haggard

Megalocker Virus


It is recommended to upload a copy of the ransom note along with an encrypted file to ID Ransomware, at the site below, so that you can verify which ransomware you are dealing with:
https://id-ransomware.malwarehunterteam.com/

You can paste a link to the results into a reply if you would like one of our experts to review them.


OK, then it was either a Linux ransomware, or someone gained access to the NAS and was able to encrypt files remotely.

I take it you don't have another backup of the files?


Yes, I think someone has encrypted these files remotely.

I have checked every PC in my network that has access to the NAS. No ransomware was found.

Unfortunately there is no backup of these files. The backups are also encrypted.

If you need it, I have an encrypted file and the same file unencrypted, if that could help.

On 3/13/2019 at 10:55 AM, haggard said:

I've done this. 
The tool tells me it is Nemucod, but with the decrypter for Nemucod I've no chance to decrypt the files.
Link: 
https://id-ransomware.malwarehunterteam.com/identify.php?case=2e31923342c6ba65772e39f179af1919b2bbc314

The link to your IDR results indicates you only submitted a sample of an encrypted file with the .crypted extension, which is very generic and used by several different ransomwares, including Yoshikada Decryptor (GlobeImposter variant), Nemucod, and MegaLocker.

Uploading both encrypted files and ransom notes together provides a more positive match and helps to avoid false detections. Submitting any contact email addresses or hyperlinks provided by the criminals may also be helpful with identification.


As IDR indicates...currently there is not enough information about MegaLocker. I am not aware of any method to decrypt files encrypted by this ransomware without paying the ransom and obtaining the private keys from the criminals who created the ransomware unless they are leaked or seized & released by authorities. For now you can opt-in with IDR to be emailed if any further developments are made for this particular ransomware by clicking the link under Please check back later.

In cases where there is no free decryption tool, restoring from backup is not a viable option and file recovery software does not work, the only other alternative to paying the ransom (if you can even reach the criminals to pay) is to back up/save your encrypted data as is and wait for a possible solution...meaning, what seems like an impossibility at the moment (decryption of your data), there is always hope someday there may be a potential solution.

 


Unfortunately we can't know anything more about this ransomware without a copy of whatever was used to encrypt the files.

Note that it's possible the NAS was compromised in some way in order to facilitate encryption of the files, and if this is the case then it might not be safe to store any new files on it. If possible, back up all of the encrypted files, reset the settings for the NAS back to defaults, install the latest firmware update for the NAS, and then reset all settings to default again. After that you can reconfigure it and copy your encrypted files back to it if necessary.

Important: In order to prevent issues like this in the future, the NAS cannot be accessible from the Internet.
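
An added example, not part of the original post: one way to carry out the "back up all of the encrypted files" step so the copies can be checked again after they are copied back to the NAS. The function names, `manifest.json` and the sample files are assumptions made for illustration.

```python
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

ENCRYPTED_EXT = ".crypted"  # extension reported in this thread

def sha256_of(path: Path) -> str:
    """Hash in chunks so multi-gigabyte media files are not read into memory at once."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()

def preserve(src: Path, dst: Path, ext: str = ENCRYPTED_EXT) -> dict:
    """Copy every file ending in ext from src to dst, byte for byte, and record its hash."""
    dst.mkdir(parents=True, exist_ok=True)
    manifest = {}
    for f in sorted(p for p in src.rglob(f"*{ext}") if p.is_file()):
        rel = f.relative_to(src).as_posix()
        target = dst / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(f, target)  # copy2 keeps timestamps along with the bytes
        manifest[rel] = sha256_of(f)
        if sha256_of(target) != manifest[rel]:
            raise OSError(f"copy of {rel} does not match the source")
    (dst / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest

def verify(root: Path) -> list:
    """Return manifest entries that are missing or altered under root."""
    manifest = json.loads((root / "manifest.json").read_text())
    return [rel for rel, digest in manifest.items()
            if not (root / rel).is_file() or sha256_of(root / rel) != digest]

def demo() -> tuple:
    """Exercise both steps on constructed sample files (not real ransomware output)."""
    with tempfile.TemporaryDirectory() as tmp:
        nas, backup = Path(tmp, "nas"), Path(tmp, "backup")
        (nas / "photos").mkdir(parents=True)
        (nas / "photos" / "a.jpg.crypted").write_bytes(b"constructed sample 1")
        (nas / "b.doc.crypted").write_bytes(b"constructed sample 2")
        (nas / "notes.txt").write_text("not encrypted, so not copied")
        copied = preserve(nas, backup)
        intact = verify(backup)
        (backup / "b.doc.crypted").write_bytes(b"damaged")  # simulate a bad copy
        return sorted(copied), intact, verify(backup)
```

Run `preserve` against the NAS share before the reset, keep the destination on storage that is not attached to the NAS, and run `verify` on the restored folder afterwards.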


Hi!

Somehow I got this misery on my mediaserver/computer as well (Thank God I have a safe copy of all my 185Gb of pictures and video clips).

All other 13Tb of music and movies i decrypted... :(

Running Windows 10 Pro with all Windows Defender/security enabled and showing no signs of infection whatsoever, not even an offline scan showed any sign???

https://id-ransomware.malwarehunterteam.com/identify.php?case=ce812b2a70aa9060c255c958f53d0154d1cbbac7

The page above said "this ransomware is still under analysis", scrolling down a bit it says "Nemucod" in a bright green window with the text "This Ransomware is decryptable".

But after reading your post, @GT500, you say it's not?

And thanks for trying to help and prevent all us novice internet users around the world! ;)

 

/Great Regards

Morgan O.

 

 


ID Ransomware will provide different results according to what is submitted. Submitting an encrypted file with a common extension used by other ransomware usually results in a false positive. That is why, as I noted above, it is important to submit both encrypted files and ransom notes together as well as any contact email addresses or hyperlinks provided by the criminals. The more information, the more accurate the results.
