Megalocker Virus



2 hours ago, Mr_Ohrberg said:

Ok, but have there been keys added since May for the MegaLocker tool?

I'm not generally told when new keys are found and added to such a database; however, I don't expect that our malware analysts would have had a chance to add many new keys.

 

2 hours ago, Mr_Ohrberg said:

Just tried to run "decrypt_MegaLocker.exe" as admin but it won't start...?

Some Anti-Virus software may terminate it, or cause it to fail to execute.


Try to do as it is written here:

On 10/18/2019 at 8:51 AM, GT500 said:

Let's try getting a diagnostic log. The instructions and download are available at the following link:
https://help.emsisoft.com/en/1735/how-do-i-use-the-emsisoft-diagnostic-tool/


It might also be useful to get logs from FRST. You can find instructions for downloading and running FRST at the following link:
https://help.emsisoft.com/en/1738/how-do-i-run-a-scan-with-frst/

 


On 10/27/2019 at 11:17 AM, Van said:

As I'm in the same case as many, would it be useful for you if I sent a bundle of encrypted and unencrypted files to help Emsisoft find more "keys" and make your decryption tool effective (for MegaLocker)?

Unfortunately that won't work with the type of encryption that MegaLocker uses. If it did, then our decrypter would allow everyone to get their files back without us needing to have their decryption keys on file first.

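The reply above says file pairs cannot help because of the kind of encryption MegaLocker uses. The following script is an added illustration of that point, not code from the thread or from Emsisoft: the thread does not describe MegaLocker's actual algorithm, so both ciphers below are toy constructions. With a single repeating key shared across files, one plaintext/ciphertext pair leaks the key and decrypts everything; with a fresh random key per file and a keystream derived through a one-way hash, the same pair yields only that one file's keystream and nothing that helps with any other file.

```python
"""Why plaintext/ciphertext file pairs help against a weak cipher and not a
sound one.  Added illustration, not code from the thread; the thread does not
describe MegaLocker's real algorithm, and both ciphers here are toy
constructions built only for this demonstration."""
import hashlib
import os


def xor_bytes(a, b):
    """XOR two byte strings, truncated to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


# --- Weak scheme: one short key, repeated, reused for every file -------------
def weak_encrypt(data, key):
    """Repeating-key XOR.  Encryption and decryption are the same operation."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_repeating_key(plain, cipher, keylen):
    """Known-plaintext attack: plain XOR cipher over one key period is the key,
    and because the key is shared, it decrypts every other file too."""
    if len(plain) < keylen or len(cipher) < keylen:
        raise ValueError("need at least one full key period of known plaintext")
    return xor_bytes(plain[:keylen], cipher[:keylen])


# --- Sound scheme: fresh random key per file, keystream from a hash ----------
def keystream(file_key, length):
    """Counter-mode keystream made of SHA-256(file_key || counter) blocks.
    Recovering file_key from the keystream would need a SHA-256 preimage."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(file_key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def strong_encrypt(data, file_key):
    """XOR the data with a keystream that depends on this file's own key."""
    return xor_bytes(data, keystream(file_key, len(data)))


def recover_keystream(plain, cipher):
    """Known plaintext gives this file's keystream and nothing about file_key,
    so it cannot be applied to any other file."""
    return xor_bytes(plain, cipher)


def demo():
    """Run both attacks on two constructed 'photos' and report what each recovers."""
    # Constructed sample files: the victim still has a clean copy of photo_a
    # (e.g. from a phone) and wants photo_b back.
    photo_a = b"\xff\xd8\xff\xe0 JFIF photo A pixel data " * 6
    photo_b = b"\xff\xd8\xff\xe0 JFIF photo B pixel data " * 2

    # Weak scheme: the same 16-byte key encrypted both files.
    shared_key = os.urandom(16)
    weak_a = weak_encrypt(photo_a, shared_key)
    weak_b = weak_encrypt(photo_b, shared_key)
    guessed_key = recover_repeating_key(photo_a, weak_a, 16)
    weak_b_recovered = weak_encrypt(weak_b, guessed_key) == photo_b

    # Sound scheme: each file got its own random key.  In real ransomware those
    # keys are then sent to, or wrapped for, the attacker's server (not shown).
    key_a, key_b = os.urandom(32), os.urandom(32)
    strong_a = strong_encrypt(photo_a, key_a)
    strong_b = strong_encrypt(photo_b, key_b)
    stream_a = recover_keystream(photo_a, strong_a)
    strong_b_recovered = xor_bytes(strong_b, stream_a) == photo_b

    return {
        "weak_key_recovered": guessed_key == shared_key,
        "weak_other_file_decrypted": weak_b_recovered,
        "strong_other_file_decrypted": strong_b_recovered,
    }


if __name__ == "__main__":
    print(demo())
```

The per-file random key is what makes the difference. If the sound scheme reused one key and counter for every file, the keystream recovered from photo A would decrypt every other file of equal or shorter length, which is the weak case in different clothing; that is the kind of mistake that lets a decrypter work from file pairs, and it is the mistake the reply above says MegaLocker did not make.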

1 month later...
On 12/15/2019 at 11:50 AM, Mr_Ohrberg said:

So in other words, if we can't decrypt our files already, we are pretty much f...ed?

There's always the possibility that law enforcement will catch the criminals behind the ransomware; however, it often takes a lot of time for that to happen, especially since these are usually international criminals in cases like this.


3 months later...

Hi Emsisoft, attached you will find an encrypted and the unencrypted version of a picture from my WD NAS, which has been infected by MegaLocker.

I'm on a Mac computer, so I believe that it was done through Samba, on the 13th of March 2019.

I don't know if it will help, but I really want to get my family pictures back. Maybe I should send the same content to Western Digital to see if they can help?

Maybe I should also share it with BleepingComputer? I don't mind spending $250 to get those pictures back, but as you recommend, I won't until I think there is some kind of hope…

IMG_9541.JPG

IMG_9541.JPG.crypted


18 hours ago, Van said:

Hi Emsisoft, attached you will find an encrypted and the unencrypted version of a picture from my WD NAS, which has been infected by MegaLocker.

I'm on a Mac computer, so I believe that it was done through Samba, on the 13th of March 2019.

I don't know if it will help, but I really want to get my family pictures back. Maybe I should send the same content to Western Digital to see if they can help?

Maybe I should also share it with BleepingComputer? I don't mind spending $250 to get those pictures back, but as you recommend, I won't until I think there is some kind of hope…

If it's Megalocker then our decrypter only works on older versions of this ransomware, as we only have keys for earlier variants of it. I've asked our malware analysts for confirmation that it's Megalocker, since ID Ransomware isn't able to identify it.


4 hours ago, GT500 said:

If it's Megalocker then our decrypter only works on older versions of this ransomware, as we only have keys for earlier variants of it. I've asked our malware analysts for confirmation that it's Megalocker, since ID Ransomware isn't able to identify it.

Thanks GT500. I have attached the decrypt_instruction.txt file; it is MegaLocker for sure. I just messed up the date: my NAS was encrypted on the 14th of March 2019. A minor issue is that I don't have a PC, so a friend of mine gave me one to test and try your decrypter, but it didn't work. The other issue (or maybe a solution): my NAS has a RAID 0 (2x 2 GB HDD) config, and I'm not really sure how to bypass that, or try to just mount the second drive separately to see if the files have also been encrypted. I asked WD a year ago, but they never answered on how to mount the second drive individually (and access the files). Anyway, thanks a lot for your answer, and maybe a last question: is your decrypter theoretically working both for NamPoHyu and MegaLocker, or only with the NamPoHyu version?

Extra information: I don't know if it can help, but I live in Switzerland, Geneva (at the time my NAS was encrypted).

Thanks for everything, and stay safe at home during this strange pandemic period.

!DECRYPT_INSTRUCTION.TXT


@Van it's definitely Megalocker. ID Ransomware can't identify it because the encrypted files have no file marker, so it requires a ransom note for identification.

The ID in your ransom note doesn't match any we have keys for, so we won't be able to decrypt your files. We were never able to obtain any more keys for Megalocker, so anything newer than our original decrypter release we can't decrypt.

Be sure to reset your NAS back to its default configuration (you may also want to flash the firmware to be on the safe side and then reset it again), and then reconfigure it. Make sure that no ports are forwarded to the NAS from your router, make sure that UPnP is disabled in your router (it is not safe), and make sure that there is no guest account configured on your NAS (if one exists then it should be possible to disable it).


So basically, you suggest fully erasing, resetting, etc. my NAS and forgetting about all its utilities (UPnP, guest account, and even Samba enabled, FTP, etc.) because your decrypter is actually not able to decrypt MegaLocker. I don't understand why this apparently "basic" issue looks unsolvable: those two ransomware are pretty close; I can hardly believe that they weren't made by the same guys, and one is a copy of the other. If that's not the case, why keep suggesting that you have a decrypter for MegaLocker when it can only work with NamPoHyu? Change the name please, because you create more disappointment than anything else.

I don't understand why you suggest erasing my NAS when I want to find a solution to get some of my data back. If you're not able to help in the end, I will look for another company to solve this issue, or even pay the ransom, because why would I spend money to protect myself from ransomware if you or any other company providing ransomware protection are not even able to understand the way victims have been "infected"?

Thanks for your help, but keep in mind that the prizes Emsisoft received for its efforts to fight the ransomware invasion don't really reflect your ability to solve the MegaLocker issue (so change the name of your decrypter).

 


15 hours ago, Van said:

So basically, you suggest fully erasing, resetting, etc. my NAS and forgetting about all its utilities (UPnP, guest account, and even Samba enabled, FTP, etc.) because your decrypter is actually not able to decrypt MegaLocker.

No, my recommendation had nothing to do with our decrypter. I was recommending basic security procedures to secure your NAS device.

Some analysts believe that MegaLocker infects the NAS device in order to encrypt files and resetting the NAS device to defaults, flashing the firmware, and then resetting it again should get rid of any malicious code that has been executing on the device.

Since UPnP can be used maliciously to change settings on your router, and since your NAS may use it to ask your router to forward ports that would put it at risk, it should always be disabled.

Since the guest account on Synology NAS devices (and other similar devices that have been affected by MegaLocker) is the account that is being abused by MegaLocker when it performs its attack, this account should be disabled. Since this account is not needed to access files on your NAS, disabling it should not cause any problems with accessing your files.

Lastly, the SMB protocol is not one that is known for security or safety, and SMB ports should never be forwarded in your router to any device on your network, as this allows direct attacks against those devices via the Internet.

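The reply above lists the NAS settings to fix: no guest account, no UPnP, no SMB ports forwarded. On a Linux-based NAS most of the guest-access part lives in Samba's smb.conf, and the script below is an added example (not from the thread, Emsisoft, or any NAS vendor) that parses that file and flags the settings which turn a share into an anonymous one: a "map to guest" fallback, "usershare allow guests", and "guest ok"/"public" or "guest only" on a share. The two configurations are constructed samples, one with the weak settings and one hardened; the parameter names and their defaults are Samba's documented ones. It also reports a missing "hosts allow", which is a LAN-side limit and does not replace the router check the reply asks for.

```python
"""Audit an smb.conf for guest-access settings of the kind the thread says
MegaLocker abuses.  Added example, not from the thread or from any NAS vendor.
Assumption: the NAS runs a stock Samba configuration file; the two configs
below are constructed samples, not pulled from a real device."""
import re

# Constructed "convenient" NAS config: anonymous access to a share, and failed
# logins silently mapped to the guest account.
WEAK_CONF = """
[global]
   workgroup = WORKGROUP
   security = user
   map to guest = Bad User
   usershare allow guests = yes

[photos]
   path = /shares/photos
   guest ok = yes
   read only = no

[backup]
   path = /shares/backup
   valid users = alice
"""

# Same shares with guest access removed and SMB limited to the LAN.
HARDENED_CONF = """
[global]
   workgroup = WORKGROUP
   security = user
   map to guest = Never
   usershare allow guests = no
   ; hosts allow is a LAN-side limit only; the router must still not forward 445
   hosts allow = 192.168.1. 127.
   hosts deny = ALL

[photos]
   path = /shares/photos
   guest ok = no
   valid users = alice
   read only = no

[backup]
   path = /shares/backup
   valid users = alice
"""

_TRUE = {"yes", "true", "1"}


def parse_smb_conf(text):
    """Parse smb.conf into {section: {parameter: value}}.  Section and
    parameter names are lower-cased with whitespace collapsed, matching
    Samba's case- and space-insensitive lookup."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            current = " ".join(header.group(1).lower().split())
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        sections[current][" ".join(key.lower().split())] = value.strip()
    return sections


def _is_true(value):
    return value.strip().lower() in _TRUE


def audit_guest_access(text):
    """Return [(section, finding), ...]; an empty list means no guest exposure
    was found.  Values assumed for absent parameters are Samba's documented
    defaults (map to guest = Never, guest ok = no, usershare allow guests = no)."""
    conf = parse_smb_conf(text)
    findings = []
    g = conf.get("global", {})

    map_to_guest = g.get("map to guest", "never").lower()
    if map_to_guest != "never":
        findings.append(("global", "map to guest = %s: failed logins become guest sessions" % map_to_guest))
    if _is_true(g.get("usershare allow guests", "no")):
        findings.append(("global", "usershare allow guests = yes: users can publish guest-readable shares"))
    if "hosts allow" not in g:
        findings.append(("global", "no hosts allow: Samba accepts connections from any source address"))

    for name, params in conf.items():
        if name == "global":
            continue
        # "public" is Samba's synonym for "guest ok"
        if _is_true(params.get("guest ok", params.get("public", "no"))):
            findings.append((name, "guest ok = yes: share accessible without credentials"))
        if _is_true(params.get("guest only", "no")):
            findings.append((name, "guest only = yes: all access to this share is forced to guest"))
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit_guest_access(conf) or "clean")
```

On a real device, feed the script the effective configuration (`testparm -s` prints it with defaults and includes resolved) rather than a hand-edited file, since vendor web interfaces often write to generated includes. A clean result here still says nothing about UPnP or port forwarding; those live on the router and have to be checked there.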

On 3/29/2020 at 6:39 AM, Van said:

I don't understand why this apparently "basic" issue looks unsolvable: those two ransomware are pretty close; I can hardly believe that they weren't made by the same guys, and one is a copy of the other. If that's not the case, why keep suggesting that you have a decrypter for MegaLocker when it can only work with NamPoHyu? Change the name please, because you create more disappointment than anything else.

They are the exact same malware, just different names; the only thing that changed was the extension. The reason we are able to decrypt MegaLocker at all is because we acquired keys from the criminal's servers. Period. They then changed servers and locked it down better, and continued attacking victims. We do not have keys for victims encrypted after that date, as only the criminals have those keys.

The crypto itself is otherwise secure and cannot be broken any other way without the keys.


3 months later...

6 months later...
17 hours ago, steveassens said:

Just checking in to see if anything has happened on this? Any developments that you can provide?

Thank you for your help

I am not aware of any changes to our decrypter or any new keys being acquired.


11 hours ago, steveassens said:

Please don't forget about this one 🤞

If there's anything we can do then we certainly will, however for the moment I think this one will be up to whether or not law enforcement can take possession of the server the criminal stored their database on.

