Been contacted by a company just hit with ransomware.

Looks like they were hacked via remote desktop (weak password) on their server (..!)


Files are renamed to .encrypted and there's a matching *.how_to_get_back.txt for each .encrypted file.


Text in the note says:


All your data was Encrypted!
If you wanna get it back contact via email:
Your Personal ID: ********** (Removed)
WARNING: If you don't contact next 72 hours, then all DATA will be damaged unrecoverably!!!
However, have downloaded the apocalypse decrypter tool and tried a single file. The tool reports file doesn't appear to be encrypted then says "skipping file".
ID-Malware suggests it's either crypt0locker, keranger, or apocalypse - based on the .encrypted extension.
Can't be keranger (OSX), could be crypt0locker, but only ransom notes are by text file launched on login and paired text file, which seemed typical of Apocalypse.
Any way to confirm if this is a new variant or a misidentification? Or if it's decryptable?
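A responder looking at a box like the one described above usually wants two things before sending samples anywhere: an inventory of which .encrypted files have a paired note (and which notes have no file), and a quick check of whether a given .encrypted file actually contains ciphertext, since the decrypter's "file doesn't appear to be encrypted" verdict suggests the content may not match the extension. The script below is an added example written for this thread; it is not code from the original post, from Emsisoft, or from any decrypter. It assumes the note for `report.docx.encrypted` is named `report.docx.how_to_get_back.txt` (the pairing rule is an assumption, not stated on the page), uses a Shannon-entropy cutoff of 7.5 bits/byte over the first 4 KiB as a rough "looks like ciphertext" test (also an assumption), and builds its own constructed sample tree so it runs offline.

```python
"""Triage helper for a directory hit by an '.encrypted' renamer ransomware.

Added example for the thread above; not code from the original post or from any
decrypter. Naming rule and entropy cutoff are assumptions, see comments.
"""
import hashlib
import math
import tempfile
from collections import Counter
from pathlib import Path

ENCRYPTED_EXT = ".encrypted"            # extension reported on the victim's files
NOTE_SUFFIX = ".how_to_get_back.txt"    # per-file ransom note reported on the victim
ENTROPY_THRESHOLD = 7.5                 # bits/byte; assumed cutoff, not from the page


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty or constant input, 8.0 at most."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(data: bytes, threshold: float = ENTROPY_THRESHOLD) -> bool:
    """Ciphertext has a near-uniform byte distribution; plaintext and most file
    formats do not. A low score on an '.encrypted' file backs up a decrypter
    that says the file is not actually encrypted."""
    return shannon_entropy(data) >= threshold


def note_path_for(encrypted_file: Path) -> Path:
    """Assumed pairing: 'report.docx.encrypted' <-> 'report.docx.how_to_get_back.txt'."""
    original_name = encrypted_file.name[: -len(ENCRYPTED_EXT)]
    return encrypted_file.with_name(original_name + NOTE_SUFFIX)


def triage(root: Path, sample_bytes: int = 4096) -> dict:
    """Inventory a tree: every '.encrypted' file, those missing a note, notes with
    no matching file, and '.encrypted' files whose head does not look like ciphertext."""
    encrypted = sorted(p for p in root.rglob("*" + ENCRYPTED_EXT) if p.is_file())
    notes = {p for p in root.rglob("*" + NOTE_SUFFIX) if p.is_file()}
    result = {"encrypted": [], "missing_note": [], "orphan_notes": [], "low_entropy": []}
    paired = set()
    for f in encrypted:
        result["encrypted"].append(str(f))
        note = note_path_for(f)
        if note in notes:
            paired.add(note)
        else:
            result["missing_note"].append(str(f))
        with f.open("rb") as fh:
            head = fh.read(sample_bytes)   # only the first block is needed for the check
        if not looks_encrypted(head):
            result["low_entropy"].append(str(f))
    result["orphan_notes"] = sorted(str(n) for n in notes - paired)
    return result


def build_sample_tree() -> Path:
    """Constructed sample data: one ciphertext-like file with its note, one zero-filled
    '.encrypted' file with its note, and one note that has no file at all."""
    root = Path(tempfile.mkdtemp(prefix="triage_"))
    # Deterministic high-entropy bytes: a SHA-256 hash chain stands in for ciphertext.
    blob, chunk = b"", b"seed"
    while len(blob) < 4096:
        chunk = hashlib.sha256(chunk).digest()
        blob += chunk
    note_text = "All your data was Encrypted!\n"   # wording taken from the post's note
    (root / "report.docx.encrypted").write_bytes(blob)
    (root / "report.docx.how_to_get_back.txt").write_text(note_text)
    (root / "notes.txt.encrypted").write_bytes(b"\x00" * 4096)   # renamed, not encrypted
    (root / "notes.txt.how_to_get_back.txt").write_text(note_text)
    (root / "photo.jpg.how_to_get_back.txt").write_text(note_text)  # orphan note
    return root


if __name__ == "__main__":
    for key, items in triage(build_sample_tree()).items():
        print(f"{key}: {items}")
```

Point `triage()` at a copy of the affected share rather than the live server, and treat the `low_entropy` list as the set of files worth checking by hand before concluding the decrypter is wrong: a zero-filled or plaintext body under an .encrypted name is exactly what produces the "skipping file" message described above. Entropy is a heuristic, so already-compressed formats (archives, JPEGs) can score high without being encrypted; the pairing check does not have that weakness.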

This may be a new Apocalypse variant.

Could you send me a copy of an encrypted file and a copy of the same file unencrypted (If available), I will make sure our crypto expert gets them for analysis.
