Your account ID:88027 has been suspended.

On Monday, 21 March 2016, unknown third parties sent the following e-mail in English:

Your bank account associated with the ID:88027 has been suspended because of the unusual activity connected to this account and a failure of the account holder to pay the taxes on a due date.

Your debt: – 528,33 USD

For more details and the information on how to unlock your account please refer to the document attached.

The e-mails cite different IDs and different amounts. Various sender names are also used, for example:

  • Billie anderson
  • Darcy dryden
  • Emilia aikman
  • Fannie bracegirdle
  • Jacqueline neale
  • Jerold Iovett
  • Juana ryder
  • Lydia thimbleby
  • Lavonne scrivens
  • Lucile supierz
  • Margaret brannon
  • Regina brunton
  • Shannon hatchard
  • Shawna watters
  • Sybil worsham
  • Trinidad sherard
  • Waldo turney

Depending on the e-mail address used, the e-mail may even contain a notice about a supposed virus scan:

Your bank account associated with the ID:29395 has been suspended because of the unusual activity connected to this account and a failure of the account holder to pay the taxes on a due date.

Your debt: – 439,40 USD

For more details and the information on how to unlock your account please refer to the document attached.

——————————————————————————–
Este mensaje no contiene virus ni malware porque la protección de avast! Antivirus está activa.

The e-mail has .zip files attached, named for example:

  • access_77621298.zip
  • confirm_73053593.zip
  • doc_details_840545782.zip
  • document_17876039.zip
  • letter_27053081.zip
  • operation_32818614.zip
  • problem_48101868.zip
  • readme_45860370.zip
  • scan_80609828.zip
  • statistic_26858588.zip
  • warning_91358443.zip
  • warning_letter_61404346.zip
  • watch_it_00645386.zip

The .zip file contains .js files:

  • post_GGiyEg.js
  • mail_onTIqs.js
  • letter_CaTIkS.js
  • check_boyaUM.js
  • doc_irJpqZ.js

The JavaScript downloads the encryption and extortion trojan TeslaCrypt, in its new version 4.0, from various domains. Whereas version 3.0 still renamed all files to .mp3, TeslaCrypt 4.0 leaves the file names unchanged.

VirusTotal shows a detection rate of 5/56 for the .exe file.
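The delivery structure described above (a .zip attachment whose only purpose is to carry a .js file) can be checked at the mail gateway without relying on antivirus signatures. The following is an added example, not part of the original post: the name patterns are generalised from the sample names listed on this page, and the function names and the list of script extensions are assumptions.

```python
import io
import re
import zipfile

# Script types Windows runs on double-click (assumed list for this example;
# the campaign on this page used .js).
SCRIPT_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta"}
# Patterns generalised from the sample names listed above (assumption):
# word(s) + 8-9 digits for the archive, word + 6 letters for the script.
ARCHIVE_RE = re.compile(r"^[a-z]+(?:_[a-z]+)*_\d{8,9}\.zip$")
SCRIPT_RE = re.compile(r"^[a-z]+_[A-Za-z]{6}\.js$")

def inspect_attachment(filename, data):
    """Return a list of reasons to quarantine this attachment (empty = none)."""
    reasons = []
    if ARCHIVE_RE.match(filename):
        reasons.append("archive name matches campaign pattern")
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return reasons
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():  # lists members without extracting them
                base = info.filename.rsplit("/", 1)[-1]
                ext = "." + base.rsplit(".", 1)[-1].lower() if "." in base else ""
                if ext in SCRIPT_EXTS:
                    reasons.append(f"script inside archive: {base}")
                    if SCRIPT_RE.match(base):
                        reasons.append(f"script name matches campaign pattern: {base}")
    except zipfile.BadZipFile:
        reasons.append("corrupt archive")
    return reasons

def make_zip(members):
    """Build a ZIP in memory from {name: bytes}; used for the constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in members.items():
            zf.writestr(name, body)
    return buf.getvalue()

if __name__ == "__main__":
    # Constructed samples with harmless placeholder content.
    bad = make_zip({"post_GGiyEg.js": b"// placeholder"})
    good = make_zip({"report.pdf": b"%PDF-placeholder"})
    print(inspect_attachment("warning_letter_61404346.zip", bad))
    print(inspect_attachment("invoice.zip", good))
```

The generic rule (any script file inside an archive) is the durable one; the name patterns only help to attribute a hit to this particular campaign.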

 

After the files have been encrypted, the typical message is displayed:

 

NOT YOUR LANGUAGE? USE https://translate.google.com

What’s the matter with your files?

Your data was secured using a strong encryption with RSA4096.
Use the link down below to find additional information on the encryption keys using RSA4096:https://en.wikipedia.org/wiki/RSA_(cryptosystem)

What exactly that means?

It means that on a structural level your files have been transformed. You won’t be able to use, read, see or work with them anymore.
In other words they are useless, however, there is a possibility to restore them with our help.

What exactly happened to your files?

*** Two personal RSA4096 keys were generated for your PC/Laptop; one key is public, another key is private.
*** All your data and files were encrypted by the means of the public key, which you received over the web.
*** In order to decrypt your data and gain access to your computer you need a private key and a decryption software, which can be found on one of our secret servers.

What should you do next?

There are several options for you to consider:
1. You can wait for a while until the price of a private key will raise, so you will have to pay twice as much to access your files or
2. You can start getting BitCoins right now and get access to your data quite fast.
In case you have valuable files, we advise you to act fast as there is no other option rather than paying in order to get back your data.

In order to obtain specific instructions, please access your personal homepage by choosing one of the few addresses down below:
http:// vewrb.italisumo[.]at/***
http:// gwbak.nickymaru[.]com/***
http:// irudhkunrlfu25fhkaqw34blr5qlby4tgq43t.orrisbirth[.]com/***

If you can’t access your personal homepage or the addresses are not working, complete the following steps:
1 Download TOR Browser – http://www.torproject.org/projects/torbrowser.html.en
2 Install TOR Browser
3 Open TOR Browser
4 Insert the following link in the address bar: k7tlx3ghr3m4n2tu.onion/***
5 Follow the instructions on your screen

IMPORTANT INFORMATION

Your personal homepages:
http:// vewrb.italisumo[.]at/***
http:// gwbak.nickymaru[.]com/***
http:// irudhkunrlfu25fhkaqw34blr5qlby4tgq43t.orrisbirth[.]com/***

Your personal page Tor-Browser k7tlx3ghr3m4n2tu.onion/***
Your personal identification ID: ***

The linked website shows the following ransom demand:

[Screenshot: 20160321_your_account_web]
