Bitcoin Forum
Topic: Ransom demanded from an attacker

#1 K.A.T (OP), November 07, 2015, 11:30:12 AM

Has anyone faced dealing with an attacker using mushelps@gmail.com?

Address: 14LFQxeJwDWFAy4y9CvywauJ33idwDBDd6s for the attacker that demands ransom for encrypted data. His email: mushelps@gmail

http://justpaste.it/otzi

#2 mexxer-2, November 07, 2015, 11:34:45 AM

According to Blocktrail and blockchain.info, no such address exists. You have an extra "s" after the actual address at the end. And the email address returns only one result, which unsurprisingly is also about viruses:
Quote
SA primarily if the subject I apologize if wrong place. Entered virus to someone with machines of the company I worked for my friend when it comes to the issue and $ 3,000 fine demanding he do this simple method or Brute-Force running programs transaxle via SFX to have become ex with all files SFX and provide an encrypted password that I appreciate if you can help it. e-mail address of the owner mushelps@gmail.co Virus  
Translated.
https://www.cyber-warrior.org/forum/sfx-sifrelenmis-yardim-lazim-_561285,0.cwx
Edit: So you paid the ransom?

#3 K.A.T (OP), November 07, 2015, 11:44:36 AM

This is for my brother, who has nothing to do with Bitcoins... He had to pay to get his business data.

Bitstamp just confirmed that none of their users use this email address... which most probably is for Multibit or something like that...

#4 shorena, November 07, 2015, 11:46:47 AM

Quote from: K.A.T
This is for my brother, who has nothing to do with Bitcoins... He had to pay to get his business data.

Bitstamp just confirmed that none of their users use this email address... which most probably is for Multibit or something like that...

Multibit is not a service, it's a wallet, and as such does not require an email address.

IIRC the last time[1] someone was asked to pay a bounty it turned out the data was not properly encrypted, but I don't remember if it was found out too late or not.

[1] as in the last time there was a thread here about it that I noticed.


#5 BillyBobZorton, November 07, 2015, 02:25:40 PM

I can predict that we'll start having tons of spam email from random Nigerians asking for Bitcoin soon. "Hi, I'm the prince of Nigeria, please deposit BTC here: (address)". People are really getting desperate for the new gold.

#6 Possum577, November 07, 2015, 03:24:56 PM

The official stance should be: We do not negotiate with ransom attackers using Bitcoin!


#7 franky1, November 07, 2015, 03:39:14 PM

My post is about crappy script kiddies who try to copycat the actual CryptoLocker encryption scam/blackmail.

A few script kiddies have tried to scam people without using encryption, although their demanding 'splash screens' pretend it's encrypted, but instead just by modifying file properties and file associations.

Firstly they script some code to turn .exe, .doc, .xls into a different .xxx file type, e.g. .encrypt. The data has not changed; in layman's terms only the file name changed.

They then change the file association so that .encrypt files are associated with a basic splash screen warning.

Thus the data is not touched, but if you try to open files it doesn't open the exe shell or the Microsoft Office programs; it opens the scam artist's splash screen.

Attempts to rename the file back to .exe or .doc are usually tiresome unless you have disabled the scam artist's script from running in the background first.

..


And by the way: BACK UP YOUR DATA if it's sensitive or valuable, because the clear-shot way of sorting out any blackmail over data is to have copies saved so that you can just factory-restore your computer and laugh at the blackmailers.


Again, back up all data, even if your computer is never going to get scammed using viruses:

it can be stolen in home invasions
family may delete files to make room for their 'selfies'
disgruntled employees/co-workers may delete files
data corruption due to many unrelated issues
physical damage to the computer due to household/workplace accidents
electrical issues causing data loss
even blackouts mean the data is stuck on a computer that you can't turn on..

backup-backup-backup

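The rename-only trick franky1 describes above, and shorena's earlier point that ransomed data sometimes turns out not to be encrypted at all, both come down to one triage question: do the "encrypted" files still carry their original bytes? The script below is an added example, not code from this thread or from anyone posting in it. It checks the file headers and byte entropy of files carrying a bogus extension and strips the extension only from the ones whose real format survived. The `.encrypt` extension, the file names and the sample contents are constructed for the demo. Run it against a copy of the affected folder, and only after the background renamer has been stopped, or it will just rename the files again.

```python
"""Is the data really encrypted, or only renamed?

Added example for this thread, not code posted by anyone here.  The
sample files are constructed below; the .encrypt extension and the file
names are assumptions for illustration.
"""
import hashlib
import math
import os
import tempfile
from collections import Counter

# Leading bytes of formats a rename-only "encryptor" leaves untouched.
MAGIC = {
    b"MZ": "exe (PE)",
    b"PK\x03\x04": "zip / docx / xlsx",
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "doc / xls (OLE2)",
    b"%PDF": "pdf",
}
TEXT_BYTES = set(range(32, 127)) | set(b"\r\n\t")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: near 8.0 for ciphertext, well below for most documents."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify(head: bytes) -> str:
    """Verdict for the first few KiB of a file."""
    for magic, name in MAGIC.items():
        if head.startswith(magic):
            return f"renamed ({name} header intact)"
    if head and all(b in TEXT_BYTES for b in head[:512]):
        return "renamed (plain text)"
    if shannon_entropy(head) > 7.5:
        return "likely-encrypted (high entropy, no known header)"
    return "unknown (inspect manually)"


def triage_dir(path: str, ext: str = ".encrypt") -> dict:
    """Map every *.encrypt file directly under `path` to its verdict."""
    verdicts = {}
    for name in sorted(os.listdir(path)):
        if name.endswith(ext):
            with open(os.path.join(path, name), "rb") as f:
                verdicts[name] = classify(f.read(4096))
    return verdicts


def restore_renamed(path: str, ext: str = ".encrypt") -> list:
    """Strip the bogus extension from files whose real content survived.

    Do this only after the renamer process/script has been stopped (see the
    post above); otherwise the files are simply renamed again.  Files judged
    encrypted or unknown are left alone.  Returns the restored names.
    """
    restored = []
    for name, verdict in triage_dir(path, ext).items():
        if not verdict.startswith("renamed"):
            continue
        original = name[: -len(ext)]
        target = os.path.join(path, original)
        if os.path.exists(target):  # never clobber a surviving original
            continue
        os.rename(os.path.join(path, name), target)
        restored.append(original)
    return sorted(restored)


def make_samples(path: str) -> None:
    """Constructed files: four renamed-only, one with ciphertext-like content."""
    samples = {
        "report.docx.encrypt": b"PK\x03\x04" + b"\x00" * 26 + b"word/document.xml" + b"\x00" * 200,
        "tool.exe.encrypt": b"MZ\x90\x00" + b"\x00" * 60 + b"This program cannot be run in DOS mode.",
        "ledger.xls.encrypt": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 504,
        "memo.txt.encrypt": b"Quarterly accounting memo: Q3 receivables reconciled.\n" * 80,
        # Stand-in for real ciphertext: chained SHA-256 outputs, ~8 bits/byte.
        "secrets.db.encrypt": b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128)),
    }
    for name, data in samples.items():
        with open(os.path.join(path, name), "wb") as f:
            f.write(data)


def demo() -> dict:
    """Build the samples in a temp dir, triage them, then restore what is safe."""
    d = tempfile.mkdtemp(prefix="fake-ransom-")
    make_samples(d)
    verdicts = triage_dir(d)
    return {"verdicts": verdicts, "restored": restore_renamed(d)}


if __name__ == "__main__":
    for name, verdict in demo()["verdicts"].items():
        print(f"{name:24} {verdict}")
```

The header check is what separates the two cases: a Word or Excel file that still starts with its PK or OLE2 signature was never encrypted, however the ransom screen looks, while a file with no recognisable header and close to 8 bits of entropy per byte most likely was. The entropy threshold is a heuristic, so anything that lands in "unknown" gets a manual look rather than a rename.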

#8 ajareselde, November 07, 2015, 03:47:10 PM

This type of ransomware is all over the place recently; there was an article even in my local news portal about it. People need to understand that the power of such malicious tools is in the money they get out of the ransom, so to put it away for good, all people need to do is wipe the drives and accept the loss of their data. If everyone did that, no one would bother to spread it any more. BTW, who still runs untrusted executables?!

#9 Meuh6879, November 07, 2015, 04:01:00 PM

Quote from: ajareselde
This type of ransomware is all over the place recently.

Control your dumbass server... and change the access key every week! Not every 2 years...

#10 ajareselde, November 07, 2015, 04:09:44 PM

Quote from: Meuh6879
This type of ransomware is all over the place recently.

Control your dumbass server... and change the access key every week! Not every 2 years...

Yeah, your gif really describes users that have these types of intrusions. BTW, changing access keys won't help the ignorant ones who get themselves infected anyway; I would rather suggest caution when dealing with unknown applications and JDBs.

#11 Meuh6879, November 07, 2015, 04:16:30 PM

Quote from: ajareselde
BTW, changing access keys won't help the ignorant ones who get themselves infected anyway

At the beginning, it's the SERVER (and the guy running the website) that is fully responsible for spreading the virus... don't lose sight of the first problem.

Well, if users open a corrupted mail (exploiting an old browser flaw to inject ransomware)... it's not a server problem.

#12 ajareselde, November 07, 2015, 04:26:07 PM

Quote from: Meuh6879
(quoting ajareselde) BTW, changing access keys won't help the ignorant ones who get themselves infected anyway

At the beginning, it's the SERVER (and the guy running the website) that is fully responsible for spreading the virus... don't lose sight of the first problem.

Well, if users open a corrupted mail (exploiting an old browser flaw to inject ransomware)... it's not a server problem.

I believe 99% of the infected users picked up malware from torrent files, variations of activators with bound trojans, and Java drive-bys, and none of these infections can be prevented on any server side. And many of those people get infected because they trust their antivirus and firewall software too much, which can't even detect crypted files (unless it has proactive defense that picks it up due to its behaviour).

#13 Envrin, November 07, 2015, 04:29:54 PM

This scam is as old as dirt. Before Bitcoin, they would tell people to visit their local convenience store and purchase a MoneyPak card or similar in order to "unlock" their computers. It depends on how good the hackers are whether or not the info is actually encrypted/inaccessible. If the hackers are good, you have no real choice but to pay them to unlock your data. If they don't know what they're doing, you can probably just clean the computer and get rid of the virus yourself.

Then tell your brother to quit downloading crap, visiting porn sites, and/or opening e-mail attachments from people he doesn't know.

#14 OnkelPaul, November 07, 2015, 04:37:56 PM

Have you looked at http://support.kaspersky.com/viruses/disinfection/8547 ?
It seems that at least for some crypto locker type trojans, Kaspersky has decryption utilities.

Of course, as others have noted, regular backups rule. Make sure that whatever happens to your computer, you can just continue with a new one (or reformatted one in a case like this.)
Making backups is like brushing your teeth: If you don't do it, you'll only realize that you should have done it when it's too late. Make it a regular exercise to back up your data!

Alas, anti-virus software can't always protect you - some trojans have ever-changing contents and behavior that makes it hard for AV software to recognize them, even with heuristics.
Brain 2.0 is a much better protection against this kind of malware - if something's smelly about an e-mail you got, even when the sender's address is one you recognize, your first suspicion is often correct.

Onkel Paul


#15 bill gator, November 07, 2015, 06:49:40 PM

As other users have stated before, it is ESSENTIAL to back up anything that is truly important or of value, twice, on separate media.
Never let someone blackmail you because you forgot to back up your wallet or other important files. It will just make you facepalm for ages.


#16 AtheistAKASaneBrain, November 07, 2015, 06:55:14 PM

I would never have valuable information on a Windows machine. If you do, at least just copy it to a USB stick and a trusted cloud somewhere on the internet (after encrypting it with a strong password, of course). I don't understand how people fall for this ransomware crap; it doesn't seem that sophisticated. Just keep your stuff updated and don't click on dodgy shit.

#17 K.A.T (OP), November 07, 2015, 07:39:55 PM

Hi all,

Thanks for the replies. Unfortunately the backup drive was connected to the server and got encrypted. It is not a virus but a person who logged in using RDP, according to his answer when we asked how he broke in.

If we had time we would not pay and would try other methods... but the need for the accounting data made the decision to pay.
He was wrong and is feeling the mistake.....
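The detail that matters most in the post above is that the attacker came in over RDP rather than through a dropper. The evidence for that lives in the server's Windows Security log, where a remote desktop logon is event 4624 with logon type 10 (RemoteInteractive) and each failed guess is a 4625. The script below is an added example, not code from this thread. It runs detection logic over constructed event lines (flattened key=value stand-ins for exported events, with the attacker placed on a documentation address) and reports external RDP logons, plus those preceded by a burst of failures from the same source. That the real intrusion was a password-guessing one is my assumption for the sample; the post only says RDP was used.

```python
"""Find Internet-facing RDP logons in Windows Security events.

Added example, not code from this thread.  4624/4625 and LogonType 10
(RemoteInteractive) are the real Windows event IDs and logon type; the
log lines, the one-line key=value layout (a flattened stand-in for an
exported event) and the account names are constructed for the demo.
"""
import ipaddress
from datetime import datetime, timedelta

SAMPLE_LOG = """\
2015-11-05T22:41:03Z 4625 LogonType=10 Account=administrator Src=203.0.113.45
2015-11-05T22:41:09Z 4625 LogonType=10 Account=administrator Src=203.0.113.45
2015-11-05T22:41:15Z 4625 LogonType=10 Account=admin Src=203.0.113.45
2015-11-05T22:41:22Z 4625 LogonType=10 Account=backup Src=203.0.113.45
2015-11-05T22:41:30Z 4625 LogonType=10 Account=administrator Src=203.0.113.45
2015-11-05T22:41:37Z 4625 LogonType=10 Account=administrator Src=203.0.113.45
2015-11-05T22:47:12Z 4624 LogonType=10 Account=administrator Src=203.0.113.45
2015-11-06T08:02:11Z 4624 LogonType=10 Account=j.smith Src=192.168.1.23
2015-11-06T09:15:40Z 4624 LogonType=2 Account=j.smith Src=-
2015-11-06T11:30:05Z 4625 LogonType=10 Account=j.smith Src=192.168.1.23
"""

# What counts as "inside" is policy: RFC 1918 plus loopback and link-local here.
# (203.0.113.0/24 is a documentation range, used as the stand-in attacker.)
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                  "127.0.0.0/8", "169.254.0.0/16")]


def parse(log: str) -> list:
    """One dict per line: time, id, plus the key=value fields."""
    events = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, event_id, *fields = line.split()
        ev = {"time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "id": int(event_id)}
        for field in fields:
            key, _, value = field.partition("=")
            ev[key] = value
        events.append(ev)
    return events


def is_external(src: str) -> bool:
    """True for an address outside INTERNAL_NETS; '-' (console/local) counts as internal."""
    try:
        ip = ipaddress.ip_address(src)
    except ValueError:
        return False
    return not any(ip in net for net in INTERNAL_NETS)


def external_rdp_logons(events: list) -> list:
    """Every successful RemoteInteractive logon from outside is a finding on its own."""
    return [e for e in events
            if e["id"] == 4624 and e.get("LogonType") == "10"
            and is_external(e.get("Src", "-"))]


def guessing_then_success(events: list, threshold: int = 5,
                          window: timedelta = timedelta(minutes=15)) -> list:
    """External RDP successes preceded by >= threshold failures from the same IP
    within `window`: the classic password-guessing signature."""
    findings = []
    for ok in external_rdp_logons(events):
        fails = [e for e in events
                 if e["id"] == 4625 and e.get("Src") == ok["Src"]
                 and ok["time"] - window <= e["time"] < ok["time"]]
        if len(fails) >= threshold:
            findings.append({
                "src": ok["Src"], "account": ok["Account"],
                "failures": len(fails),
                "tried": sorted({e["Account"] for e in fails}),
                "at": ok["time"].isoformat(),
            })
    return findings


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    for f in guessing_then_success(evs):
        print(f"{f['at']} {f['src']} -> {f['account']} "
              f"after {f['failures']} failures, tried {f['tried']}")
```

On the sample the only external success is the administrator logon from 203.0.113.45, and it is preceded by six failures across three account names inside a minute, which is the pattern that should have triggered an alert (or an account lockout) before any file was touched. An RDP service reachable from the Internet with password-only authentication is the root cause here, whatever the malware did afterwards; the earlier advice about rotating keys does nothing for that.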

#18 K.A.T (OP), November 07, 2015, 08:05:33 PM

Google has not replied yet about who this person sending us messages is or where they are located.

#19 K.A.T (OP), November 08, 2015, 06:44:15 AM

Hi all.

Just to share, we received the reply from the attacker as shown below.

Waiting for my brother to check and decrypt. I don't know if this works or not.



---------- Forwarded message ----------
From: Jack Williams <mushelps@gmail.com>
Date: 2015-11-07 18:12 GMT+03:00
Subject: Re: Fwd: Email
To:

Hello!

Do you have a process in memory called lsassw86s.exe? If yes, kill the process lsassw86s.exe first.
Also delete the file c:\windows\system32\lsassw86s.exe.

Now you can run the decrypt tool.

1st Decrypt password: 145C7C3F238B235F36C19125854FC9A77A6K7)CIAu4wCUBc407T2(E3B43vEQ4q8R9I1g5b7kB*9fDzE3EwEa1+8i5N4F8)Dt4v712QB=5d0q8i0k
2nd Decrypt password: 21063857F60263D5921FFD2CB9B24E569(C54l6sDI9u1v4d7C2p7dA(BDCICSCv9FCl98744MEy8&BO7p7VASEo2@EXCODQCf619-DU6gCa4q9E0u
3rd Decrypt password: quu*A**$$quu*V$uLFquu*V$uLF


Decryption tool (password for the archive: 123):

https://www.sendspace.com/file/ex2rs1

Download it and unpack to any folder. The program also requires administrator rights (use an administrator account).

Run decrypt.exe.

Copy and paste the 1st, 2nd and 3rd Decrypt passwords into the decrypt tool's 3 fields.

If you have not stopped our software, use the decryption tool anyway, because the tool will stop our software before decrypting the files.

It is very important to stop our software service (and don't delete any files in the ProgramData folder before stopping it), because your decrypted
files may be encrypted again.

p.s. When you start the decrypt tool it will seem as if the program is hanging, but everything is fine; just wait for the message about
successful completion of decrypting and don't touch the decrypt window with your mouse.

If you have any questions or troubles in decrypting, feel free to contact me.


Thank you!

#20 S4VV4S, November 08, 2015, 09:35:39 AM

How did your brother download the scam tool and run it in the first place?
Can he trace the source?