Tag Archive for: decryption

MrB Ransomware (.mrB Files) – Analysis & File Decryption – Gridinsoft Blog


MrB ransomware is a new Dharma ransomware sample, discovered on February 21, 2024. It is distinctive for appending a long, compound extension to every encrypted file that ends in “.mrB”. This ransomware primarily attacks small companies and demands a ransom only for decrypting the files, i.e. it does not practice double extortion. Jakub Kroustek was the first to discover and report this sample.

What is mrB Ransomware?

As described in the introduction, mrB is a sample of Dharma ransomware, a malware family active since 2016. It is known for appending a long extension to every file it encrypts, made up of the victim ID, the contact email and the extension itself. The resulting file name looks like this:

Media1.mp3 → Media1.mp3.id-C3B22A85.[mirror-broken@tuta[.]io].mrB
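The naming scheme above is regular enough to parse, which is useful during triage: it confirms the family, recovers the original file names, and groups files by victim ID and contact address. The following helper is an added example written for this page, not Gridinsoft's code or anything from the malware itself. It assumes the layout shown in the example (an 8-character hex victim ID, the contact address in square brackets, then the family extension), accepts both real and defanged addresses such as tuta[.]io, and runs over a constructed file listing rather than real victim data.

```python
"""Parse Dharma/CrySiS-style encrypted file names (e.g. the .mrB variant).

Dharma appends three components to every file it encrypts:
    <original name>.id-<8 hex victim ID>.[<contact email>].<extension>
This helper pulls those components back out so an incident responder can
confirm the family, recover the original file names, and group files by
victim ID and contact address when triaging a share.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, Optional

# Contact addresses are often published defanged ("tuta[.]io"); the pattern
# accepts both forms and normalize_contact() restores the real dot.
_DHARMA_NAME = re.compile(
    r"^(?P<original>.+?)"                  # original file name, shortest match
    r"\.id-(?P<victim_id>[0-9A-Fa-f]{8})"  # per-victim identifier (8 hex, assumed)
    r"\.\[(?P<contact>[^\s\]]+(?:\[\.\][^\s\]]+)*)\]"  # [email], maybe defanged
    r"\.(?P<ext>[A-Za-z0-9]{1,16})$"       # family-specific extension, e.g. mrB
)


@dataclass(frozen=True)
class DharmaName:
    original: str
    victim_id: str
    contact: str
    ext: str


def normalize_contact(contact: str) -> str:
    """Turn a defanged address such as 'x@tuta[.]io' back into 'x@tuta.io'."""
    return contact.replace("[.]", ".")


def parse_dharma_name(name: str) -> Optional[DharmaName]:
    """Return the parsed components, or None if the name is not Dharma-style."""
    m = _DHARMA_NAME.match(name)
    if not m:
        return None
    contact = normalize_contact(m.group("contact"))
    if "@" not in contact:  # the bracketed field must be a contact address
        return None
    return DharmaName(
        original=m.group("original"),
        victim_id=m.group("victim_id").upper(),
        contact=contact,
        ext=m.group("ext"),
    )


def summarize(names: Iterable[str]) -> dict:
    """Count encrypted files per (victim ID, contact, extension) triple.

    Several distinct triples on one host usually means more than one run
    or more than one affiliate touched it; that changes the recovery plan.
    """
    counts = Counter()
    for n in names:
        parsed = parse_dharma_name(n)
        if parsed:
            counts[(parsed.victim_id, parsed.contact, parsed.ext)] += 1
    return dict(counts)


# Constructed sample listing (not real victim data): the page's own example,
# a defanged copy of it, a second document from the same run, and two
# untouched files, one of which contains ".id-" to show the parser is not
# fooled by the substring alone.
SAMPLE_NAMES = [
    "Media1.mp3.id-C3B22A85.[mirror-broken@tuta.io].mrB",
    "Media1.mp3.id-C3B22A85.[mirror-broken@tuta[.]io].mrB",
    "Q1-report.docx.id-C3B22A85.[mirror-broken@tuta.io].mrB",
    "notes.txt",
    "backup.id-old.zip",
]

if __name__ == "__main__":
    for n in SAMPLE_NAMES:
        print(n, "->", parse_dharma_name(n))
    print(summarize(SAMPLE_NAMES))
```

Run it over the output of a directory walk on an affected share; a single (victim ID, contact, extension) triple across all files is the normal picture for one Dharma run, and the recovered original names tell you exactly which files a backup restore needs to cover.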

Files encrypted by mrB ransomware

MrB ransomware encrypts a wide range of file formats, from images and documents to the data files of specific software suites. After finishing the encryption, it opens a pop-up ransom note in the form of an HTA file and also drops a readme text file in every folder that contains encrypted files. Below, you can see the contents of both ransom notes.

MrB ransomware note

Contents of the readme text file:


Your data has been stolen and encrypted!

email us

mirror-broken@tuta[.]io

How to Recover Encrypted Files?

Unfortunately, there are no recovery options available for mrB ransomware. Flaws in early Dharma samples made it possible to build a decryptor, but those flaws have since been fixed, so the tool is not effective against current samples. Options you can find online, like “professional hackers” or file recovery services, will at best act as an intermediary between you and the attackers. At worst, they will take your money and disappear.

The most effective option for file recovery is a decryptor tool dedicated to the specific ransomware family. Those are usually released when a vulnerability in the encryption mechanism is found, or when the ransomware servers are seized and the keys recovered. It may sound unlikely, but 4 such decryptors were released in the first months of 2024. Be patient, do not lose hope, and you may yet get your files back.

File recovery options

For now, your best…

Source…

Dutch Police obtain 155 decryption keys for Deadbolt ransomware victims


Police in the Netherlands said they were able to trick the group behind the Deadbolt ransomware into handing over the decryption keys for 155 victims during a police operation announced last week.

In a statement, the Dutch National Police said on Friday that they conducted a targeted operation where they effectively paid a ransom in Bitcoin, received the decryption keys and then were able to withdraw the payment before it fully went through.

Since January, thousands of customers using Taiwanese hardware maker QNAP’s network-attached storage (NAS) devices have reported being attacked by the Deadbolt ransomware group, which demands a ransom of 0.03 Bitcoin (about $600) for the decryption key.

After the initial attacks affected about 3,600 devices in January, the group continued to resurface with campaigns in March, May, June and September this year. They also expanded their attacks to include NAS devices from Asustor.

Message boards around the world have been flooded with customers lamenting the loss of files that included family photo albums, wedding videos and more. Dozens of users took to Reddit to complain that they were among those attacked in the latest campaign.

On Friday, the Dutch National Police said the group has encrypted more than 20,000 QNAP and Asustor devices since the campaign began, including more than 1,000 victims in the Netherlands. 

The idea for the operation started with Dutch cybersecurity company Responders.NU, which figured out the ransom payment trick and worked on the operation with the Dutch National Police, the Public Prosecution Service, Europol, the French National Police and the French Gendarmerie.

“We assist many victims of ransomware and saw an opportunity to obtain decryption keys,” said Responders.NU cybersecurity expert Rickey Gevers. “We shared that with the cybercrime team of the police…

Source…

Dutch Police Tricked Deadbolt Ransomware Gang Into Sharing Decryption Keys


In a novel sting operation, Dutch law enforcement officials tricked the Deadbolt ransomware gang into handing over decryption keys, giving victims a way to unlock their encrypted files for free instead of paying a ransom.

The Dutch Police are probably one of the most active and committed agencies when it comes to taking down cybercriminals and cybercrime. In 2017, the agency was behind the takedown of two of the largest dark web marketplaces, AlphaBay and Hansa.

How Dutch Police Tricked Notorious Ransomware Gang

The Dutch National Police collaborated with the cybersecurity firm Responders.NU and successfully obtained 150 decryption keys from the Deadbolt ransomware group.

The police said they could unlock the devices of all Dutch victims who had filed complaints. With the decryption keys available, victims could recover encrypted servers and files, including photos and administrative records, without giving in to the Deadbolt extortionists' ransom demands.

According to police officials, they effectively stole the decryption keys from the criminal group. The department's cybercrime teams transferred bitcoin to the extortionists as ransom payments, but as soon as the gang handed over the decryption keys, they withdrew the funds before the payments were final.

The police then aided Deadbolt victims in the Netherlands by providing them with their decryption keys, and also helped international victims. Authorities called it a ‘nasty blow’ to the cybercriminals, making it clear that they cannot hide from international law enforcement agencies.

Details of Deadbolt Attacks

In a press release, the police confirmed that Deadbolt ransomware attacks mainly focused on NAS (network-attached storage). The gang had encrypted over 20,000 QNAP and Asustor devices, and the victims were spread worldwide. Around a thousand of its victims were located in the Netherlands.


Source…

Hive ransomware decryption key released as gang changes tactics


A decryption tool for malware deployed by the ransomware gang Hive has been released in response to an uptick in activity from the gang in the past three months. Hive has also switched to a more complex programming language, Rust, whose binaries are harder to reverse engineer, making the tool even more valuable.

Hive ransomware has been active in the healthcare sector. (Photo by Anadolu Agency/iStock)

The decryption tool for version five of Hive’s malware has been released by a malware analyst and reverse engineer known publicly as reecDeep. The tool can be found on GitHub and was created to try to quell the recent mounting attacks by the gang.

Hive has been ramping up activity in recent months, particularly targeting healthcare organisations. In May, the gang was named by the US Department of Health and Human Services as one of the top-five cybercrime gangs that attacked healthcare services in Q1 2022, with Hive taking credit for 11% of attacks.

Speaking to Tech Monitor, ‘reecDeep’ said the nature of Hive’s attacks meant they felt inspired to build the key and make it publicly available. “Dozens of companies stop doing business because of gangs of criminals. Hospitals are affected by disruption and are unable to provide care to their patients,” they said.

Hive was first spotted in June last year, and in 2021 the gang attacked more than 350 companies, mainly in the health and financial sectors, according to a report by security company Group-IB.

Allan Liska, computer security incident response team head at security company Recorded Future, said the gang has been even busier this year. “Since May of 2022 Hive has accounted for 6.8% of all postings to extortion sites, which has them tied for second-most active group with BlackCat, which is definitely a notable jump,” Liska says.


The gang has also recently updated its coding language to Rust, which is much harder to reverse engineer. “The malware used by Hive being written in the Rust…

Source…