Blocked Transaction. Case No 38774290

On Sunday, 13 March 2016, unknown third parties sent the following e-mail in English:

[Image: 20160313_blocked_transaction]

The Automated Clearing House transaction (ID: 38774290), recently initiated from your online banking account, was rejected by the other financial institution.

Canceled ACH transaction
ACH file Case ID: 22913
Transaction Amount: 790,52 USD
Sender e-mail: [email protected]
Reason of Termination: See attached statement

 

 

Varying numbers are used in the subject line, for example:

  • Blocked Transaction. Case No 38774290
  • Blocked Transaction. Case No 59144960
  • Blocked Transaction. Case No 46836316
  • Blocked Transaction. Case No 24386722
  • Blocked Transaction. Case No 00912905
  • Blocked Transaction. Case No 06338247
  • Blocked Transaction. Case No 05641980
  • Blocked Transaction. Case No 21116457
  • Blocked Transaction. Case No 59958070
  • Blocked Transaction. Case No 94722401

 

The sender also varies. Names that occur include, for example:

  • Jay tateham
  • Candace gown
  • Kendrick clements
  • Carolyn kinlay
  • Melva swidenbak
  • Jocelyn tweddell
  • Laura winster
  • Phyllis hammond
  • Mona petersen
  • Sue summerfield

 

The e-mail contains a .zip file with names such as:

  • details_38774290.zip
  • confirm_59144960.zip
  • warning_46836316.zip
  • incorrect_operation_94722401.zip
  • statistic_59958070.zip
  • warning_21116457.zip
  • details_05641980.zip
  • problem_06338247.zip
  • document_00912905.zip
  • details_24386722.zip

 

The archive contains .js files with names such as:

  • mail_zjbcam.js
  • Post_Tracking_Label_id00-813569462#.js
  • Post_Parcel_Confirmation_id00-640354350#.js
  • Post_Shipment_Confirmation_id00-654476813#.js
  • Post_Shipment_Case_id00-589375752#.js
  • Post_Tracking_Label_id00-016862374#.js
  • Post_Parcel_Case_id00-363392431#.js
  • Post_Parcel_Case_id00-253469525#.js
  • Post_Shipment_Label_id00-688819642#.js
  • Post_Tracking_Case_id00-070273948#.js
  • Post_Tracking_Case_id00-988932985#.js
  • Post_Tracking_Confirmation_id00-652199896#.js
  • Post_Tracking_Label_id00-380016533#.js
  • Post_Parcel_Label_id00-121193371#.js
  • Post_Parcel_Confirmation_id00-735853540#.js
  • Post_Tracking_Confirmation_id00-513195764#.js
  • Post_Parcel_Label_id00-916030516#.js
  • Post_Shipment_Case_id00-722040128#.js
  • Post_Tracking_Case_id00-501070307#.js
  • Post_Tracking_Confirmation_id00-789516949#.js
  • Post_Shipment_Label_id00-485357140#.js
  • Post_Parcel_Confirmation_id00-700941596#.js
  • Post_Tracking_Case_id00-550299319#.js
  • Post_Shipment_Confirmation_id00-734223363#.js
  • Post_Parcel_Case_id00-085046146#.js
  • Post_Shipment_Label_id00-436290447#.js
  • Post_Tracking_Label_id00-993809340#.js
  • Post_Parcel_Label_id00-611695718#.js
  • Post_Tracking_Label_id00-503290854#.js
  • Post_Tracking_Confirmation_id00-650707336#.js
  • Post_Tracking_Confirmation_id00-936933078#.js
  • Post_Parcel_Label_id00-997820706#.js
  • Post_Tracking_Confirmation_id00-826779258#.js
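
A mail-gateway check built on the traits listed above (subject pattern, .zip name repeating the case number from the subject, script file inside the archive), as an added example that is not part of the original post. The function names, the reason labels and the script extensions other than .js are assumptions of this example, and the sample message is constructed.

```python
import io
import re
import zipfile
from email.message import EmailMessage

# Patterns taken from the subjects and attachment names listed above.
SUBJECT_RE = re.compile(r"^Blocked Transaction\. Case No (\d{8})$")
ZIP_RE = re.compile(r"^[a-z_]+_(\d{8})\.zip$")
# .js is what the page reports; the other extensions are an added assumption.
SCRIPT_EXT = (".js", ".jse", ".wsf", ".vbs")


def score_message(msg):
    """Return the campaign traits found in an EmailMessage, in check order."""
    reasons = []
    m = SUBJECT_RE.match(str(msg.get("Subject", "")).strip())
    case_no = m.group(1) if m else None
    if case_no:
        reasons.append("subject-pattern")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if not name.endswith(".zip"):
            continue
        z = ZIP_RE.match(name)
        if z and z.group(1) == case_no:
            reasons.append("zip-name-repeats-case-number")
        try:
            # Only the archive directory is read; nothing is extracted or run.
            with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True))) as zf:
                members = zf.namelist()
        except zipfile.BadZipFile:
            reasons.append("unreadable-zip")
            continue
        if any(n.lower().endswith(SCRIPT_EXT) for n in members):
            reasons.append("script-inside-zip")
    return reasons


def build_sample(subject, zip_name, member_name):
    """Constructed test message; the archive member holds harmless text."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, "// placeholder text, not a real script\n")
    msg = EmailMessage()
    msg["Subject"] = subject
    msg["From"] = "sender@example.invalid"
    msg.set_content("See attached statement")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename=zip_name)
    return msg
```

A message that shows all three traits is a strong quarantine candidate; a script inside a .zip attachment is worth holding on its own, since the subject and archive names vary from mail to mail.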

 

These file names also appeared on the same day in the e-mail “Debt #88663 , Customer Case Nr.: 715” from “Finance Department”. This is likewise the encryption and extortion trojan TeslaCrypt, which is loaded from the same domains:

ohelloguyff.com

ohelloguyzzqq.com

ohelloguyqq.com

 

It drops itself as a file named, for example, delegateCount.scr, location.scr, not.scr, pipe.scr, propFix.scr, thead.scr or wrapInner.scr. After execution, a corresponding message is displayed:

PNG image:

[Image: 20160313_blocked_jpg]

HTML page:

[Image: 20160313_blocked_html]

Text file:

NOT YOUR LANGUAGE? USE https://translate.google.com

What happened to your files ?
All of your files were protected by a strong encryption with RSA4096
More information about the encryption keys using RSA4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)

How did this happen ?
!!! Specially for your PC was generated personal RSA4096 Key , both public and private.
!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.
!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server

What do I do ?
So , there are two ways you can choose: wait for a miracle and get your price doubled , or start obtaining BITCOIN NOW !!!!! , and restore your data easy way
If You have really valuable data, you better not waste your time, because there is no other way to get your files , except make a payment

For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below
* http:// t54ndnku456ngkwsudqer.wallymac[.]com/***
* http:// po4dbsjbneljhrlbvaueqrgveatv.bonmawp[.]at/***
* http:// hrfgd74nfksjdcnnklnwefvdsf.materdunst[.]com/***
If for some reasons the addresses are not available, follow these steps
* Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en
* After a successful installation, run the browser
* Type in the address bar: xlowfznrg4wf7dli.onion/***
* Follow the instructions on the site

IMPORTANT INFORMATION
Your personal pages
http:// t54ndnku456ngkwsudqer.wallymac[.]com/***
http:// po4dbsjbneljhrlbvaueqrgveatv.bonmawp[.]at/***
http:// hrfgd74nfksjdcnnklnwefvdsf.materdunst[.]com/***

 

The link can be opened in English as well as in German:

[Image: 20160313_blocked_en]

[Image: 20160313_blocked_de]

 

The perpetrators demand 500 USD:

[Image: 20160313_blocked_500bitcoin]
