC has been infected by WannaCry – the ransomware that wreaked havoc across the world last Friday – you might be lucky enough to get your locked files back without paying the $300 ransom to the cyber criminals.

Adrien Guinet, a French security researcher from Quarkslab, has discovered a way to retrieve the secret encryption keys used by the WannaCry ransomware for free. Together with the tooling described below, the technique works on Windows XP, Windows 7, Windows Vista, and Windows Server 2003 and 2008.

WannaCry Ransomware Decryption Keys

WannaCry’s encryption scheme generates an RSA key pair on the victim’s computer, built from two large prime numbers: a “public” key, used to encrypt the keys that lock the victim’s files, and a “private” key, which is needed to decrypt them.

To prevent the victim from recovering the private key and decrypting the locked files, WannaCry erases that key from the system, leaving the victim no way to obtain the decryption key except paying the ransom to the attacker.

But here’s the kicker: WannaCry “does not erase the prime numbers from memory before freeing the associated memory,” says Guinet.

Based on this finding, Guinet released a WannaCry decryption tool named WannaKey, which tries to retrieve from memory the two prime numbers used to generate the encryption key. It works on Windows XP only.

Note: Below I have also mentioned another tool, dubbed WanaKiwi, that works for Windows XP to Windows 7.

“It does so by searching for them in the wcry.exe process. This is the process that generates the RSA private key. The main issue is that CryptDestroyKey and CryptReleaseContext do not erase the prime numbers from memory before freeing the associated memory,” says Guinet.

So, that means, this method will work only if:

  • The affected computer has not been rebooted after being infected.
  • The associated memory has not been allocated and erased by some other process.

“In order to work, your computer must not have been rebooted after being infected. Please also note that you need some luck for this to work (see below), and so it might not work in every case!” Guinet says.

This is not really a mistake from the ransomware authors, as they properly use the Windows Crypto API.

WannaKey only pulls the prime numbers out of the affected computer’s memory; on its own it is useful only to people who can then use those primes to reconstruct the private key and decrypt their WannaCry-encrypted files themselves.

WanaKiwi: WannaCry Ransomware Decryption Tool

Good news is that another security researcher, Benjamin Delpy, developed an easy-to-use tool called “WanaKiwi,” based on Guinet’s finding, which simplifies the whole process of the WannaCry-infected file decryption.

All victims have to do is download the WanaKiwi tool from GitHub and run it on their affected Windows computer from the command line (cmd).

WanaKiwi works on Windows XP, Windows 7, Windows Vista, Windows Server 2003 and 2008, confirmed Matt Suiche from security firm Comae Technologies, who has also provided some demonstrations showing how to use WanaKiwi to decrypt your files.

Although the tool won’t work for every user due to its dependencies, still it gives some hope to WannaCry’s victims of getting their locked files back for free even from Windows XP, the aging, largely unsupported version of Microsoft’s operating system.



#nomoreransom.org | DECRYPTION TOOLS

IMPORTANT! Before downloading and starting the solution, read the how-to guide. Make sure you remove the malware from your system first, otherwise it will repeatedly lock your system or encrypt files. Any reliable antivirus solution can do this for you.


Rakhni Decryptor (updated 18-5-2017 with Dharma / Crysis – support for .onion and .wallet extensions)

Download (tool made by Kaspersky Lab)

RakhniDecryptor tool is designed to decrypt files encrypted by:

  • Dharma;
  • Crysis;
  • Chimera;
  • Rakhni;
  • Agent.iih;
  • Aura;
  • Autoit;
  • Pletor;
  • Rotor;
  • Lamer;
  • Lortok;
  • Cryptokluchen;
  • Democry;
  • Bitman (TeslaCrypt) version 3 and 4.

For more information please see this how-to guide. URI: https://www.nomoreransom.org/decryption-tools.html

  • Rannoh Decryptor (updated 20-12-2016 with CryptXXX v3)
  • Cry128 Decryptor
  • Amnesia Decryptor
  • Cry9 Decryptor
  • Damage Decryptor
  • Crypton Decryptor
  • Merry X-Mas Decryptor
  • BarRax Decryptor
  • Alcatraz Decryptor
  • Bart Decryptor
  • Crypt888 Decryptor
  • HiddenTear Decryptor
  • Noobcrypt Decryptor
  • CryptoMix Decryptor
  • Popcorn Decryptor
  • Marlboro Decryptor
  • GlobeImposter Decryptor
  • MRCR Decryptor
  • Globe3 Decryptor
  • Derialock Decryptor
  • PHP Ransomware Decryptor
  • WildFire Decryptor
  • Chimera Decryptor
  • Teslacrypt Decryptor
  • Shade Decryptor
  • CoinVault Decryptor
  • Jigsaw Decryptor
  • TM Ransomware File Decryptor
  • NMoreira Decryptor
  • Ozozalocker Decryptor
  • Globe Decryptor
  • Globe2 Decryptor
  • FenixLocker Decryptor
  • Philadelphia Decryptor
  • Stampado Decryptor
  • Xorist Decryptor
  • Nemucod Decryptor
  • Gomasom Decryptor
  • Linux.Encoder Decryptor



#Mathew J. Schwartz (euroinfosec) | bankinfosecurity.com | May 22, 2017

WannaCry Ransomware: Tools Decrypt for Free

Decryptors from French Researchers May Save Many Victims 


WanaKiwi decrypts a Windows PC infected by WannaCry. (Source: Benjamin Delpy)

Good news for many victims of WannaCry: Free tools can be used to decrypt some PCs that were forcibly encrypted by the ransomware, providing the prime numbers used to build the crypto keys remain in Windows memory and have not yet been overwritten.

The decryption tools carry several caveats: Affected systems must not have been powered down or rebooted. Users must also have admin-level access to the infected system. And even then, security researchers caution, the tools still might not work with every type of infected system.

But the tools give WannaCry victims a potential way to restore their systems without having to consider whether they will pay their attackers. Security experts and law enforcement agencies recommend not paying ransoms whenever possible, because payments directly fund future cybercrime (see Please Don’t Pay Ransoms, FBI Urges).

WannaCry infections began sweeping worldwide May 12, infecting more than 200,000 Windows computers with a speed and severity not witnessed since the days of the Love Bug and SQL Slammer worms in the early 2000s (see Teardown: WannaCry Ransomware).

Whoever designed WannaCry added the ability for it to spread like a worm by using two leaked “Equation Group” exploits, including one for a Windows Server Message Block (SMB) protocol flaw that Microsoft addressed for its supported Windows systems in March via the MS17-010 security update. The exploit, believed to have been built by the National Security Agency, was leaked in April by the Shadow Brokers hacking group.

After the attacks began, late on May 12 Microsoft shared emergency updates for three operating systems it no longer officially supports – Windows XP, Windows Server 2003 and Windows 8 – to patch the SMB flaw.

French Security Researchers to the Rescue

After WannaCry first appeared, three French security researchers, working around the clock, reverse-engineered the ransomware and began developing, testing and releasing decryption tools. On Thursday, Adrien Guinet, a security researcher at Paris-based cybersecurity firm Quarkslab, released WannaKey, which can decrypt Windows XP systems. On Friday, Benjamin Delpy released WanaKiwi, which he built in his spare time, away from his day job at Banque de France. Throughout, their efforts have been supported and tested by Dubai-based security expert Matt Suiche.

RSA keys – including the one WannaCry generates on each victim’s PC – are created from two very large prime numbers: their product is the public modulus, and anyone who knows the two primes can compute the private key.

But there’s evidently a weakness in the Windows functionality that WannaCry’s developer tapped, the Microsoft CryptoAPI, the researchers found. For at least a short time after the key is freed, Windows leaves the two prime numbers it generated for WannaCry in the process’s memory. As long as that memory has not been reused, those primes can be recovered, used to recompute the private key, and then used to decrypt all forcibly encrypted data.
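The Python below is an added worked example written for this page; it is not WannaKey or WanaKiwi source code. It ties together the key-recovery idea in the Hacker News piece above (primes left behind by CryptDestroyKey/CryptReleaseContext) and the paragraph just above: scan a block of process memory for a value that divides the public modulus n, derive the other prime from n, rebuild the private key in the CRT form (d, dp, dq, qinv) that a CryptoAPI private key blob carries, and decrypt with it. Assumptions: a public exponent of 65537 and little-endian integer layout, as CryptoAPI uses; the two Mersenne primes and the "process memory" buffer are constructed test data, far smaller than WannaCry's RSA-2048 keys.

```python
"""Rebuild an RSA private key from primes found in memory and decrypt with it.

Added example written for this page; it is not WannaKey or WanaKiwi source.
Assumptions: public exponent 65537 and little-endian integers (CryptoAPI's
layout). The primes and the 'process memory' below are constructed test data.
"""
import random
from math import gcd

PUBLIC_EXPONENT = 65537  # assumed value for the RSA key CryptGenKey produced

# Constructed test primes: Mersenne primes 2^89-1 and 2^107-1. A real WannaCry
# key uses two 1024-bit primes; the arithmetic is identical.
TEST_P = (1 << 89) - 1
TEST_Q = (1 << 107) - 1
TEST_PRIME_LEN = 14  # bytes per prime in the constructed memory image (107 bits)


def private_key_from_primes(p, q, e=PUBLIC_EXPONENT):
    """Return (n, d, dp, dq, qinv) for the key whose modulus is p*q.
    These are the values a CryptoAPI private key blob carries."""
    if p == q:
        raise ValueError("p and q must differ")
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e is not invertible modulo phi(n)")
    d = pow(e, -1, phi)                      # private exponent
    dp, dq = d % (p - 1), d % (q - 1)        # CRT exponents
    qinv = pow(q, -1, p)                     # CRT coefficient q^-1 mod p
    return n, d, dp, dq, qinv


def rsa_encrypt(m, n, e=PUBLIC_EXPONENT):
    """Textbook RSA with the public key (no padding; enough to verify recovery)."""
    return pow(m, e, n)


def rsa_decrypt_crt(c, p, q, dp, dq, qinv):
    """Decrypt using the CRT representation of the private key (Garner's form)."""
    m1 = pow(c, dp, p)
    m2 = pow(c, dq, q)
    h = (qinv * (m1 - m2)) % p
    return m2 + h * q


def find_prime_factor(memory, n, prime_len):
    """Slide a prime_len-byte little-endian window over memory and return the
    first value that is a non-trivial divisor of n, i.e. p or q. This is the
    memory-scan idea: it only succeeds while the freed key material has not
    been reused, which is why a reboot makes recovery impossible."""
    for offset in range(len(memory) - prime_len + 1):
        candidate = int.from_bytes(memory[offset:offset + prime_len], "little")
        if 1 < candidate < n and n % candidate == 0:
            return candidate
    return None


def build_test_memory(p, prime_len, seed=1234):
    """Constructed 'process memory': deterministic filler with p embedded."""
    rng = random.Random(seed)
    filler = bytes(rng.getrandbits(8) for _ in range(4096))
    return filler[:1500] + p.to_bytes(prime_len, "little") + filler[1500:]


def recover_and_decrypt(memory, n, prime_len, ciphertext):
    """Find one prime in memory, derive the other from n, rebuild the private
    key and decrypt. Returns None when no prime is present any more."""
    p = find_prime_factor(memory, n, prime_len)
    if p is None:
        return None
    q = n // p
    _n, _d, dp, dq, qinv = private_key_from_primes(p, q)
    return rsa_decrypt_crt(ciphertext, p, q, dp, dq, qinv)


if __name__ == "__main__":
    n = TEST_P * TEST_Q
    wrapped = int.from_bytes(b"per-file AES key", "big")  # stands in for a file key
    c = rsa_encrypt(wrapped, n)
    memory = build_test_memory(TEST_P, TEST_PRIME_LEN)
    print("recovered:", recover_and_decrypt(memory, n, TEST_PRIME_LEN, c) == wrapped)
    print("after reuse:", recover_and_decrypt(bytes(4096), n, TEST_PRIME_LEN, c))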

Try WanaKiwi First

Of the two tools, WanaKiwi is reportedly the easier one to use. Even better, Suiche reports, WanaKiwi can decrypt both Windows XP and Windows 7 systems. “This would imply it works for every version of Windows from XP to 7, including Windows 2003 (x86 confirmed), Vista and 2008 and 2008 R2,” Suiche says in a blog post.

The takeaway: Try the tools, and do so immediately. “Do not reboot your infected machines and try wanakiwi ASAP*!” Suiche says, noting that victims should do this as soon as possible “because prime numbers may be overwritten in memory after a while.”

WanaKiwi in action on an infected Windows XP system. (Source: Matt Suiche.)

Suiche’s findings have been confirmed by the European Cybercrime Center – part of Europol, the EU’s law enforcement intelligence agency – which says via Twitter that the tools can “recover data in some circumstances.”

decrypting files tested by @EC3Europol & found to recover data in some circumstances: https://blog.comae.io/wannacry-decrypting-files-with-wanakiwi-demo-86bafb81112d  https://twitter.com/msuiche/status/865443334550036481 


“This is not a perfect solution,” Suiche tells Reuters. “But this is so far the only workable solution to help enterprises to recover their files if they have been infected and have no back-ups,” which would let them restore data without paying the blackmailers.

Threat intelligence firm Kryptos Logic tells Reuters that as of Wednesday, half of all IP addresses infected with WannaCry appeared to be in China and Russia – representing 30 percent and 20 percent of all infections globally, respectively – followed by the United States, with 7 percent of infections, and Britain, France and Germany, each with 2 percent of infections seen worldwide.

According to Costin Raiu, a researcher at Moscow-based security firm Kaspersky Lab, 98 percent of all WannaCry-infected systems appear to be running the Windows 7 operating system.

Infection distribution by Windows version. Worst hit – Windows 7 x64. The Windows XP count is insignificant.

As of 7 a.m. Eastern U.S. Time on Monday, 315 victims had paid 49 bitcoins – worth about $108,000 – to one of the three bitcoin wallets tied to the ransomware.

Hoping for Arrests

The WannaCry decryption tools may have arrived too late for some victims. Upon infection, WannaCry warns victims they have three days to pay $300 in bitcoin before the ransom rises to $600. If that isn’t paid after a week, the ransomware says that the data will be locked forever.

Even so – and if the free decryption tools haven’t worked – Delpy says that victims may have another option: Back up all files and wait for police to find and arrest the criminals involved. At that point, they should be able to recover the main key that was used to encrypt all systems, he says.

backup all your files; 00000000.eky and your encrypted ones
When the criminal is arrested, the main key will be used to decrypt all.

Of course, this strategy depends on WannaCry’s developer or developers being identified, caught and brought to justice. It’s not clear when – or if – that might ever happen.



#avast.com

Free Ransomware Decryption Tools


Hit by ransomware? Don’t pay the ransom!

Our free ransomware decryption tools can help decrypt files encrypted by the following forms of ransomware. Just click a name to see the signs of infection and get our free fix.


AES_NI

AES_NI is a ransomware strain that first appeared in December 2016. Since then, we’ve observed multiple variants, with different file extensions. For encrypting files, the ransomware uses AES-256 combined with RSA-2048.

Filename changes:

The ransomware adds one of the following extensions to encrypted files:
.aes_ni
.aes256
.aes_ni_0day

In each folder with at least one encrypted file, the file “!!! READ THIS – IMPORTANT !!!.txt” can be found. Additionally, the ransomware creates a key file with a name similar to [PC_NAME]#9C43A95AC27D3A131D3E8A95F2163088-Bravo NEW-20175267812-78.key.aes_ni_0day in the C:\ProgramData folder.

Ransom message:

The file “!!! READ THIS – IMPORTANT !!!.txt” contains the following ransom note:

DOWNLOAD AES_NI FIX

Alcatraz Locker

Alcatraz Locker is a ransomware strain that was first observed in the middle of November 2016. For encrypting user’s files, this ransomware uses AES 256 encryption combined with Base64 encoding.

Filename changes:

Encrypted files have the “.Alcatraz” extension.

Ransom message:

After encrypting your files, a message similar to the one below appears (it is stored in the file “ransomed.html” on the user’s desktop):

If Alcatraz Locker has encrypted your files, click here to download our free fix:

DOWNLOAD ALCATRAZ LOCKER FIX

Apocalypse

Apocalypse is a form of ransomware first spotted in June 2016. Here are the signs of infection:

Filename changes:

Apocalypse adds .encrypted, .FuckYourData, .locked, .Encryptedfile, or .SecureCrypted to the end of filenames. (e.g., Thesis.doc = Thesis.doc.locked)

Ransom message:

Opening a file with the extension .How_To_Decrypt.txt, .README.Txt, .Contact_Here_To_Recover_Your_Files.txt, .How_to_Recover_Data.txt, or .Where_my_files.txt (e.g., Thesis.doc.How_To_Decrypt.txt) will display a variant of this message:

DOWNLOAD APOCALYPSE FIX
DOWNLOAD APOCALYPSEVM FIX

BadBlock

BadBlock is a form of ransomware first spotted in May 2016. Here are the signs of infection:

Filename changes:

BadBlock does not rename your files.

Ransom message:

After encrypting your files, BadBlock displays one of these messages (from a file named Help Decrypt.html):

If BadBlock has encrypted your files, click here to download our free fix:

DOWNLOAD BADBLOCK FIX for 32-bit Windows
DOWNLOAD BADBLOCK FIX for 64-bit Windows

Bart

Bart is a form of ransomware first spotted at the end of June 2016. Here are the signs of infection:

Filename changes:

Bart adds .bart.zip to the end of filenames (e.g., Thesis.docx = Thesis.docx.bart.zip). These are encrypted ZIP archives containing the original files.

Ransom message:

After encrypting your files, Bart changes your desktop wallpaper to an image like the one below. The text on this image can also be used to help identify Bart, and is stored on the desktop in files named recover.bmp and recover.txt.

If Bart has encrypted your files, click here to download our free fix:

Acknowledgement: We’d like to thank Peter Conrad, author of PkCrack, who granted us permission to use his library in our Bart decryption tool.

DOWNLOAD BART FIX

BTCWare

BTCWare is a ransomware strain that first appeared in March 2017. Since then, we have observed five variants, which can be distinguished by the encrypted file extension. The ransomware uses two different encryption methods: RC4 and AES-192.

Filename changes:

Encrypted file names will have the following format:
foobar.docx.[sql772@aol.com].theva
foobar.docx.[no.xop@protonmail.ch].cryptobyte
foobar.bmp.[no.btc@protonmail.ch].cryptowin
foobar.bmp.[no.btcw@protonmail.ch].btcware
foobar.docx.onyon

Furthermore, one of the following files can be found on the PC:

  • Key.dat on %USERPROFILE%\Desktop
  • 1.bmp in %USERPROFILE%\AppData\Roaming
  • #_README_#.inf or !#_DECRYPT_#!.inf in each folder with at least one encrypted file.

Ransom message:

After encrypting your files, the desktop wallpaper is changed to the following:

You may also see one of the following ransom notes:

DOWNLOAD BTCWARE FIX

Crypt888

Crypt888 (also known as Mircop) is a form of ransomware first spotted in June 2016. Here are the signs of infection:

Filename changes:

Crypt888 adds Lock. to the beginning of filenames. (e.g., Thesis.doc = Lock.Thesis.doc)

Ransom message:

After encrypting your files, Crypt888 changes your desktop wallpaper to one of the following:

If Crypt888 has encrypted your files, click here to download our free fix:

DOWNLOAD CRYPT888 FIX

CryptoMix (Offline)

CryptoMix (also known as CryptFile2 or Zeta) is a ransomware strain that was first spotted in March 2016. In early 2017, a new variant of CryptoMix, called CryptoShield emerged. Both variants encrypt files by using AES256 encryption with a unique encryption key downloaded from a remote server. However, if the server is not available or if the user is not connected to the internet, the ransomware will encrypt files with a fixed key (“offline key”).

Important: The provided decryption tool only supports files encrypted using an “offline key”. In cases where the offline key was not used to encrypt files, our tool will be unable to restore the files and no file modification will be done.

Filename changes:

Encrypted files will have one of the following extensions: .CRYPTOSHIELD, .rdmk, .lesli, .scl, .code, .rmd or .rscl.

Ransom message:

The following files may be found on the PC after encrypting files:

If CryptoMix has encrypted your files, click here to download our free fix:

DOWNLOAD CRYPTOMIX FIX

CrySiS

CrySiS (JohnyCryptor, Virus-Encode, Aura, Dharma) is a ransomware strain that has been observed since September 2015. It uses AES-256 combined with RSA-1024 asymmetric encryption.

Filename changes:

Encrypted files have many various extensions, including:
.johnycryptor@hackermail.com.xtbl,
.ecovector2@aol.com.xtbl,
.systemdown@india.com.xtbl,
.Vegclass@aol.com.xtbl,
.{milarepa.lotos@aol.com}.CrySiS,
.{Greg_blood@india.com}.xtbl,
.{savepanda@india.com}.xtbl,
.{arzamass7@163.com}.xtbl,
.{3angle@india.com}.dharma,
.{tombit@india.com}.dharma,
.wallet

Ransom message:

After encrypting your files, one of the following messages appears (see below). The message is located in “Decryption instructions.txt“, “Decryptions instructions.txt“, “README.txt“, “Readme to restore your files.txt” or “HOW TO DECRYPT YOUR DATA.txt” on the user’s desktop. Also, the desktop background is changed to one of the pictures below.

If CrySiS has encrypted your files, click here to download our free fix:

DOWNLOAD CRYSIS FIX

FindZip

FindZip is a ransomware strain that was observed at the end of February 2017. This ransomware spreads on Mac OS X (version 10.11 or newer). The encryption is based on creating ZIP files – each encrypted file is a ZIP archive, containing the original document.

Filename changes:

Encrypted files will have the .crypt extension.

Ransom message:

After encrypting your files, several files are created on the user’s desktop, with name variants of: DECRYPT.txt, HOW_TO_DECRYPT.txt, README.txt. They are all identical, containing the following text message:

Note: Because Avast decryptors are Windows applications, an emulation layer (WINE, CrossOver) must be installed on the Mac to run the fix. For more information, read our blog post.

If FindZip has encrypted your files, click here to download our free fix:

DOWNLOAD FINDZIP FIX

Globe

Globe is a ransomware strain that has been observed since August 2016. Depending on the variant, it uses the RC4 or Blowfish encryption method. Here are the signs of infection:

Filename changes:

Globe adds one of the following extensions to the file name: “.ACRYPT“, “.GSupport[0-9]“, “.blackblock“, “.dll555“, “.duhust“, “.exploit“, “.frozen“, “.globe“, “.gsupport“, “.kyra“, “.purged“, “.raid[0-9]“, “.siri-down@india.com“, “.xtbl“, “.zendrz“, “.zendr[0-9]“, or “.hnyear“. Furthermore, some of its versions encrypt the file name as well.

Ransom message:

After encrypting your files, a similar message appears (it is located in a file “How to restore files.hta” or “Read Me Please.hta“):

If Globe has encrypted your files, click here to download our free fix:

DOWNLOAD GLOBE FIX

HiddenTear

HiddenTear is one of the first open-sourced ransomware codes hosted on GitHub and dates back to August 2015. Since then, hundreds of HiddenTear variants have been produced by crooks using the original source code. HiddenTear uses AES encryption.

Filename changes:

Encrypted files will have one of the following extensions (but not limited to): .locked, .34xxx, .bloccato, .BUGSECCCC, .Hollycrypt, .lock, .saeid, .unlockit, .razy, .mecpt, .monstro, .lok, .암호화됨, .8lock8, .fucked, .flyper, .kratos, .krypted, .CAZZO, .doomed.

Ransom message:

After encrypting files, a text file (READ_IT.txt, MSG_FROM_SITULA.txt, DECRYPT_YOUR_FILES.HTML) appears on the user’s desktop. Various variants can also show a ransom message:

If HiddenTear has encrypted your files, click here to download our free fix:

DOWNLOAD HIDDENTEAR FIX

Jigsaw

Jigsaw is a ransomware strain that has been around since March 2016. It’s named after the movie character “The Jigsaw Killer”. Several variants of this ransomware use the Jigsaw Killer’s picture in the ransom screen.

Filename changes:

Encrypted files will have one of the following extensions: .kkk, .btc, .gws, .J, .encrypted, .porno, .payransom, .pornoransom, .epic, .xyz, .versiegelt, .payb, .pays, .payms, .paymds, .paymts, .paymst, .payrms, .payrmts, .paymrts, .paybtcs, .fun, .hush, .uk-dealer@sigaint.org, or .gefickt.

Ransom message:

After encrypting your files, one of the screens below will appear:

If Jigsaw has encrypted your files, click here to download our free fix:

DOWNLOAD JIGSAW FIX

Legion

Legion is a form of ransomware first spotted in June 2016. Here are the signs of infection:

Filename changes:

Legion adds a variant of ._23-06-2016-20-27-23_$f_tactics@aol.com$.legion or .$centurion_legion@aol.com$.cbf to the end of filenames (e.g., Thesis.doc = Thesis.doc._23-06-2016-20-27-23_$f_tactics@aol.com$.legion).

Ransom message:

After encrypting your files, Legion changes your desktop wallpaper and displays a popup, like this:

If Legion has encrypted your files, click here to download our free fix:

DOWNLOAD LEGION FIX

NoobCrypt

NoobCrypt is a ransomware strain that has been observed since late July 2016. For encrypting the user’s files, this ransomware uses the AES-256 encryption method.

Filename changes:

NoobCrypt does not change file names. Encrypted files cannot be opened with their associated application, however.

Ransom message:

After encrypting your files, a message similar to the one below appears (it is stored in the file “ransomed.html” on the user’s desktop):

If NoobCrypt has encrypted your files, click here to download our free fix:

DOWNLOAD NOOBCRYPT FIX

Stampado

Stampado is a ransomware strain written using the AutoIt script tool. It has been around since August 2016. It is being sold on the dark web, and new variants keep appearing. One of its versions is also called Philadelphia.

Filename changes:

Stampado adds the .locked extension to the encrypted files. Some variants also encrypt the filename itself, so the encrypted file name may look either as document.docx.locked or 85451F3CCCE348256B549378804965CD8564065FC3F8.locked.

Ransom message:

After encryption is complete, the following screen will appear:

If Stampado has encrypted your files, click here to download our free fix:

DOWNLOAD STAMPADO FIX

SZFLocker

SZFLocker is a form of ransomware first spotted in May 2016. Here are the signs of infection:

Filename changes:

SZFLocker adds .szf to the end of filenames. (e.g., Thesis.doc = Thesis.doc.szf)

Ransom message:

When you try to open an encrypted file, SZFLocker displays the following message (in Polish):

If SZFLocker has encrypted your files, click here to download our free fix:

DOWNLOAD SZFLOCKER FIX

TeslaCrypt

TeslaCrypt is a form of ransomware first spotted in February 2015. Here are the signs of infection:

Filename changes:

The latest version of TeslaCrypt does not rename your files.

Ransom message:

After encrypting your files, TeslaCrypt displays a variant of the following message:

If TeslaCrypt has encrypted your files, click here to download our free fix:

DOWNLOAD TESLACRYPT FIX
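An added triage helper, not Avast’s or No More Ransom’s own tooling: before reaching for any of the decryptors above, a responder first has to work out which family hit a machine, and the filename indicators listed per family are enough for a first pass. This Python example walks a directory, matches file names against a subset of the extension patterns and ransom-note names taken from this page, and counts candidate families. Where the page lists the same indicator for several families (.locked for Apocalypse, HiddenTear and Stampado; .xtbl for CrySiS and Globe) it reports all of them rather than guessing. It also checks that a supposed Bart or FindZip file really is a ZIP with the traditional-encryption flag set, since both families wrap the original file in an encrypted ZIP. The indicator table is a constructed subset and the sample directory is constructed test data.

```python
"""Triage a directory against the file-name indicators listed on this page.

Added example for this page, not Avast or No More Ransom tooling. The
indicator table is a constructed subset of the page's lists; the sample
directory is constructed test data.
"""
import os
import re
import struct
import tempfile
from collections import Counter

# Regex over the bare file name -> candidate families. Indicators the page
# lists for several families map to all of them so the ambiguity is visible.
NAME_INDICATORS = [
    (re.compile(r"\.bart\.zip$", re.I), ("Bart",)),
    (re.compile(r"^Lock\.", re.I), ("Crypt888",)),
    (re.compile(r"\.szf$", re.I), ("SZFLocker",)),
    (re.compile(r"\.(aes_ni|aes256|aes_ni_0day)$", re.I), ("AES_NI",)),
    (re.compile(r"\.Alcatraz$", re.I), ("Alcatraz Locker",)),
    (re.compile(r"\.\[[^\]]+@[^\]]+\]\.(theva|cryptobyte|cryptowin|btcware)$", re.I), ("BTCWare",)),
    (re.compile(r"\.onyon$", re.I), ("BTCWare",)),
    (re.compile(r"\.(CrySiS|dharma|wallet)$", re.I), ("CrySiS",)),
    (re.compile(r"\.xtbl$", re.I), ("CrySiS", "Globe")),
    (re.compile(r"\$[^$]*@aol\.com\$\.(legion|cbf)$", re.I), ("Legion",)),
    (re.compile(r"\.(globe|gsupport\d?|raid\d|zendr\d?|zendrz|purged|frozen)$", re.I), ("Globe",)),
    (re.compile(r"\.locked$", re.I), ("Apocalypse", "HiddenTear", "Stampado")),
    (re.compile(r"\.(kkk|btc|gws|payransom|fun|hush|gefickt)$", re.I), ("Jigsaw",)),
]

# Ransom-note file names (lower-cased) -> families, from the page's entries.
NOTE_INDICATORS = {
    "!!! read this - important !!!.txt": ("AES_NI",),
    "ransomed.html": ("Alcatraz Locker", "NoobCrypt"),
    "help decrypt.html": ("BadBlock",),
    "recover.txt": ("Bart",),
    "#_readme_#.inf": ("BTCWare",),
    "!#_decrypt_#!.inf": ("BTCWare",),
    "how to restore files.hta": ("Globe",),
    "read me please.hta": ("Globe",),
    "read_it.txt": ("HiddenTear",),
}

ZIP_LOCAL_SIG = b"PK\x03\x04"


def families_for_name(name):
    """Sorted tuple of candidate families for one file name; () if none match."""
    hits = set(NOTE_INDICATORS.get(name.lower(), ()))
    for pattern, families in NAME_INDICATORS:
        if pattern.search(name):
            hits.update(families)
    return tuple(sorted(hits))


def triage_tree(root):
    """Walk root and count, per candidate family, how many files point at it."""
    counts = Counter()
    for _dirpath, _dirs, files in os.walk(root):
        for name in files:
            for family in families_for_name(name):
                counts[family] += 1
    return counts


def zip_header_encrypted(head):
    """True if head starts with a ZIP local file header whose general-purpose
    flag bit 0 (traditional PKZIP encryption) is set. Bart and FindZip wrap the
    original file in such an archive, so this confirms the file shape before a
    decryptor is run on it."""
    if len(head) < 8 or head[:4] != ZIP_LOCAL_SIG:
        return False
    _version, flags = struct.unpack_from("<HH", head, 4)
    return bool(flags & 0x0001)


def header_bytes(path, count=30):
    """First count bytes of a file (30 covers a ZIP local file header)."""
    with open(path, "rb") as handle:
        return handle.read(count)


def build_sample_tree():
    """Constructed victim directory used by the demo below."""
    root = tempfile.mkdtemp(prefix="triage-")
    names = ["Thesis.doc.bart.zip", "recover.txt", "Lock.budget.xlsx",
             "report.docx.[sql772@aol.com].theva", "photo.jpg.xtbl", "notes.txt"]
    for name in names:
        with open(os.path.join(root, name), "wb") as handle:
            if name.endswith(".bart.zip"):
                # 30-byte local header: version 20, flags = 1 (encrypted), rest zeroed
                handle.write(ZIP_LOCAL_SIG + struct.pack("<HH", 20, 1) + b"\x00" * 22)
            else:
                handle.write(b"ciphertext")  # placeholder, not real ciphertext
    return root


if __name__ == "__main__":
    sample = build_sample_tree()
    for family, count in sorted(triage_tree(sample).items()):
        print(f"{family}: {count} indicator file(s)")
    bart_file = os.path.join(sample, "Thesis.doc.bart.zip")
    print("bart.zip has PKZIP encryption flag:", zip_header_encrypted(header_bytes(bart_file)))
```

The ZIP check reads only the fixed 30-byte local file header; bit 0 of the general-purpose flag marks the legacy PKZIP stream cipher, which is what a known-plaintext tool such as PkCrack (credited in the Bart entry above) attacks. On a real machine, run the walk against a copy of the affected volume, and treat a family count of one as a hint to look at the ransom note, not as an identification.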

 
