CORE Ransomware
The CORE Ransomware uses a combination of the AES-128 and RSA-2048 cryptographic algorithms to encrypt the most commonly used file types and demands a payment from the affected users for the decryption. The encryption used by this ransomware is strong enough to be uncrackable virtually unless a major flaw or bug is discovered in its implementation or in the ransomware itself. It should be noted that the CORE Ransomware is classified by cybersecurity researches as part of the Matrix family of ransomware threats.
Victims of the CORE Ransomware will notice that their files have become inaccessible suddenly and their names have been changed substantially. The malware employs a lengthy naming pattern for each successfully encrypted file. First, it appends BatHelp@protonmail.com, one of the emails provided by the criminals, followed by a unique ID string of the victim, and finally, '.CORE' as a new extension. The ransom note is dropped in every folder with encrypted files in the form of a file named '#CORE_README#.rtf.'
The hackers leave some peculiar instructions for their victims. They demand that an email is sent to all three of the provided email address - BatHelp@protonmail.com, BatHelp@tutanota.com and BatHelp@india.com. If the affected users do not receive a response within 24 hours, they are expected to use Bitmesseges as an alternative way of communication. The hackers threaten that after seven days have gone without payment, they will delete the decryption key from their server, which will prevent the locked files from being decrypted.
The full text of the CORE Ransomware note is:
'HOW TO RECOVER YOUR FILES INSTRUCTION
ATENTION!!!
We are realy sorry to inform you that ALL YOUR FILES WERE ENCRYPTED
by our automatic software. It became possible because of bad server security.
ATENTION!!!
Please don't worry, we can help you to RESTORE your server to original
state and decrypt all your files quickly and safely!
INFORMATION!!!
Files are not broken!!!
Files were encrypted with AES-128+RSA-2048 crypto algorithms.
There is no way to decrypt your files without unique decryption key and special software. Your unique decryption key is securely stored on our server. For our safety, all information about your server and your decryption key will be automaticaly DELETED AFTER 7 DAYS! You will irrevocably lose all your data!
* Please note that all the attempts to recover your files by yourself or using third party tools will result only in irrevocable loss of your data!
* Please note that you can recover files only with your unique decryption key, which stored on our side. If you will use the help of third parties, you will only add a middleman.
HOW TO RECOVER FILES???
Please write us to the email (write on English or use professional translator):
BatHelp@protonmail.com
BatHelp@tutanota.com
BatHelp@india.com
You have to send your message on each of our 3 emails due to the fact that the message may not reach their intended recipient for a variety of reasons!
In subject line write your personal ID:
We recommed you to attach 3 encrypted files to your message. We will demonstrate that we can recover your files.
* Please note that files must not contain any valuable information and their total size must be less than 5Mb.
OUR ADVICE!!!
Please be sure that we will find common languge. We will restore all the data and give you recommedations how to configure the protection of your server.
We will definitely reach an agreement 😉 !!!
ALTERNATIVE COMMUNICATION
If yоu did nоt rеcеivе thе аnswеr frоm thе аfоrеcitеd еmаils fоr mоrе then 24 hours please sеnd us Bitmеssаgеs frоm а wеb brоwsеr thrоugh thе wеbpаgе hxxps://bitmsg.me. Bеlоw is а tutоriаl оn hоw tо sеnd bitmеssаgе viа wеb brоwsеr:
1. Оpеn in yоur brоwsеr thе link hxxps://bitmsg.me/users/sign_up аnd mаkе thе rеgistrаtiоn bу еntеring nаmе еmаil аnd pаsswоrd.
2. Уоu must cоnfirm thе rеgistrаtiоn, rеturn tо уоur еmаil аnd fоllоw thе instructiоns thаt wеrе sеnt tо уоu.
3. Rеturn tо sitе аnd сlick "Lоgin" lаbеl оr usе link hxxps://bitmsg.me/users/sign_in, еntеr уоur еmаil аnd pаsswоrd аnd click thе "Sign in" buttоn.
4. Сlick thе "Сrеаtе Rаndоm аddrеss" buttоn.
5. Сlick thе "Nеw mаssаgе" buttоn.
6. Sеnding mеssаgе:
Tо: Еntеr аddrеss: BM-2cXRWRW5Jv5hxbhgu2HJSJrtPf92iKshhm
Subjесt: Еntеr уоur ID: -
Mеssаgе: Dеscribе whаt уоu think nеcеssаrу.
Сlick thе "Sеnd mеssаgе" buttоn.'
