Ransomware: id-3509099450_[mk.goro@aol.com].0oxr4
UPDATE 6/8/2017: This is a CryptON variant; see below.
A new variant of Dharma CryptON (the CryptON 36 variant, to be precise) seems to have hit a server; here are some of the details I’ve been gathering.
Ransom Note
A file named ### DECRYPT MY FILES ###.txt is placed in each directory that contains encrypted files, with the following content:
*** ALL YOUR WORK AND PERSONAL FILES HAVE BEEN ENCRYPTED ***
To decrypt your files you need to buy the special software – «Nemesis decryptor»
You can find out the details / buy decryptor + key / ask questions by email: mk.goro@aol.com
Your personal ID: 3509099450
Encrypted Files
Encrypted files have the following extension appended to their original name: .id-3509099450_[mk.goro@aol.com].0oxr4
Registry Entry
An interesting Registry entry is observed (exported from the infected system; part of the export did not survive and is marked with …):
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\KJ8CvJIB1H5nRcJZ]
"KJ8CvJIB1H5nRcJZd"="32B7DAEBA948B330EA098023EE44F4C003D3ADFD3D1DFEC22DEA17F1030C8C5D"
"KJ8CvJIB1H5nRcJZn…vJIB1H5nRcJZs"="1"
A Google search for the .0oxr4 extension comes up short, as does a search for any of the information in the Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\KJ8CvJIB1H5nRcJZ.
Searching for the email mk.goro@aol.com indicates this may be a ransomware that can be decrypted, according to the ID Ransomware website. However, I have found nothing that works for decrypting.
I have attached two sample files: an original Informant SNMP zip file pulled from a backup, and the encrypted copy of the same file.
- Original: informant-std-17
- Encrypted (unzip): informant-std-17.zip.id-3509099450_[mk.goro@aol.com].0oxr4
Still a work in progress…
Update: 6/8/2017
Any files that are encrypted with the newest variant of CryptON (Cry9, Cry36, Cry128, X3M, Nemesis) will have a random 5 character hexadecimal extension appended to the end of the encrypted data filename (e.g. .id-1163283255_[liukang@mortalkombat.su].08c85, .id-1163283255_[mk.baraka@aol.com].830s7) and will leave ransom notes named ### DECRYPT MY FILES ###.txt.
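The two indicators this write-up gives (the ransom note name and the appended .id-<victim id>_[<email>].<5 chars> extension) are easy to turn into a file-name sweep that a responder can run over a restored share or a mounted image to confirm scope. The following is an added example, not code from the original post; it scans a constructed list of file names and, optionally, a directory tree. One assumption is labelled in the code: the post calls the trailing extension hexadecimal, but its own samples (.0oxr4, .830s7) contain non-hex letters, so the pattern accepts any five alphanumerics.

```python
import os
import re
from typing import Dict, Iterable, List, Optional

# Indicators taken from the write-up above.
RANSOM_NOTE_NAME = "### DECRYPT MY FILES ###.txt"

# CryptON (Cry9/Cry36/Nemesis) appends ".id-<victim id>_[<contact email>].<5 chars>".
# Assumption: the post says the last part is hexadecimal, but its own samples
# (.0oxr4, .830s7) contain non-hex letters, so five alphanumerics are accepted.
CRYPTON_SUFFIX = re.compile(
    r"\.id-(?P<victim_id>\d+)_\[(?P<email>[^\]]+)\]\.(?P<ext>[0-9a-z]{5})$",
    re.IGNORECASE,
)


def classify_name(name: str) -> Optional[Dict[str, str]]:
    """Return indicator details if a file name matches a CryptON IoC, else None."""
    if name == RANSOM_NOTE_NAME:
        return {"kind": "ransom_note", "name": name}
    m = CRYPTON_SUFFIX.search(name)
    if m:
        return {
            "kind": "encrypted_file",
            "original_name": name[: m.start()],  # name before the appended suffix
            "victim_id": m.group("victim_id"),
            "email": m.group("email"),
            "ext": m.group("ext"),
        }
    return None


def scan_names(names: Iterable[str]) -> Dict[str, object]:
    """Summarise a listing: encrypted files, ransom notes, distinct IDs and emails."""
    hits = [h for h in (classify_name(n) for n in names) if h]
    encrypted = [h for h in hits if h["kind"] == "encrypted_file"]
    return {
        "encrypted": encrypted,
        "notes": [h for h in hits if h["kind"] == "ransom_note"],
        "victim_ids": sorted({h["victim_id"] for h in encrypted}),
        "emails": sorted({h["email"] for h in encrypted}),
    }


def scan_tree(root: str) -> Dict[str, object]:
    """Walk a directory tree (a restored share, a mounted image) and apply scan_names."""
    names: List[str] = []
    for _dirpath, _dirs, files in os.walk(root):
        names.extend(files)
    return scan_names(names)


# Constructed sample listing: the names quoted in the write-up plus clean files.
SAMPLE_NAMES = [
    "informant-std-17.zip.id-3509099450_[mk.goro@aol.com].0oxr4",
    "### DECRYPT MY FILES ###.txt",
    "budget.xlsx.id-1163283255_[mk.baraka@aol.com].830s7",
    "budget.xlsx",
    "readme.txt",
]

if __name__ == "__main__":
    result = scan_names(SAMPLE_NAMES)
    for hit in result["encrypted"]:
        print(f"encrypted: {hit['original_name']} (id {hit['victim_id']}, {hit['email']})")
    print("ransom notes:", len(result["notes"]))
    print("victim ids:", result["victim_ids"])
```

Grouping hits by victim ID and contact email is deliberate: a second ID or a different email on the same share means more than one infection run, which changes what has to be restored and which ransom note belongs to which set of files. Point scan_tree at the root of the restored data to check that nothing matching the suffix survived the restore.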
There is an ongoing discussion in this topic where victims can post comments, ask questions and seek further assistance. Other victims have been directed there to share information, experiences and suggestions.
This is a Cry36 variant and apparently cannot be decrypted at this time; see: https://support.emsisoft.com/topic/27231-cry9-invalid-crypton-file-pair/?page=4#comment-171791
Good day, did you manage to solve something?
Thank you
PT
Hi Petr,
Not yet as far as decryption. I’ve been monitoring a couple forums to see if/when there is a decryption tool. The server was restored from backup, but I did keep an infected state image for further analysis if needed.
https://techish.net/2017/05/ransomware-id-3509099450_mk-goroaol-com-0oxr4/#update1
Do you know of any news about this topic?
I do not have an update to this at this time.
Any news?