MM Locker Ransomware
This crypto-ransomware encrypts data with AES-256 and then demands between 0.501049 and 1.011 bitcoin (or $200) to return the files; note that the copy of the ransom note quoted below states a fee of 1.011 BTC, "approximately $400". Victims are given 72 hours to pay. The .locked extension is appended to every encrypted file.
© Genealogy: EDA2 >> Pompous (SkidLocker) >> MM Locker
Everything indicates that MM Locker is a further development of Pompous (SkidLocker).
The ransom note is named READ_IT.txt. The desktop wallpaper is replaced with the extortionist's image ransom.jpg.
Contents of this rather lengthy ransom note:
(If you are in Notepad, please click the Format menu above ^^^^ and click Word Wrap)
Uh oh. It looks like your data has been the victim of the encryption thief. Your files have been encrypted with AES. Go look it up if you like, it is some impressive technology. Unfortunately you're going to have to pay some money to get your data back and your fee is approximately $400. I'll get right to the gory details for that:
* You have 72 hours to make this happen. Otherwise, your data is effectively lost for good. One keystroke will remove the necessary password for all time, and I don't even have to revisit your machine to do it.
* You will be paying by bitcoin. Your fee is 1.011. Pay this amount precisely, or I might not know who it was that paid in order to rescue them.
* You'll be using LocalBitcoins.com. There are numerous ways to pay for my bitcoins on there, and most importantly, it is fast. Did I mention you have 72 hours?
* The address you will be sending the bitcoins to is [Redacted].
* Then you will wait for me to get the unlock code for you. Your code will be shown here, [hxxp://let-me-help-you-with-that.webnode.com/], under the amount you paid. This may take a day or so: you are on my schedule now :P
* Once you have the code, you can unlock your data as follows:
*** Go to your Start Menu
*** In the search field, type "cmd".
*** Right click the cmd program.
*** Click Run As Administrator
*** Click Yes to allow it to run like that.
*** Type "cd /Users/[user]/"
*** Type "Decrypter.exe <Your Code>"
*** Other people's codes will not work for you, obviously.
That is basically it. The rest of this document is a mini encouragement to get you to pay, so you can read it or not. F*** [redacted by editor] if I care.
* You'll never be able to find me. Police will never be able to find me. Go ahead and try them if you like, but don't expect your data back. They will be concerned about helping the community, not with helping you meet your deadline. If they say they need to keep your desktop for a few days, well lol, you probably won't be seeing your machine again soon, let alone your data. Certain things may look like they would be easy to trace back to me, but believe me, they aren't. I've been doing this for five years now and haven't been caught yet.
* Best Buy will have no ability to undo the encryption. Hell, even the NSA probably couldn't undo it. Well maybe they could, but I suspect you won't be a high priority for their computation clusters for at least a couple of years.
* In 72 hours, I will consider you lost. Hell, I may even visit you again and delete the encrypted versions just for kicks.
So just be thankful that it wasn't worse. I could have asked for more money. I could be working for ISIS and saving that money to behead children. I could be a mean SOB and just destroy your data outright. Am I those things? No. I just need the money to live off of (true story) and don't give a f*** [redacted] about the hacker "community". So there isn't anyone you will be protecting by sacrificing yourself. I'll just encrypt more people's data to make up for the loss.
So you have your instructions. I'll even tell you how you could have prevented this:
* Install a good antivirus and keep it up to date. This is basically where you fell down.
* Don't click on any file from the internet that isn't a piece of data like (jpg, txt, doc) or you better really know where that file came from.
* Back up your data in case the encryption thief visits you :P
Better luck to you in the future.
Partial list of file extensions subject to encryption:
.txt, .doc, .docx, .xls, .xlsx, .pdf, .pps, .ppt, .pptx, .odt, .gif, .jpg, .png, .db, .csv, .sql, .mdb, .sln, .php, .asp, .aspx, .html, .xml, .psd, .frm, .myd, .myi, .dbf, .mp3, .mp4, .avi, .mov, .mpg, .rm, .wmv, .m4a, .mpa, .wav, .sav, .gam, .log, .ged, .msg, .myo, .tax, .ynab, .ifx, .ofx, .qfx, .qif, .qdf, .tax2013, .tax2014, .tax2015, .box, .ncf, .nsf, .ntf, .lwp (59 extensions).
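For triage, the indicators above (the .locked suffix, the READ_IT.txt note, the ransom.jpg wallpaper and the 59 targeted extensions) are enough to sweep a suspect volume and tell encrypted files apart from clean ones. The following is an added example written for this write-up; it is not code from the page, from the Pompous/EDA2 projects, or from the malware. The directory tree it scans is constructed inline for the demonstration, and the indicator labels ("encrypted_targeted", "encrypted_other", "ransom_note", "wallpaper") are names chosen here, not anything the ransomware itself uses.

```python
"""Triage helper for MM Locker artifacts.

Added example for this write-up, not code from the page or from the malware.
It looks only for the indicators the write-up names: the .locked suffix on
encrypted files, the READ_IT.txt note, the ransom.jpg wallpaper, and the 59
targeted extensions. The sample directory tree is constructed for the demo.
"""
import os
import tempfile
from pathlib import Path

# The 59 extensions listed in the write-up.
TARGETED_EXTENSIONS = frozenset("""
.txt .doc .docx .xls .xlsx .pdf .pps .ppt .pptx .odt .gif .jpg .png .db .csv
.sql .mdb .sln .php .asp .aspx .html .xml .psd .frm .myd .myi .dbf .mp3 .mp4
.avi .mov .mpg .rm .wmv .m4a .mpa .wav .sav .gam .log .ged .msg .myo .tax .ynab
.ifx .ofx .qfx .qif .qdf .tax2013 .tax2014 .tax2015 .box .ncf .nsf .ntf .lwp
""".split())

ENCRYPTED_SUFFIX = ".locked"
RANSOM_NOTE = "READ_IT.txt"
WALLPAPER = "ransom.jpg"


def classify_path(path):
    """Label one file path with the MM Locker indicator it matches, or None."""
    path = Path(path)
    if path.name == RANSOM_NOTE:
        return "ransom_note"
    if path.name == WALLPAPER:
        return "wallpaper"
    if path.suffix.lower() == ENCRYPTED_SUFFIX:
        # "report.docx.locked" -> original suffix ".docx"
        inner = Path(path.stem).suffix.lower()
        if inner in TARGETED_EXTENSIONS:
            return "encrypted_targeted"
        return "encrypted_other"  # .locked on a type the write-up does not list
    return None


def scan_tree(root):
    """Walk root and group matching paths (relative, POSIX style) by indicator."""
    root = Path(root)
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = Path(dirpath) / name
            label = classify_path(full)
            if label is not None:
                findings.setdefault(label, []).append(
                    full.relative_to(root).as_posix())
    for paths in findings.values():
        paths.sort()
    return findings


def build_sample_tree(root):
    """Constructed victim profile: encrypted files, one clean file, note, wallpaper."""
    root = Path(root)
    for rel in (
        "Documents/report.docx.locked",
        "Documents/budget.xlsx.locked",
        "Pictures/holiday.jpg.locked",
        "Downloads/archive.zip.locked",  # .zip is not on the targeted list
        "Desktop/notes.txt",             # untouched file, must not be flagged
        "Desktop/READ_IT.txt",
        "ransom.jpg",
    ):
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(b"sample")
    return root


def demo():
    """Build the constructed tree in a temp dir, scan it, return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scan_tree(tmp)


if __name__ == "__main__":
    for label, paths in sorted(demo().items()):
        print(f"{label}: {len(paths)}")
        for p in paths:
            print("   ", p)
```

Pointing `scan_tree()` at a mounted image of the victim's drive gives a count of files that can be attributed to this family versus .locked files of other types, which is useful both for scoping the incident and for confirming that a sample really belongs to the MM Locker / Pompous lineage rather than another .locked-suffix family.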
See also the technical details in Pompous (SkidLocker) Ransomware.
Prevalence: low.
Detailed information is being collected.