[Quads]

Hi All

I can't get hold of the dropper, but the one thing I am wondering for users, is the .lnk and personal files, .jpg, .docx, .mp3 etc.

Does the ransom encrypt the files or does it move the original files to another location, maybe hidden, then create .html files in the original location like "my photo.jpg.html"

Thanks

Quads

[markusg]

can you not get file started by lnk?

[Quads]

users are saying their photos etc have changed. Are they not encrypted but instead moved and a html file created in its place.

Like part of this log I found on pastebin

1.1s C:\ProgramData\Microsoft\User Account Pictures\guest.bmp.html
1.1s C:\ProgramData\Microsoft\User Account Pictures\user.bmp.html
1.2s C:\Users\John\AppData\Local\Microsoft\Internet Explorer\brndlog.txt.html
1.3s C:\Users\John\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico.html
1.3s C:\Users\John\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk.html
1.3s C:\Users\John\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Shows Desktop.lnk.html
1.3s C:\Users\John\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Internet Explorer.lnk.html
1.3s C:\Users\John\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Windows Explorer.lnk.html
1.4s C:\Users\John\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Windows Media Player.lnk.html
1.4s C:\Users\John\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Window Switcher.lnk.html
1.4s C:\Users\John\Desktop\HitmanPro - Snelkoppeling.lnk.html
1.4s C:\Users\John\Desktop\winhex\File Type Signatures Search.txt.html
1.4s C:\Users\John\Desktop\winhex\indexcha.txt.html
1.4s C:\Users\John\Desktop\winhex\user.txt.html
1.4s C:\Users\John\Links\Desktop.lnk.html
1.5s C:\Users\John\Links\Downloads.lnk.html
1.5s C:\Users\John\Links\RecentPlaces.lnk.html
1.6s C:\Users\Public\Music\Sample Music\Kalimba.mp3.html
1.8s C:\Users\Public\Music\Sample Music\Maid with the Flaxen Hair.mp3.html
2.0s C:\Users\Public\Music\Sample Music\Sleep Away.mp3.html
2.1s C:\Users\Public\Pictures\Sample Pictures\Chrysanthemum.jpg.html
2.1s C:\Users\Public\Pictures\Sample Pictures\Desert.jpg.html
2.2s C:\Users\Public\Pictures\Sample Pictures\Hydrangeas.jpg.html
2.2s C:\Users\Public\Pictures\Sample Pictures\Jellyfish.jpg.html
2.2s C:\Users\Public\Pictures\Sample Pictures\Koala.jpg.html
2.2s C:\Users\Public\Pictures\Sample Pictures\Lighthouse.jpg.html
2.2s C:\Users\Public\Pictures\Sample Pictures\Penguins.jpg.html
2.3s C:\Users\Public\Pictures\Sample Pictures\Tulips.jpg.html

Quads

[HackJack]

Spamhaus sample which encrypt files.......