leeng (Posted July 16, 2019)
Hi, my PC got infected by ransomware. I followed the instructions and all the files are prepared. However, I don't know how to upload them.
Amigo-A (Posted July 16, 2019)
It's simple! Here is an image. You can drag files into this window or select them by reference. Attach 2 encrypted files and a ransom note. Or use the service www.sendspace.com to upload files and give us a link to download.
Do not attempt to use the removal tools that some sites in Google search offer to delete and decrypt files. This is a lie and fakes. We will advise you of real decoders (decrypters), if they exist in reality or will be updated for existing ones.
leeng (Posted July 16, 2019)
Thanks!
Attachments: Addition.txt, FRST.txt, log.txt, how_to_back_files(1).html
Amigo-A (Posted July 17, 2019)
@leeng Hello. I ask you to place the file how_to_back_files(1).html in the archive and attach it to the new message. Server protection cleared this html-file from the addresses of extortionists. Or take a screenshot of this note from extortionists and attach it.
---
Logs indicate that malware is still in the system. Requires cleaning and cure.
leeng (Posted July 17, 2019)
@Amigo-A
All your data has been ciphered! The only way of recovering your files is to buy a unique decryptor. A decryptor is fully automatical, all your data will be recovered within a few hours after it’s installation. For purchasing a decryptor contact us by email:[email protected] If you will get no answer within 24 hours contact us by our alternate emails:[email protected] We assure full recovery after the payment. To verify the possibility of the recovery of your files we can decipher 1 file for free. Attach 1 file to the letter (no more than 25Mb). Indicate your personal ID on the letter
In reply we will send you an deciphered file and an instruction for purchasing an automatical decryptor for all your files. After the payment we will send you a decryptor and an instructions for protecting your computer from network vulnerabilities.. Attention! Only [email protected], [email protected] can decipher all your files. Launching of antivirus programs will not help. Changing ciphered files will result in a loose of data. Attempts of deciphering by yourself will result in a loose of data. Decryptors of other users are unique and will not fit your files and use of those will result in a loose of data.
Attachment: how_to_back_files(1).html
leeng (Posted July 17, 2019)
Screenshot attached
Amigo-A (Posted July 17, 2019)
Thank you! This is a new variant of Maoloa Ransomware. It attacks users in China and some other countries. Maoloa imitates the notes of GlobeImposter Ransomware and encrypts files. Until now, all antivirus engines recognize Maoloa as GlobeImposter. We are making an effort, sending new samples so that the detection changes. So far, only the ESET and Ikarus detections have changed to the name Maoloa.
leeng (Posted July 17, 2019)
@Amigo-A Thanks for the quick response. Is there a solution for this Maoloa ransomware?
Amigo-A (Posted July 17, 2019)
Unfortunately, it is still poorly researched. Specialists are working on this ransomware. The result is still not known. If something changes, for example, experts make a decryptor, then there will be an information message in my article. I keep track of all the options that I can find and send them to VirusTotal for AVs.
leeng (Posted July 17, 2019)
@Amigo-A They locked some really important files of mine. Is there a service I can hire somewhere to code a decrypter? Otherwise, sadly, there won't be an option but paying these criminals.
Amigo-A (Posted July 17, 2019)
Your logs indicate that malware is still in the system. Requires cleaning and cure. You will be answered by service support specialists to fix the virus infection. Stay on topic, maybe a bit later you will be given instructions for correction. Otherwise, encryption or other threat may be reactivated.
Amigo-A (Posted July 17, 2019)
Encrypted files are best collected in one place. So far there are no other solutions besides our research. No anti-virus company took over the decryption of files after this extortionist. There are many sites on the Internet that offer one “super” solution for all cases, but as you must understand, this is a hoax and fakes. I check and track all known decrypt-experts and they track my information.
leeng (Posted July 17, 2019)
@Amigo-A That's unfortunate, thanks anyway!!
leeng (Posted July 17, 2019)
deleted
leeng (Posted July 17, 2019)
Most ransomware duplicates the file and encrypts the duplicate. Afterwards the virus deletes the original files. Does that mean we can recover them from the HDD?
Amigo-A (Posted July 17, 2019)
Different ransomwares use different methods. They can create copies of files, encrypt them, and delete originals. But they can wipe the originals, fill with nulls or garbage. Others can rename files, and then do with them what I said above. Others do not encrypt the entire file. Others fill part of the file with junk, and encrypt important information. These are not all methods.
Only the easiest way, when copies of files are created, encrypted, and then the originals are deleted, can help restore files to about 80-90% of the total. A small part will still be unreadable or broken into pieces by Windows itself, due to the features of the file system and the operation of Windows with sectors and files.
If you want to try to recover something, then in order not to make standard mistakes, follow these recommendations of mine.
Important conditions for data recovery:
- the program that will restore the data must be on another disk;
- the disk on which the program will run should have a lot of free space;
- on the same disk, you must create a folder in advance to save the recovered information;
- the disk from which you want to recover data must be connected to the PC as second;
- the PC on which the data recovery runs will probably work for many hours without shutting down.
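The conditions listed in the post above can be checked mechanically before a recovery tool is started. The following is an added example, not part of the original thread or any poster's code; the names `Facts`, `check` and `gather` and the free-space threshold (room for everything stored on the source) are assumptions.

```python
import os
import shutil
import sys
from dataclasses import dataclass

@dataclass
class Facts:
    source_dev: int    # volume holding the deleted originals
    tool_dev: int      # volume the recovery program runs from
    out_dev: int       # volume of the pre-created output folder (-1 if missing)
    system_dev: int    # volume the running OS was started from
    out_exists: bool
    out_free: int      # bytes free on the output volume
    source_used: int   # bytes in use on the source volume

def check(f: Facts) -> list[str]:
    """Return the violated conditions; an empty list means go ahead."""
    problems = []
    if f.tool_dev == f.source_dev:
        problems.append("recovery program is on the disk being recovered")
    if f.source_dev == f.system_dev:
        problems.append("source is the running system disk, attach it as second")
    if not f.out_exists:
        return problems + ["output folder was not created in advance"]
    if f.out_dev == f.source_dev:
        problems.append("output folder is on the disk being recovered")
    if f.out_free < f.source_used:  # assumed threshold, see lead-in
        problems.append("output disk has less free space than the source holds")
    return problems

def gather(source: str, tool: str, out: str) -> Facts:
    """Collect the facts from the OS. st_dev identifies a volume, not a
    physical disk, so two partitions of one drive still look different."""
    system_root = os.environ.get("SystemDrive", "") + os.sep  # "C:\\" or "/"
    out_exists = os.path.isdir(out)
    return Facts(
        source_dev=os.stat(source).st_dev,
        tool_dev=os.stat(tool).st_dev,
        out_dev=os.stat(out).st_dev if out_exists else -1,
        system_dev=os.stat(system_root).st_dev,
        out_exists=out_exists,
        out_free=shutil.disk_usage(out).free if out_exists else 0,
        source_used=shutil.disk_usage(source).used,
    )

if __name__ == "__main__" and len(sys.argv) == 4:
    # Arguments: source volume, recovery program folder, output folder
    for line in check(gather(*sys.argv[1:4])) or ["all conditions met"]:
        print(line)
```

Because the comparison is per volume, confirm separately that the output folder sits on a different physical drive than the one being recovered.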
Amigo-A (Posted July 18, 2019)
Tell us the results later.