�� esetnod32.ru [��: �� __AiraCropEncrypted!]

�� __AiraCropEncrypted!

Mon, 19 Dec 2016 19:46:40 +0300

�� __AiraCropEncrypted! NMoreira � �� .
�� F.Wosar:
Just to add a couple of information:

There are three variants out there of the AiraCrop crap. The very first variant is supported by the decrypter currently. The author updated the ransomware shortly after, but his update was insufficient. I haven't updated the decrypter yet, but I will before Christmas. However, the third update fixes the problem of the second variant entirely by moving to a proper and secure mechanism to generate the encryption keys. This secure variant popped up for the first time around December the 8th. So if you were hit before that date, chances are I will be able to help you. In all other cases, without the private keys associated with the campaign, I, unfortunately, won't be able to help you.
-----------
https://www.bleepingcomputer.com/forums/t/629457/airacrop-nmoreira-ransomware-support-topic-airacropencrypted-maktub/page-6#entry4143253
19.12.2016 19:46:40, santy.

�� __AiraCropEncrypted!

Mon, 19 Dec 2016 04:55:17 +0300

�� __AiraCropEncrypted! NMoreira � �� .
�� AiraCropEncrypted! �� Emsisoft
Emsisoft Decrypter for NMoreira
https://decrypter.emsisoft.com/nmoreira
19.12.2016 04:55:17, santy.

�� __AiraCropEncrypted!

Mon, 31 Oct 2016 05:22:53 +0300

�� __AiraCropEncrypted! NMoreira � �� .

====quote====
POUL UILIAMSON ��:
� �� QQ123.EXE ?
=============
�� , �� ,
�� safety@chklst.ru � �� infected - ��

�� ,
https://www.virustotal.com/ru/file/3ff1f63dcc7e87a837304e1e5d75fb84717b2adefa45c89b130dbc705f0492b4/analysis/
�.� �� .
31.10.2016 05:22:53, santy.

�� __AiraCropEncrypted!

Mon, 31 Oct 2016 01:58:36 +0300

�� __AiraCropEncrypted! NMoreira � �� .
� �� QQ123.EXE ?
31.10.2016 01:58:36, POUL UILIAMSON.

�� __AiraCropEncrypted!

Sun, 30 Oct 2016 17:59:10 +0300

�� __AiraCropEncrypted! NMoreira � �� .
�� (� ��) ��, �� .
exe, com, cmd, js, vbs, bat
30.10.2016 17:59:10, santy.

�� __AiraCropEncrypted!

Sun, 30 Oct 2016 17:36:03 +0300

�� __AiraCropEncrypted! NMoreira � �� .
�� ?
30.10.2016 17:36:03, POUL UILIAMSON.

�� __AiraCropEncrypted!

Sun, 30 Oct 2016 15:00:51 +0300

�� __AiraCropEncrypted! NMoreira � �� .
�� , �� R-studio, getdataback
30.10.2016 15:00:51, santy.

�� __AiraCropEncrypted!

Sun, 30 Oct 2016 10:47:46 +0300

�� __AiraCropEncrypted! NMoreira � �� .
�� ?
30.10.2016 10:47:46, POUL UILIAMSON.

�� __AiraCropEncrypted!

Sat, 29 Oct 2016 08:31:34 +0300

�� __AiraCropEncrypted! NMoreira � �� .
��, �� .
�� , �� .
�� .
29.10.2016 08:31:34, santy.

�� __AiraCropEncrypted!

Fri, 28 Oct 2016 20:57:40 +0300

�� __AiraCropEncrypted! NMoreira � �� .
� �� ?
28.10.2016 20:57:40, POUL UILIAMSON.

�� __AiraCropEncrypted!

Fri, 28 Oct 2016 14:53:43 +0300

�� __AiraCropEncrypted! NMoreira � �� .
�� , �� .
�� .

��
http://id-ransomware.blogspot.ru/2016/10/airacrop-ransomware.html

�� uVS:
- �� ;
- �� uVS(start.exe), �� : �� , �� - �� - �� ;
- �� ;
�� - �� _�� "��"
====code====


;uVS v3.87.7 [http://dsrt.dyndns.org]
;Target OS: NTv6.1
OFFSGNSAVE
ZOO %SystemRoot%\FONTS\QQ123.EXE
delall %SystemRoot%\FONTS\QQ123.EXE
deltmp
delnfr
restart

=============
��, �� .
------------
28.10.2016 14:53:43, santy.

�� __AiraCropEncrypted!

Fri, 28 Oct 2016 13:23:16 +0300

�� __AiraCropEncrypted! NMoreira � �� .
�� :
�� ?
�� - �� .
https://malwr.com/analysis/N2VjMjFhYjkwODRkNDJhNmEyNjljYWZiODU5YzAyZjI/
https://www.herdprotect.com/qq123.exe-51c06e49e1c8ee61f93e8a2d27f5369612309c60.aspx

====quote====
�� C:\WINDOWS\FONTS\QQ123.EXE
�� QQ123.EXE
��. �� ?��? ��

��
�� debug [�� 64(64), ��. �� 8, �� 64]

www.virustotal.com 2016-10-27
- �� .

��
IMAGE FILE EXECUTION.EXE (�� ~ \IMAGE FILE EXECUTION OPTIONS\)(1) OR (�� ~ .EXE\DEBUGGER)(1) [auto (0)]

��
��
File_Id 4FD34D7533000
Linker 9.0
�� 99064 ��
�� 14.10.2016 � 11:55:55
�� 08.05.2013 � 02:29:38
��

TimeStamp 09.06.2012 � 13:19:49
EntryPoint +
OS Version 5.0
Subsystem Windows graphical user interface (GUI) subsystem
IMAGE_FILE_DLL -
IMAGE_FILE_EXECUTABLE_IMAGE +
�� WINRAR.SFX
�� 32-� ��
��. ��

��
�� (��)
�� "��" �� "��" [�� ]
��

��. ��
SHA1 51C06E49E1C8EE61F93E8A2D27F5369612309C60
MD5 C4D0C458DCE6B802EA946A857FA2EA12

��
�� HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe\Debugger

�� HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe\Debugger
=============

28.10.2016 13:23:16, santy.

�� __AiraCropEncrypted!

Fri, 28 Oct 2016 12:57:25 +0300

�� __AiraCropEncrypted! NMoreira � �� .
�� http://rgho.st/6PqwLx9Gt
�� !
� �� ! �� !
28.10.2016 12:57:25, POUL UILIAMSON.

�� __AiraCropEncrypted!

Wed, 26 Oct 2016 05:04:16 +0300

�� __AiraCropEncrypted! NMoreira � �� .
@POUL UILIAMSON,
�� ? �� .
+
�� .
26.10.2016 05:04:16, santy.

�� __AiraCropEncrypted!

Wed, 26 Oct 2016 00:20:13 +0300

�� __AiraCropEncrypted! NMoreira � �� .
��-�� .
26.10.2016 00:20:13, mike 1.

�� __AiraCropEncrypted!

Tue, 25 Oct 2016 20:16:16 +0300

�� __AiraCropEncrypted! NMoreira � �� .
�� :
�� ".__AiraCropEncrypted!" �� How to decrypt your files � ��
Encrypted Files!

All your files are encrypted. Using encryption AES256-bit and RSA-2048-bit.

Making it impossible to recover the files without the correct private key.

If you are interested in getting is key, and retrieve your files

visit one of the link and enter your key;

https://6kaqkavhpu5dln6x.onion.to/

https://6kaqkavhpu5dln6x.onion.link/

https://mvy3kbqc4adhosdy.onion.to/

https://mvy3kbqc4adhosdy.onion.link/

Alternative link:

http://6kaqkavhpu5dln6x.onion

http://mvy3kbqc4adhosdy.onion

To access the alternate link is mandatory to use the TOR browser available on the link

https://www.torproject.org/download/download

Key:

D0809D7FF155EDB518345504C73B507C7A57E23B60D17DEE9F54C27D7143B3B7

��

https://cloud.mail.ru/public/HcgU/439QmUCYR

https://cloud.mail.ru/public/Mhhg/2iTRvVgVt
25.10.2016 20:16:16, POUL UILIAMSON.

����� esetnod32.ru [����: ����� ����������� � ����������� __AiraCropEncrypted!]

����� ����������� � ����������� __AiraCropEncrypted!

����� ����������� � ����������� __AiraCropEncrypted!

����� ����������� � ����������� __AiraCropEncrypted!

����� ����������� � ����������� __AiraCropEncrypted!

����� ����������� � ����������� __AiraCropEncrypted!

����� ����������� � ����������� __AiraCropEncrypted!

����� ����������� � ����������� __AiraCropEncrypted!

����� ����������� � ����������� __AiraCropEncrypted!

����� ����������� � ����������� __AiraCropEncrypted!

����� ����������� � ����������� __AiraCropEncrypted!

����� ����������� � ����������� __AiraCropEncrypted!

����� ����������� � ����������� __AiraCropEncrypted!

����� ����������� � ����������� __AiraCropEncrypted!

����� ����������� � ����������� __AiraCropEncrypted!

����� ����������� � ����������� __AiraCropEncrypted!

����� ����������� � ����������� __AiraCropEncrypted!

�� esetnod32.ru [��: �� __AiraCropEncrypted!]

�� __AiraCropEncrypted!

�� __AiraCropEncrypted!

�� __AiraCropEncrypted!

�� __AiraCropEncrypted!

�� __AiraCropEncrypted!

�� __AiraCropEncrypted!

�� __AiraCropEncrypted!

�� __AiraCropEncrypted!

�� __AiraCropEncrypted!

�� __AiraCropEncrypted!

�� __AiraCropEncrypted!

�� __AiraCropEncrypted!

�� __AiraCropEncrypted!

�� __AiraCropEncrypted!

�� __AiraCropEncrypted!

�� __AiraCropEncrypted!