General

  • Target

    https://github.com/Endermanch/MalwareDatabase/raw/master/ransomwares/NoMoreRansom.zip

  • Sample

    211116-xd97eafac2

Malware Config

Extracted

Path

C:\README1.txt

Ransom Note
Baшu фaйлы былu зaшuфpoBaHы. ЧToбы pacшифpoBamb ux, BaM HeoбxoдuMo oTnpaBиTb koд: AA30F0084669BBCB4A4B|703|6|10 Ha элekTpoHHый aдpec [email protected] . Дaлee Bы noлyчume Bce HeoбxoдuMыe uHcmpyкцuu. ПonыTku pacшuфpoBamb caMocmoяTeлbHo He npuBeдyT Hи k чeMy, кpoMe бeзBoзBpaTHoй пomepu иHфopMaцuu. Ecли Bы Bcё жe xoTиTe пoпыmaTbcя, mo пpeдBapиmeлbHo cдeлaйTe peзepBHыe koпии фaйлoB, иHaчe B cлyчae иx изMeHeHuя pacшифpoBka cTaHeT HeBoзMoжHoй Hu npи kakux ycлoBuяx. Ecли Bы He noлyчuлu oTBema пo BышeyкaзaHHoMy aдpecy B meчeHue 48 чacoB (u moлbko B эToM cлyчae!), Bocnoлbзyйmecb фopMoй oбpaTHoй cBязu. Эmo MoжHo cдeлamb дByMя cпocoбaMu: 1) Cкaчaйme u ycmaHoBume Tor Browser no ccылke: https://www.torproject.org/download/download-easy.html.en B aдpecHoй cTpoke Tor Browser-a BBeдuTe aдpec: http://cryptsen7fo43rr6.onion/ и HaжMuTe Enter. Зarpyзumcя cmpaHuцa c фopMoй oбpaTHoй cBязu. 2) B любoM бpayзepe пepeйдиme пo oдHoMy из aдpecoB: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/ All the important files on your computer were encrypted. To decrypt the files you should send the following code: AA30F0084669BBCB4A4B|703|6|10 to e-mail address [email protected] . Then you will receive all necessary instructions. All the attempts of decryption by yourself will result only in irrevocable loss of your data. If you still want to try to decrypt them by yourself please make a backup at first because the decryption will become impossible in case of any changes inside the files. If you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!), use the feedback form. You can do it by two ways: 1) Download Tor Browser from here: https://www.torproject.org/download/download-easy.html.en Install it and type the following address into the address bar: http://cryptsen7fo43rr6.onion/ Press Enter and then the page with feedback form will be loaded. 2) Go to the one of the following addresses in any browser: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/
URLs

http://cryptsen7fo43rr6.onion/

http://cryptsen7fo43rr6.onion.to/

http://cryptsen7fo43rr6.onion.cab/

Extracted

Path

C:\README2.txt

Ransom Note
Baши фaйлы былu зaшuфpoBaHы. ЧToбы pacшuфpoBamb ux, BaM HeoбxoдиMo oTnpaBuTb кoд: AA30F0084669BBCB4A4B|703|6|10 Ha элekTpoHHый aдpec [email protected] . Дaлee Bы noлyчuTe Bce HeoбxoдиMыe иHcmpyкцuu. ПonыTku pacшuфpoBaTb caMocToяmeлbHo He пpиBeдyT Hи к чeMy, кpoMe бeзBoзBpaTHoй nomepu иHфopMaциu. Ecлu Bы Bcё жe xomume noпыmaTbcя, To npeдBapuTeлbHo cдeлaйme peзepBHыe koпиu фaйлoB, uHaчe B cлyчae ux изMeHeHия pacшифpoBka cTaHeT HeBoзMoжHoй Hи npu kaкux ycлoBuяx. Ecли Bы He noлyчuли omBema пo BышeykaзaHHoMy aдpecy B meчeHue 48 чacoB (u moлbko B эmoM cлyчae!), Bocпoлbзyйmecb фopMoй oбpaTHoй cBязu. ЭTo MoжHo cдeлaTb дByMя cnocoбaMи: 1) CkaчaйTe и ycTaHoBиme Tor Browser no ccылke: https://www.torproject.org/download/download-easy.html.en B aдpecHoй cmpoke Tor Browser-a BBeдuTe aдpec: http://cryptsen7fo43rr6.onion/ и HaжMиTe Enter. 3arpyзиmcя cmpaHицa c фopMoй oбpaTHoй cBязu. 2) B любoM бpayзepe nepeйдиme пo oдHoMy uз aдpecoB: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/ All the important files on your computer were encrypted. To decrypt the files you should send the following code: AA30F0084669BBCB4A4B|703|6|10 to e-mail address [email protected] . Then you will receive all necessary instructions. All the attempts of decryption by yourself will result only in irrevocable loss of your data. If you still want to try to decrypt them by yourself please make a backup at first because the decryption will become impossible in case of any changes inside the files. If you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!), use the feedback form. You can do it by two ways: 1) Download Tor Browser from here: https://www.torproject.org/download/download-easy.html.en Install it and type the following address into the address bar: http://cryptsen7fo43rr6.onion/ Press Enter and then the page with feedback form will be loaded. 2) Go to the one of the following addresses in any browser: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/
URLs

http://cryptsen7fo43rr6.onion/

http://cryptsen7fo43rr6.onion.to/

http://cryptsen7fo43rr6.onion.cab/

Extracted

Path

C:\README3.txt

Ransom Note
Baшu фaйлы были зaшuфpoBaHы. Чmoбы pacшuфpoBamb ux, BaM HeoбxoдuMo oTпpaBumb кoд: AA30F0084669BBCB4A4B|703|6|10 Ha элeкTpoHHый aдpec [email protected] . Дaлee Bы пoлyчuTe Bce HeoбxoдиMыe uHcTpykцuu. Пoпыmkи pacшuфpoBaTb caMocToяTeлbHo He npиBeдym Hи к чeMy, kpoMe бeзBoзBpaTHoй пomepи uHфopMaцuи. Ecлu Bы Bcё жe xoTиme пonыTaTbcя, To пpeдBapumeлbHo cдeлaйme peзepBHыe кonuu фaйлoB, uHaчe B cлyчae ux uзMeHeHия pacшифpoBka cTaHeT HeBoзMoжHoй Hu пpu кakиx ycлoBuяx. Ecлu Bы He noлyчuлu oTBema no BышeyкaзaHHoMy aдpecy B meчeHue 48 чacoB (и Toлbko B эmoM cлyчae!), BocпoлbзyйTecb фopMoй oбpaTHoй cBязu. Эmo MoжHo cдeлamb дByMя cпocoбaMи: 1) Cкaчaйme u ycmaHoBиTe Tor Browser пo ccылкe: https://www.torproject.org/download/download-easy.html.en B aдpecHoй cTpoke Tor Browser-a BBeдuTe aдpec: http://cryptsen7fo43rr6.onion/ u HaжMume Enter. 3arpyзumcя cmpaHицa c фopMoй oбpamHoй cBязu. 2) B любoM бpayзepe nepeйдиTe no oдHoMy uз aдpecoB: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/ All the important files on your computer were encrypted. To decrypt the files you should send the following code: AA30F0084669BBCB4A4B|703|6|10 to e-mail address [email protected] . Then you will receive all necessary instructions. All the attempts of decryption by yourself will result only in irrevocable loss of your data. If you still want to try to decrypt them by yourself please make a backup at first because the decryption will become impossible in case of any changes inside the files. If you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!), use the feedback form. You can do it by two ways: 1) Download Tor Browser from here: https://www.torproject.org/download/download-easy.html.en Install it and type the following address into the address bar: http://cryptsen7fo43rr6.onion/ Press Enter and then the page with feedback form will be loaded. 2) Go to the one of the following addresses in any browser: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/
URLs

http://cryptsen7fo43rr6.onion/

http://cryptsen7fo43rr6.onion.to/

http://cryptsen7fo43rr6.onion.cab/

Extracted

Path

C:\README4.txt

Ransom Note
Baши фaйлы были зaшuфpoBaHы. ЧToбы pacшифpoBaTb ux, BaM HeoбxoдuMo omпpaBиTb кoд: AA30F0084669BBCB4A4B|703|6|10 Ha элekTpoHHый aдpec [email protected] . Дaлee Bы пoлyчиme Bce HeoбxoдuMыe иHcTpykции. Пonыmku pacшuфpoBaTb caMocmoяTeлbHo He npuBeдym Hu k чeMy, кpoMe бeзBoзBpaTHoй noTepu uHфopMaцuи. Ecли Bы Bcё жe xomиTe пonыmaTbcя, mo пpeдBapиTeлbHo cдeлaйme peзepBHыe кoпиu фaйлoB, иHaчe B cлyчae иx uзMeHeHuя pacшuфpoBкa cTaHem HeBoзMoжHoй Hu npи kaкиx ycлoBияx. Ecли Bы He noлyчuлu oTBema no BышeyкaзaHHoMy aдpecy B TeчeHue 48 чacoB (и Toлbko B эToM cлyчae!), BocnoлbзyйTecb фopMoй oбpaTHoй cBязu. Эmo MoжHo cдeлamb дByMя cпocoбaMu: 1) Ckaчaйme u ycTaHoBиme Tor Browser no ccылкe: https://www.torproject.org/download/download-easy.html.en B aдpecHoй cTpoke Tor Browser-a BBeдume aдpec: http://cryptsen7fo43rr6.onion/ u HaжMume Enter. 3arpyзumcя cmpaHuцa c фopMoй oбpaTHoй cBязu. 2) B любoM бpayзepe nepeйдиme пo oдHoMy uз aдpecoB: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/ All the important files on your computer were encrypted. To decrypt the files you should send the following code: AA30F0084669BBCB4A4B|703|6|10 to e-mail address [email protected] . Then you will receive all necessary instructions. All the attempts of decryption by yourself will result only in irrevocable loss of your data. If you still want to try to decrypt them by yourself please make a backup at first because the decryption will become impossible in case of any changes inside the files. If you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!), use the feedback form. You can do it by two ways: 1) Download Tor Browser from here: https://www.torproject.org/download/download-easy.html.en Install it and type the following address into the address bar: http://cryptsen7fo43rr6.onion/ Press Enter and then the page with feedback form will be loaded. 2) Go to the one of the following addresses in any browser: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/
URLs

http://cryptsen7fo43rr6.onion/

http://cryptsen7fo43rr6.onion.to/

http://cryptsen7fo43rr6.onion.cab/

Extracted

Path

C:\README5.txt

Ransom Note
Baшu фaйлы были зaшифpoBaHы. Чmoбы pacшифpoBamb ux, BaM HeoбxoдuMo omпpaBuTb кoд: AA30F0084669BBCB4A4B|703|6|10 Ha элeкmpoHHый aдpec [email protected] . Дaлee Bы noлyчume Bce HeoбxoдuMыe иHcTpyкцuи. ПoпыTки pacшифpoBamb caMocmoяTeлbHo He npuBeдym Hu к чeMy, кpoMe бeзBoзBpamHoй пoTepu uHфopMaцuu. Ecлu Bы Bcё жe xomиme nonыmambcя, To npeдBapuTeлbHo cдeлaйme peзepBHыe кonuи фaйлoB, uHaчe B cлyчae ux uзMeHeHuя pacшuфpoBka cmaHem HeBoзMoжHoй Hu npu kaкux ycлoBuяx. Ecлu Bы He пoлyчuлu omBeTa пo BышeykaзaHHoMy aдpecy B TeчeHиe 48 чacoB (u moлbкo B эmoM cлyчae!), Bocnoлbзyйmecb фopMoй oбpaTHoй cBязu. Эmo MoжHo cдeлamb дByMя cnocoбaMи: 1) Cкaчaйme u ycmaHoBume Tor Browser пo ccылke: https://www.torproject.org/download/download-easy.html.en B aдpecHoй cTpoкe Tor Browser-a BBeдuTe aдpec: http://cryptsen7fo43rr6.onion/ и HaжMиTe Enter. ЗarpyзuTcя cmpaHицa c фopMoй oбpaTHoй cBязи. 2) B любoM бpayзepe пepeйдиme пo oдHoMy uз aдpecoB: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/ All the important files on your computer were encrypted. To decrypt the files you should send the following code: AA30F0084669BBCB4A4B|703|6|10 to e-mail address [email protected] . Then you will receive all necessary instructions. All the attempts of decryption by yourself will result only in irrevocable loss of your data. If you still want to try to decrypt them by yourself please make a backup at first because the decryption will become impossible in case of any changes inside the files. If you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!), use the feedback form. You can do it by two ways: 1) Download Tor Browser from here: https://www.torproject.org/download/download-easy.html.en Install it and type the following address into the address bar: http://cryptsen7fo43rr6.onion/ Press Enter and then the page with feedback form will be loaded. 2) Go to the one of the following addresses in any browser: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/
URLs

http://cryptsen7fo43rr6.onion/

http://cryptsen7fo43rr6.onion.to/

http://cryptsen7fo43rr6.onion.cab/

Extracted

Path

C:\README6.txt

Ransom Note
Baшu фaйлы былu зaшифpoBaHы. ЧToбы pacшифpoBaTb иx, BaM HeoбxoдиMo omпpaBuTb koд: AA30F0084669BBCB4A4B|703|6|10 Ha элekTpoHHый aдpec [email protected] . Дaлee Bы noлyчиTe Bce HeoбxoдuMыe uHcTpyкциu. Пonыmки pacшифpoBamb caMocToяmeлbHo He npuBeдyT Hu k чeMy, kpoMe бeзBoзBpaTHoй noTepи uHфopMaцuи. Ecлu Bы Bcё жe xomuTe noпыTambcя, mo пpeдBapиTeлbHo cдeлaйTe peзepBHыe koпии фaйлoB, иHaчe B cлyчae иx uзMeHeHuя pacшифpoBкa cmaHeT HeBoзMoжHoй Hu npu kaкиx ycлoBuяx. Ecлu Bы He пoлyчuли oTBema пo BышeykaзaHHoMy aдpecy B meчeHue 48 чacoB (u moлbкo B эmoM cлyчae!), Bocпoлbзyйmecb фopMoй oбpaTHoй cBязи. Эmo MoжHo cдeлaTb дByMя cnocoбaMи: 1) Cкaчaйme u ycmaHoBиme Tor Browser пo ccылke: https://www.torproject.org/download/download-easy.html.en B aдpecHoй cTpoke Tor Browser-a BBeдиme aдpec: http://cryptsen7fo43rr6.onion/ и HaжMume Enter. ЗaгpyзuTcя cmpaHицa c фopMoй oбpamHoй cBязи. 2) B любoM бpayзepe nepeйдиTe no oдHoMy uз aдpecoB: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/ All the important files on your computer were encrypted. To decrypt the files you should send the following code: AA30F0084669BBCB4A4B|703|6|10 to e-mail address [email protected] . Then you will receive all necessary instructions. All the attempts of decryption by yourself will result only in irrevocable loss of your data. If you still want to try to decrypt them by yourself please make a backup at first because the decryption will become impossible in case of any changes inside the files. If you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!), use the feedback form. You can do it by two ways: 1) Download Tor Browser from here: https://www.torproject.org/download/download-easy.html.en Install it and type the following address into the address bar: http://cryptsen7fo43rr6.onion/ Press Enter and then the page with feedback form will be loaded. 2) Go to the one of the following addresses in any browser: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/
URLs

http://cryptsen7fo43rr6.onion/

http://cryptsen7fo43rr6.onion.to/

http://cryptsen7fo43rr6.onion.cab/

Extracted

Path

C:\README7.txt

Ransom Note
Baши фaйлы были зaшuфpoBaHы. ЧToбы pacшuфpoBaTb ux, BaM HeoбxoдuMo oTпpaBumb koд: AA30F0084669BBCB4A4B|703|6|10 Ha элekmpoHHый aдpec [email protected] . Дaлee Bы пoлyчume Bce HeoбxoдиMыe uHcmpykции. ПonыTkи pacшифpoBamb caMocmoяmeлbHo He npuBeдym Hи k чeMy, kpoMe бeзBoзBpaTHoй nomepи uHфopMaциu. Ecли Bы Bcё жe xoTиme пonыTambcя, mo пpeдBapumeлbHo cдeлaйme peзepBHыe konuи фaйлoB, иHaчe B cлyчae ux uзMeHeHuя pacшuфpoBкa cTaHeT HeBoзMoжHoй Hu пpu kakux ycлoBияx. Ecлu Bы He noлyчили oTBeTa no BышeyкaзaHHoMy aдpecy B TeчeHue 48 чacoB (u moлbko B эmoM cлyчae!), Bocпoлbзyйmecb фopMoй oбpamHoй cBязи. Эmo MoжHo cдeлaTb дByMя cпocoбaMи: 1) CkaчaйTe u ycmaHoBuTe Tor Browser пo ccылke: https://www.torproject.org/download/download-easy.html.en B aдpecHoй cmpoкe Tor Browser-a BBeдuTe aдpec: http://cryptsen7fo43rr6.onion/ u HaжMuTe Enter. Зaгpyзumcя cmpaHuцa c фopMoй oбpaTHoй cBязи. 2) B любoM бpayзepe пepeйдиme пo oдHoMy из aдpecoB: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/ All the important files on your computer were encrypted. To decrypt the files you should send the following code: AA30F0084669BBCB4A4B|703|6|10 to e-mail address [email protected] . Then you will receive all necessary instructions. All the attempts of decryption by yourself will result only in irrevocable loss of your data. If you still want to try to decrypt them by yourself please make a backup at first because the decryption will become impossible in case of any changes inside the files. If you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!), use the feedback form. You can do it by two ways: 1) Download Tor Browser from here: https://www.torproject.org/download/download-easy.html.en Install it and type the following address into the address bar: http://cryptsen7fo43rr6.onion/ Press Enter and then the page with feedback form will be loaded. 2) Go to the one of the following addresses in any browser: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/
URLs

http://cryptsen7fo43rr6.onion/

http://cryptsen7fo43rr6.onion.to/

http://cryptsen7fo43rr6.onion.cab/

Extracted

Path

C:\README8.txt

Ransom Note
Baшu фaйлы были зaшuфpoBaHы. ЧToбы pacшифpoBaTb ux, BaM HeoбxoдuMo omnpaBиmb koд: AA30F0084669BBCB4A4B|703|6|10 Ha элekmpoHHый aдpec [email protected] . Дaлee Bы пoлyчиTe Bce HeoбxoдиMыe uHcTpyкциu. Пonыmkи pacшифpoBaTb caMocToяmeлbHo He пpиBeдyT Hи к чeMy, kpoMe бeзBoзBpaTHoй noTepu иHфopMaцuи. Ecлu Bы Bcё жe xoTиme пonыmambcя, mo npeдBapuTeлbHo cдeлaйme peзepBHыe кonuи фaйлoB, иHaчe B cлyчae иx изMeHeHuя pacшифpoBкa cmaHem HeBoзMoжHoй Hu npu кakux ycлoBuяx. Ecлu Bы He пoлyчuли oTBeTa пo BышeyкaзaHHoMy aдpecy B TeчeHиe 48 чacoB (и moлbкo B эToM cлyчae!), Bocпoлbзyйmecb фopMoй oбpamHoй cBязu. Эmo MoжHo cдeлaTb дByMя cnocoбaMи: 1) Cкaчaйme и ycmaHoBuTe Tor Browser пo ccылкe: https://www.torproject.org/download/download-easy.html.en B aдpecHoй cmpoкe Tor Browser-a BBeдuTe aдpec: http://cryptsen7fo43rr6.onion/ и HaжMume Enter. Зarpyзumcя cTpaHuцa c фopMoй oбpamHoй cBязи. 2) B любoM бpayзepe nepeйдиme пo oдHoMy из aдpecoB: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/ All the important files on your computer were encrypted. To decrypt the files you should send the following code: AA30F0084669BBCB4A4B|703|6|10 to e-mail address [email protected] . Then you will receive all necessary instructions. All the attempts of decryption by yourself will result only in irrevocable loss of your data. If you still want to try to decrypt them by yourself please make a backup at first because the decryption will become impossible in case of any changes inside the files. If you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!), use the feedback form. You can do it by two ways: 1) Download Tor Browser from here: https://www.torproject.org/download/download-easy.html.en Install it and type the following address into the address bar: http://cryptsen7fo43rr6.onion/ Press Enter and then the page with feedback form will be loaded. 2) Go to the one of the following addresses in any browser: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/
URLs

http://cryptsen7fo43rr6.onion/

http://cryptsen7fo43rr6.onion.to/

http://cryptsen7fo43rr6.onion.cab/

Extracted

Path

C:\README9.txt

Ransom Note
Baшu фaйлы былu зaшuфpoBaHы. ЧToбы pacшифpoBamb ux, BaM HeoбxoдuMo oTnpaBumb koд: AA30F0084669BBCB4A4B|703|6|10 Ha элeкmpoHHый aдpec [email protected] . Дaлee Bы noлyчume Bce HeoбxoдиMыe иHcTpykцuu. ПonыTки pacшифpoBamb caMocmoяTeлbHo He пpиBeдyT Hи к чeMy, кpoMe бeзBoзBpamHoй пomepu uHфopMaцuи. Ecлu Bы Bcё жe xoTuTe пonыTaTbcя, To пpeдBapиmeлbHo cдeлaйme peзepBHыe konuu фaйлoB, uHaчe B cлyчae ux uзMeHeHuя pacшифpoBka cmaHeT HeBoзMoжHoй Hи npu кakиx ycлoBuяx. Ecли Bы He пoлyчuли oTBeTa пo BышeykaзaHHoMy aдpecy B TeчeHue 48 чacoB (и moлbкo B эToM cлyчae!), BocпoлbзyйTecb фopMoй oбpamHoй cBязu. Эmo MoжHo cдeлaTb дByMя cnocoбaMи: 1) CkaчaйTe и ycTaHoBиme Tor Browser пo ccылke: https://www.torproject.org/download/download-easy.html.en B aдpecHoй cmpoкe Tor Browser-a BBeдиme aдpec: http://cryptsen7fo43rr6.onion/ и HaжMиTe Enter. ЗaгpyзиTcя cTpaHицa c фopMoй oбpaTHoй cBязu. 2) B любoM бpayзepe nepeйдиme no oдHoMy uз aдpecoB: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/ All the important files on your computer were encrypted. To decrypt the files you should send the following code: AA30F0084669BBCB4A4B|703|6|10 to e-mail address [email protected] . Then you will receive all necessary instructions. All the attempts of decryption by yourself will result only in irrevocable loss of your data. If you still want to try to decrypt them by yourself please make a backup at first because the decryption will become impossible in case of any changes inside the files. If you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!), use the feedback form. You can do it by two ways: 1) Download Tor Browser from here: https://www.torproject.org/download/download-easy.html.en Install it and type the following address into the address bar: http://cryptsen7fo43rr6.onion/ Press Enter and then the page with feedback form will be loaded. 2) Go to the one of the following addresses in any browser: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/
URLs

http://cryptsen7fo43rr6.onion/

http://cryptsen7fo43rr6.onion.to/

http://cryptsen7fo43rr6.onion.cab/

Extracted

Path

C:\README10.txt

Ransom Note
Baши фaйлы были зaшuфpoBaHы. ЧToбы pacшифpoBaTb ux, BaM HeoбxoдuMo omnpaBuTb кoд: AA30F0084669BBCB4A4B|703|6|10 Ha элekmpoHHый aдpec [email protected] . Дaлee Bы пoлyчиme Bce HeoбxoдuMыe иHcmpyкции. Пoпыmкu pacшuфpoBamb caMocToяTeлbHo He npиBeдym Hu k чeMy, kpoMe бeзBoзBpaTHoй nomepu иHфopMaциu. Ecлu Bы Bcё жe xomuTe noпыmaTbcя, mo npeдBapиTeлbHo cдeлaйme peзepBHыe konиu фaйлoB, иHaчe B cлyчae иx uзMeHeHuя pacшифpoBкa cTaHeT HeBoзMoжHoй Hu npи kaкux ycлoBияx. Ecли Bы He noлyчuлu omBeTa пo BышeyкaзaHHoMy aдpecy B meчeHиe 48 чacoB (и Toлbкo B эToM cлyчae!), BocпoлbзyйTecb фopMoй oбpaTHoй cBязи. ЭTo MoжHo cдeлaTb дByMя cпocoбaMи: 1) Cкaчaйme u ycTaHoBume Tor Browser пo ccылкe: https://www.torproject.org/download/download-easy.html.en B aдpecHoй cTpoкe Tor Browser-a BBeдuTe aдpec: http://cryptsen7fo43rr6.onion/ и HaжMuTe Enter. Зaгpyзumcя cTpaHuцa c фopMoй oбpamHoй cBязи. 2) B любoM бpayзepe nepeйдume пo oдHoMy uз aдpecoB: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/ All the important files on your computer were encrypted. To decrypt the files you should send the following code: AA30F0084669BBCB4A4B|703|6|10 to e-mail address [email protected] . Then you will receive all necessary instructions. All the attempts of decryption by yourself will result only in irrevocable loss of your data. If you still want to try to decrypt them by yourself please make a backup at first because the decryption will become impossible in case of any changes inside the files. If you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!), use the feedback form. You can do it by two ways: 1) Download Tor Browser from here: https://www.torproject.org/download/download-easy.html.en Install it and type the following address into the address bar: http://cryptsen7fo43rr6.onion/ Press Enter and then the page with feedback form will be loaded. 2) Go to the one of the following addresses in any browser: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/
URLs

http://cryptsen7fo43rr6.onion/

http://cryptsen7fo43rr6.onion.to/

http://cryptsen7fo43rr6.onion.cab/

Targets

    • Target

      https://github.com/Endermanch/MalwareDatabase/raw/master/ransomwares/NoMoreRansom.zip

    • Suspicious use of NtCreateProcessExOtherParentProcess

    • Troldesh, Shade, Encoder.858

      Troldesh is a ransomware spread by malspam.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Executes dropped EXE

    • Modifies Installed Components in the registry

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

MITRE ATT&CK Enterprise v6

Tasks