Changes in Your Booking Nr:88297
Am Montag, den 04. April 2016 wurde durch unbekannte Dritte die folgende E-Mail in englischer Sprache versendet:
There has been some important change in your booking Nr:88297. Please review the confirmation below.
In der E-Mail mit dem Betreff „Changes in Your Booking Nr:88297“ von Romany Ives ist ein ZIP-Archiv wie z. B. (Benutzername)_copy_863808.zip beigefügt. Dieses enthält ein JavaScript.
Das JavaScript lädt von einem Server den Verschlüsselungs- und Erpressungstrojaner TeslaCrypt nach. Virustotal zeigt für die nachgeladene Datei eine Erkennungsrate von 16/56.
Nach der Verschlüsselung wird die typische Meldung angezeigt:
PNG
HTML
Text
#=%<1″%+;/ :/:.“4;9-!=“;, :=9*!
#=%<1″%+;/ :/:.“4;9-!=“;, :=9*!
#=%<1″%+;/ :/:.“4;9-!=“;, :=9*!
#=%<1″%+;/ :/:.“4;9-!=“;, :=9*!NOT YOUR LANGUAGE? USE https://translate.google.com
What’s the matter with your files?
Your data was secured using a strong encryption with RSA4096.
Use the link down below to find additional information on the encryption keys using RSA-4096 https://en.wikipedia.org/wiki/RSA_(cryptosystem)What exactly that means?
#=%<1″%+;/ :/:.“4;9-!=“;, :=9*!
#=%<1″%+;/ :/:.“4;9-!=“;, :=9*!It means that on a structural level your files have been transformed . You won’t be able to use , read , see or work with them anymore .
In other words they are useless , however , there is a possibility to restore them with our help .What exactly happened to your files ???
*** Two personal RSA-4096 keys were generated for your PC/Laptop; one key is public, another key is private.
*** All your data and files were encrypted by the means of the public key , which you received over the web .
*** In order to decrypt your data and gain access to your computer you need a private key and a decryption software, which can be found on one of our secret servers.#=%<1″%+;/ :/:.“4;9-!=“;, :=9*!
#=%<1″%+;/ :/:.“4;9-!=“;, :=9*!What should you do next ?
There are several options for you to consider :
*** You can wait for a while until the price of a private key will raise, so you will have to pay twice as much to access your files or
*** You can start getting BitCoins right now and get access to your data quite fast .
In case you have valuable files , we advise you to act fast as there is no other option rather
than paying in order to get back your data.In order to obtain specific instructions , please access your personal homepage by choosing one of the few addresses down below :
http:// h3ds4.maconslab[.]com/***
http:// aq3ef.goimocoa[.]at/***
http:// fl43s.toabolt[.]at/***If you can’t access your personal homepage or the addresses are not working, complete the following steps:
*** Download TOR Browser – http://www.torproject.org/projects/torbrowser.html.en
*** Install TOR Browser and open TOR Browser
*** Insert the following link in the address bar: xzjvzkgjxebzreap.onion/***#=%<1″%+;/ :/:.“4;9-!=“;, :=9*!
#=%<1″%+;/ :/:.“4;9-!=“;, :=9*!
#=%<1″%+;/ :/:.“4;9-!=“;, :=9*!***************IMPORTANT*****************INFORMATION********************
Your personal homepages
http:// h3ds4.maconslab[.]com/***
http:// aq3ef.goimocoa[.]at/***
http:// fl43s.toabolt[.]at/***Your personal homepage Tor-Browser xzjvzkgjxebzreap.onion/***
Your personal ID ***#=%<1″%+;/ :/:.“4;9-!=“;, :=9*!
#=%<1″%+;/ :/:.“4;9-!=“;, :=9*!
#=%<1″%+;/ :/:.“4;9-!=“;, :=9*!
Die verlinkte Internetseite zeigt eine Geldforderung über 1,3 BitCoin bzw. etwa 500 US-Dollar:
