Ransomware

From Leo's Notes
Last edited on 29 May 2019, at 03:38.

Mirai

A workstation from work got hit by a ransomware and encrypted everything accessible by the user on the local disk but not network shares. Each directory that was encrypted contained a file #RECOVERY_FILES#.txt with the following contents:

!!!YOUR FILES ENCRYPTED !!!
Contact us:
mirai@horsefucker.org
And tell us your unique ID
8sUJhVSslVJAcF2PZoRTzx+r5lOBYrSzS3xdQB4T1d+Xidbd+tu2RiaZq/GJzaPLYhXVu0lPesZbAOwPTCuV8lNVf1P7TlUeAd59+TSTAN36zEJIjW66MF1Q1np70/o2GIj2yD4EAAXuX5jRWG4Qz93/xk3wrxaEGuGz9Hqf0vSkETo4yyCsPeCnHVde6M3SStwMwTz4dFZnBeQez4QxkIviuhiv7mcs86iMxZ+oZuATWGaYKWqD9yI9rzP2qQy5ciJpNacDVs7f3BHrIK9fJ75BLDbdiq0oOtJpL9DRqZ07GAjofj5hWEvsLbce3aYrAJHvPlb1ULf5IShNby/lp8vqbwCToCE2bI8pwloizYzxqOKqyoa2sKTwyl1z07Wl54minh9tbXAvTxxE22prgf03hU5xQdsx/9qYk6yL9vHQDVvOQdly+tUIab9cNwcDV2lQ5t3DI21I6mRc8MML1C2aIrAcnTDHp2UaxmHbVRurdzMNqSoLm+oYRMWAMdHvstkeYdbFuQBc8w5MKXc7y9ZbLLnaCf4LslVA4xoThn4oFgY9QA746Te4oZj//t1kJoIWBo6yiXGeUbstogQGNa9ywBNT6lE+Z2B4VyFanJpv7Oi6zvYCoBCPT1miAKF+b8fHRwIUgkS9Z8dSNMyjuXLDhQOdQrW7Nz4vW8XDLVs=

Encrypted files were renamed with a .mirai extension.