Please merge this post if a topic including this type of ransomware already exists. I have seen this on a couple of customers' computers over the last few days. This ransomware encrypts doc, pdf, jpg, rar, zip, etc., and makes them all html files. Attached is a sample of one of the files.
It directs to the following site:
Uses a UID from the PC as an argument when connecting to the page and displays content only when the UID is given.
I do not have a sample of the dropper yet, I'll post one as soon as I find it.
Here is a screenshot of what the user sees when attempting to open a file:
Code:
Domain ID:D7317677-AFIN
Domain Name:MBLBLOCK.IN
Created On:08-May-2013 17:06:06 UTC
Last Updated On:08-May-2013 17:06:07 UTC
Expiration Date:08-May-2014 17:06:06 UTC
Sponsoring Registrar:Webiq Domains Solutions Pvt. Ltd. (R131-AFIN)
Status:CLIENT TRANSFER PROHIBITED
Status:TRANSFER PROHIBITED
Registrant ID:WIQ_27797905
Registrant Name:Gerald Minhelm
Registrant Organization:N/A
Registrant Street1:176 reroad
Registrant City:Vegas
Registrant State/Province:LA
Registrant Postal Code:15781
Registrant Country:US
Registrant Phone:+1.1005520281
Registrant Email:firstname.lastname@example.org
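The behaviour described in the post (documents replaced by .html stubs that send the victim to a page keyed by a per-machine UID) lends itself to a small triage script for an affected machine. The following is an added example written for this thread, not code from the original post or from any vendor. It assumes two things the post does not state: that a replaced file keeps its original name with ".html" appended (e.g. `invoice.pdf.html`), and that the stub carries its redirect as a meta refresh, an `href`, or a JavaScript `location` assignment. The sample stub content, the `example.invalid` domain and the `PLACEHOLDER-UID` value are constructed for the demo; the script reports whatever domain and query argument it actually finds on a real stub.

```python
import os
import re
from urllib.parse import parse_qs, urlparse

# Extensions the post says were encrypted; every stub ended up as .html.
DOC_EXTS = {".doc", ".docx", ".pdf", ".jpg", ".jpeg", ".rar", ".zip"}

# Absolute URLs in the places a stub page typically puts its redirect:
# href="...", a meta refresh "url=...", or a script "location.href = '...'".
URL_RE = re.compile(
    r"""(?:href\s*=\s*|url\s*=\s*|location(?:\.href)?\s*=\s*)["']?(https?://[^"'\s>]+)""",
    re.IGNORECASE,
)


def looks_like_stub(name):
    """True for names like 'report.pdf.html'.
    ASSUMED naming scheme: original extension kept, '.html' appended."""
    root, ext = os.path.splitext(name)
    if ext.lower() != ".html":
        return False
    return os.path.splitext(root)[1].lower() in DOC_EXTS


def extract_redirects(html):
    """Return a list of (domain, query_params) for every absolute URL the stub
    uses as a redirect target, so the domain and the per-machine UID argument
    can be lifted out as indicators and blocked at the proxy/DNS."""
    found = []
    for url in URL_RE.findall(html):
        parts = urlparse(url)
        params = {k: v[0] for k, v in parse_qs(parts.query).items()}
        found.append((parts.netloc.lower(), params))
    return found


def triage(files):
    """files: iterable of (filename, html_text).
    Returns {filename: [(domain, params), ...]} for each suspicious file.
    A file is reported if its name matches the stub pattern OR its content
    redirects to a URL that carries a query argument (the UID the post describes)."""
    report = {}
    for name, text in files:
        redirects = extract_redirects(text)
        keyed = [r for r in redirects if r[1]]
        if looks_like_stub(name) or keyed:
            report[name] = redirects
    return report


def scan_directory(path):
    """Read every .html file under path and triage it (run on an affected machine)."""
    items = []
    for dirpath, _, names in os.walk(path):
        for n in names:
            if n.lower().endswith(".html"):
                full = os.path.join(dirpath, n)
                with open(full, "r", encoding="utf-8", errors="replace") as fh:
                    items.append((full, fh.read()))
    return triage(items)


# Constructed sample stubs, not real samples; domain and UID are placeholders.
SAMPLE_STUB = (
    '<html><head><meta http-equiv="refresh" '
    'content="0; url=http://example.invalid/pay?uid=PLACEHOLDER-UID"></head>'
    '<body><a href="http://example.invalid/pay?uid=PLACEHOLDER-UID">open</a></body></html>'
)
SAMPLE_BENIGN = "<html><body><a href='http://example.invalid/about'>about</a></body></html>"

if __name__ == "__main__":
    hits = triage([("invoice.pdf.html", SAMPLE_STUB), ("readme.html", SAMPLE_BENIGN)])
    for fname, findings in hits.items():
        print(fname, findings)
```

Run `scan_directory("C:/Users")` (or the affected profile) to get the list of stubs plus the domain and UID they point at; the domain goes into the web filter, and the UID value is worth recording per machine, since the post notes the page only renders when it is supplied.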