(databases,backups, large excel sheets, etc.)
The total size of files must be less than 10Mb (non archived), and files should not contain valuable information.
Airmail cc for free#
After payment we will send you the decryption tool that will decrypt all your files.īefore paying you can send us up to 5 files for free decryption. The price depends on how fast you write to us. In case of no answer in 24 hours write us to these have to pay for decryption in Bitcoins.
If you want to restore them, write us to the e-mail this ID in the title of your message – This is the ransom note that the will show to its victims:Īll your files have been encrypted due to a security problem with your PC. The victims of this ransomware will be asked to contact the cyber criminals via the email address.
Airmail cc how to#
Once the ransomware has encrypted the files on your computer, it will display the “FILES ENCRYPTED.txt” text file that contains the ransom note and instructions on how to contact the authors of this ransomware. When these files are detected, the ransomware will encrypt them and change their extension to so that you are no longer able to be open them. (Disclaimer: Kindly use the link for research purposes only and be careful while accessing the link.The ransomware will scan your computer for images, videos, and important productivity documents and files such as. The Network Intelligence team received a DearCry ransomware sample from.Network Intelligence strongly recommends immediately updating all Microsoft Exchange Servers to the latest available patches released by Microsoft. Hence, prevention continues to be the best cure for this threat. For decryption, paying the threat actors is the only option. It is a typical example of how threat actors take advantage of newly disclosed vulnerabilities to make easy money.Īs of this blog’s publishing date, there are no publicly known weaknesses of DearCry ransomware that can help victims get back their files.
If you want to decrypt, please contact or please send me the following hash!ĭearCry is reasonably simple ransomware leveraging the ProxyLogon vulnerabilities of Microsoft Exchange Servers. Readme.txt Associated DearCry ransom note text Figure 6 Ransom Note DearCry / DoejoCrypt IOCsĭuring our analysis of the DearCry ransomware sample, the following IOCs were extracted. The victim will need to contact the Threat Actor (TA) by sending an email containing the hash values to the specified email address. The note contains two email addresses of the threat actor and a unique hash value. Post encryption of the files on the user system, the user is presented with a ransom note named “readme.txt,” which is saved on the victim’s desktop. Post the encryption process, the encrypted files will have the “.CRYPT” extension appended to them. (See Figure 4) Figure 4 Encrypted File header It also modifies the file headers and prepends “DEARCRY!” string at the start of the file header. Upon execution, DearCry starts encrypting files with the extension defined in Figure (2) on the victim’s system using AES-256 and RSA-2048 encryption algorithms. Here the PDB path points to a username John (See Figure 3) Figure 3 PDB Path We also found a Program Database (PDB) path during our analysis which most likely belongs to the threat actor’s system in which the ransomware was created. (See Figure 2) Figure 2 List of file extensions (See Figure 1) Figure 1 RSA-2048 Public KeyĪs we delved deeper into the malware, we found the list of file extensions that the ransomware will encrypt.
Airmail cc code#
Here, we have used IDA tool, a multi-platform, multi-processor disassembler that translates machine-executable code into assembly language source code for debugging and reverse engineering.ĭuring our analysis, we were able to get our hands on the RSA-2048 public key of the Threat actor. DearCry ransomware uses two encryption algorithms – AES-256 for encryption of files and RSA-2048 public key to encrypt the AES key.
0 kommentar(er)
