haggard

Megalocker Virus


Ok, but have there been keys added since May for the MegaLocker tool?

 

*EDIT*

Just tried to run "decrypt_MegaLocker.exe" as admin but it won't start...?

I'm on Win 10 PRO 64-bit.

Version 1809

OS-Version 17763.805

 

Any ideas?

2 hours ago, Mr_Ohrberg said:

Ok, but have there been keys added since May for the MegaLocker tool?

I'm not generally told when new keys are found and added to such a database, however I don't expect that our malware analysts would have had a chance to add many new keys.

 

2 hours ago, Mr_Ohrberg said:

Just tried to run "decrypt_MegaLocker.exe" as admin but it won't start...?

Some Anti-Virus software may terminate it, or cause it to fail to execute.


This program does not need forced administrator rights.
You should check your PC for malware and reset Group Policy rights if they were installed without your knowledge.


Try to do as it is written here:

On 10/18/2019 at 8:51 AM, GT500 said:

Let's try getting a diagnostic log. The instructions and download are available at the following link:
https://help.emsisoft.com/en/1735/how-do-i-use-the-emsisoft-diagnostic-tool/


It might also be useful to get logs from FRST. You can find instructions for downloading and running FRST at the following link:
https://help.emsisoft.com/en/1738/how-do-i-run-a-scan-with-frst/

 


We have not acquired any new keys since the release of the decryptor. The criminals stopped using that server by the time we got the keys, and have been infecting users from another server.


As I’m in the same case as many, would it be useful for you if I send a bundle of encrypted and unencrypted files to help Emsisoft find more “keys” and make your decryption tool effective (for MegaLocker)?


You can use external file hosting services and give us a link to download encrypted files and other files.

But we do not know how much this will help in your case.

https://filebin.net/
https://www.filehosting.org/
http://tinyupload.com/
https://transferxl.com/
https://wetransfer.com/
http://www.yourfilelink.com/

 

On 10/27/2019 at 11:17 AM, Van said:

As I’m in the same case as many, would it be useful for you if I send a bundle of encrypted and unencrypted files to help Emsisoft find more “keys” and make your decryption tool effective (for MegaLocker)?

Unfortunately that won't work with the type of encryption that MegaLocker uses. If it did, then our decrypter would allow everyone to get their files back without us needing to have their decryption keys on file first.

On 12/15/2019 at 11:50 AM, Mr_Ohrberg said:

So in other words, if we can't decrypt our files already, we are pretty much f...ed?

There's always the possibility that law enforcement will catch the criminals behind the ransomware, however it often takes a lot of time for that to happen, especially since these are usually international criminals in cases like this.


Hi Emsisoft, attached you will find an encrypted and the unencrypted version of a picture from my WD NAS, which has been infected by MegaLocker.

I'm on a Mac computer, so I believe that it was done through Samba, on the 13th of March 2019.

I don't know if it will help, but I really want to get my family pictures back, and maybe I should send the same content to Western Digital to see if they can help?

Maybe I should also share it with BleepingComputer? I don't mind spending $250 to get those pictures back, but as you recommend, I won't until I think there is some kind of hope…

IMG_9541.JPG

IMG_9541.JPG.crypted

18 hours ago, Van said:

Hi Emsisoft, attached you will find an encrypted and the unencrypted version of a picture from my WD NAS, which has been infected by MegaLocker.

I'm on a Mac computer, so I believe that it was done through Samba, on the 13th of March 2019.

I don't know if it will help, but I really want to get my family pictures back, and maybe I should send the same content to Western Digital to see if they can help?

Maybe I should also share it with BleepingComputer? I don't mind spending $250 to get those pictures back, but as you recommend, I won't until I think there is some kind of hope…

If it's Megalocker then our decrypter only works on older versions of this ransomware, as we only have keys for earlier variants of it. I've asked our malware analysts for confirmation that it's Megalocker, since ID Ransomware isn't able to identify it.

4 hours ago, GT500 said:

If it's Megalocker then our decrypter only works on older versions of this ransomware, as we only have keys for earlier variants of it. I've asked our malware analysts for confirmation that it's Megalocker, since ID Ransomware isn't able to identify it.

Thanks GT500, I have added the decrypt_instruction.txt file; it is Megalocker for sure. I just mixed up the date: my NAS was encrypted on the 14th of March 2019. A minor issue is that I don't have a PC, so a friend of mine gave me one to test and try your decrypter, but it didn't work. The other issue (or maybe a solution): my NAS has a RAID 0 (2x 2 GB HDD) config, and I'm not really sure how to bypass it or try to just mount the second drive separately to see if the files have also been encrypted. I asked WD a year ago, but they never answered on how to mount the second drive individually (and access the files). Anyway, thanks a lot for your answer, and maybe a last question: is your decrypter theoretically working for both NamPoHyu and Megalocker, or only with the NamPoHyu version?

Extra information: I don't know if it can help, but I live in Switzerland, Geneva (at the time my NAS was encrypted).

Thanks for all; stay safe at home during this strange pandemic period.

!DECRYPT_INSTRUCTION.TXT


@Van it's definitely Megalocker. ID Ransomware can't identify it because the encrypted files have no file marker, so it requires a ransom note for identification.

The ID in your ransom note doesn't match any we have keys for, so we won't be able to decrypt your files. We were never able to obtain any more keys for Megalocker, so anything newer than our original decrypter release we can't decrypt.

Be sure to reset your NAS back to its default configuration (you may also want to flash the firmware to be on the safe side and then reset it again), and then reconfigure it. Make sure that no ports are forwarded to the NAS from your router, make sure that UPnP is disabled in your router (it is not safe), and make sure that there is no guest account configured on your NAS (if one exists then it should be possible to disable it).


So basically, you suggest to fully erase+reset+etc... my NAS and forget about all its utilities (UPnP, guest account, and even Samba enabled, FTP, etc…) because your decryptor is actually not able to decrypt MegaLocker. I don't understand why this apparently "basic" issue looks unsolvable: those 2 ransomware are pretty close; I can hardly think that they've not been made by the same guys, and one is currently a copy of the other. If it's not the case, why keep suggesting that you have a decryptor for Megalocker whereas it can only work with NamPoHyu? Change the name please, because you create more disappointment than anything else.

I don't understand why you suggest to erase my NAS, when I want to find a solution to get some of my data back? If you're not able to help in the end, I will look for another company to solve this issue or even pay the ransom, because why would I spend money to protect myself from ransomware if you or any other company providing ransomware protection are not even able to understand the way victims have been "infected"?

Thanks for your help, but keep in mind that the prizes Emsisoft received for their efforts to fight against the ransomware invasion don't really reflect your ability to solve the MegaLocker issue (so change the name of your decryptor).

 

On 12/15/2019 at 5:50 PM, Mr_Ohrberg said:

So in other words, if we can't decrypt our files already, we are pretty much f...ed?

Did you look anywhere else to find a solution, Mr_Ohrberg?

15 hours ago, Van said:

So basically, you suggest to fully erase+reset+etc... my NAS and forget about all its utilities (UPnP, guest account, and even Samba enabled, FTP, etc…) because your decryptor is actually not able to decrypt MegaLocker.

No, my recommendation had nothing to do with our decrypter. I was recommending basic security procedures to secure your NAS device.

Some analysts believe that MegaLocker infects the NAS device in order to encrypt files, and resetting the NAS device to defaults, flashing the firmware, and then resetting it again should get rid of any malicious code that has been executing on the device.

Since UPnP can be used maliciously to change settings on your router, and since your NAS may use it to ask your router to forward ports that would put it at risk, it should always be disabled.

Since the guest account on Synology NAS devices (and other similar devices that have been affected by MegaLocker) is the account that is being abused by MegaLocker when it performs its attack, this account should be disabled. Since this account is not needed to access files on your NAS, disabling it should not cause any problems with accessing your files.

Lastly, the SMB protocol is not one that is known for security or safety, and SMB ports should never be forwarded in your router to any device on your network, as this allows direct attacks against those devices via the Internet.

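Added example (not code from this thread, from Emsisoft, or from any NAS vendor): a small Python audit of a Samba smb.conf for the guest-access settings the reply above says to disable, run on a constructed sample config, plus a function that rewrites the config with guest access switched off. It assumes the NAS exposes a Samba-style smb.conf; the share and path names are made up.

```python
import configparser
import io
# Constructed sample smb.conf (not from any real NAS): failed logins fall back
# to the guest account and one share is writable by guests.
SAMPLE_SMB_CONF = """[global]
workgroup = WORKGROUP
map to guest = Bad User
[Public]
path = /shares/Public
guest ok = yes
writable = yes
"""

# Samba options that expose a share to unauthenticated guests, and their truthy spellings.
GUEST_KEYS = ("guest ok", "public", "guest only")
TRUE_VALUES = ("yes", "true", "1")

def parse_smb_conf(text):
    # smb.conf is INI-like; configparser lower-cases option names for us.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    return cp

def guest_findings(text):
    """Return the sections of an smb.conf that permit guest access."""
    cp = parse_smb_conf(text)
    findings = []
    # 'map to guest = Bad User' turns a wrong password into a guest session.
    if cp.has_section("global") and cp["global"].get("map to guest", "Never").strip().lower() != "never":
        findings.append("global")
    for share in cp.sections():
        if share.lower() != "global" and any(
                cp[share].get(k, "no").strip().lower() in TRUE_VALUES for k in GUEST_KEYS):
            findings.append(share)
    return findings

def harden(text):
    """Return the same config with guest access switched off everywhere."""
    cp = parse_smb_conf(text)
    if not cp.has_section("global"):
        cp.add_section("global")
    cp["global"]["map to guest"] = "Never"
    for share in cp.sections():
        if share.lower() != "global":
            for k in GUEST_KEYS:
                cp.remove_option(share, k)  # drop every guest-enabling synonym
            cp[share]["guest ok"] = "no"
    out = io.StringIO()
    cp.write(out)
    return out.getvalue()
```

Running guest_findings on the sample flags both "global" and "Public"; the same check on harden's output returns nothing.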
On 3/29/2020 at 6:39 AM, Van said:

I don't understand why this apparently "basic" issue looks unsolvable: those 2 ransomware are pretty close; I can hardly think that they've not been made by the same guys, and one is currently a copy of the other. If it's not the case, why keep suggesting that you have a decryptor for Megalocker whereas it can only work with NamPoHyu? Change the name please, because you create more disappointment than anything else.

They are the exact same malware, just different names; the only thing that changed was the extension. The reason we are able to decrypt MegaLocker at all is because we acquired keys from the criminals' servers. Period. They then changed servers and locked it down better, and continued attacking victims. We do not have keys for victims encrypted after that date, as only the criminals have those keys.

The crypto itself is otherwise secure and cannot be broken any other way without the keys.
