The MessedUP Ransomware is a new variant based on the Phobos Ransomware family that has been detected in the wild. The threat itself does not deviate in any major way from the typical behavior of Phobos Ransomware variants, apart from the fact that the hackers behind it have apparently decided to forego the usual email communication channel and have instead opted to use the ICQ messaging application. As for the encrypted files, their original filenames will be modified to include a string of characters representing the victim's unique ID, followed by the ICQ account address of the criminals, and finally '.messedup' as a new extension. The ransom note of the threat is delivered in two different forms: first as a text file named 'info.txt', and second as an HTML application file called 'info.hta' that generates a pop-up window on the screen of the compromised computer.
The instructions found in the text file include a lengthy message from the hackers addressed to a potential IT manager or the owner of the company that was infected by the MessedUP Ransomware. The useful information, however, is pretty sparse. Victims are simply provided with the aforementioned ICQ account address - '@FIREYOURITGUY.' The message displayed in the pop-up window contains the same account, but it also allows affected users to send up to 5 files that should not exceed a total size of 4MB for free decryption.
The best thing to do when handling the aftermath of an attack by the MessedUP Ransomware is to look for a suitable backup that was created before the malware managed to infiltrate the computer. Before attempting to restore the encrypted data, however, make sure to remove any traces of the threat by using a professional anti-malware solution.
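Before restoring from backup, a responder usually wants an inventory of what the infection touched: which files were renamed with the '.messedup' extension, which victim ID and attacker contact they carry, and where the 'info.txt' / 'info.hta' notes were dropped. The script below is an added triage example, not code from the original write-up or from any vendor tool. The page states only that the new filename carries the victim ID, then the ICQ handle, then '.messedup'; the exact 'id[...]' and '[...]' bracket separators in the regex are an assumption borrowed from other Phobos variants, and the sample files it creates are constructed for the demonstration.

```python
import re
import tempfile
from pathlib import Path

# Indicators taken from the write-up: the appended extension and the two ransom note names.
MESSEDUP_EXT = ".messedup"
RANSOM_NOTE_NAMES = {"info.txt", "info.hta"}

# ASSUMPTION: the write-up gives the order (victim ID, ICQ handle, extension) but not
# the separators. The 'id[...]' / '[...]' bracket layout below follows other Phobos
# variants; adjust the pattern if real samples differ.
MESSEDUP_NAME_RE = re.compile(
    r"^(?P<original>.+?)"                         # original filename, e.g. report.docx
    r"\.id\[(?P<victim_id>[0-9A-F]{8}-\d{4})\]"   # victim ID, e.g. C279F237-2797
    r"\.\[(?P<contact>[^\]]+)\]"                  # attacker contact, e.g. @FIREYOURITGUY
    r"\.messedup$",
    re.IGNORECASE,
)


def parse_messedup_name(filename):
    """Split a renamed file into its components, or return None if it does not match."""
    m = MESSEDUP_NAME_RE.match(filename)
    return m.groupdict() if m else None


def scan_tree(root):
    """Walk `root` and return a triage summary of the indicators found."""
    root = Path(root)
    encrypted, unparsed, notes = [], [], []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        name = path.name.lower()
        if name in RANSOM_NOTE_NAMES:
            notes.append(rel)
        elif name.endswith(MESSEDUP_EXT):
            info = parse_messedup_name(path.name)
            if info:
                encrypted.append((rel, info))
            else:
                # Extension matches but the layout does not: still worth a look.
                unparsed.append(rel)
    return {
        "encrypted_count": len(encrypted),
        "victim_ids": sorted({i["victim_id"].upper() for _, i in encrypted}),
        "contacts": sorted({i["contact"] for _, i in encrypted}),
        "unparsed": sorted(unparsed),
        "ransom_notes": sorted(notes),
    }


def build_constructed_tree(base):
    """Create constructed sample files mirroring the layout described above."""
    base = Path(base)
    (base / "docs").mkdir()
    samples = [
        "docs/report.docx.id[C279F237-2797].[@FIREYOURITGUY].messedup",
        "docs/photo.jpg.id[C279F237-2797].[@FIREYOURITGUY].messedup",
        "docs/info.txt",
        "info.hta",
        "docs/untouched.pdf",
        "odd.messedup",  # right extension, unexpected layout: flagged but not parsed
    ]
    for rel in samples:
        (base / rel).write_text("constructed sample content")
    return base


def demo():
    """Run the scan over a throwaway constructed tree and return the summary."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_tree(build_constructed_tree(tmp))


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Point `scan_tree` at a mounted image or a share instead of the constructed tree to get the same summary for a real incident; the `victim_ids` and `contacts` fields give the ID and handle that identify the campaign, and any entries under `unparsed` mean the naming layout differs from the assumed one and the regex should be adjusted before trusting the count.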
The full text from the 'info.txt' file is:
'If you are the IT manager and you are reading this, that means that you messed up, you were asleep at the wheel. Contact us and we can resolve this situation without major complication, if you are the owner of the company and you are reading this than the decision is yours, throw your hard drives in the trash or contact us and pay a nominal fee to recover your data, but know that your security practices have failed you and either way something needs to be done
If you want to restore them, install ICQ software on your PC hxxps://icq.com/windows/ or on your mobile phone search in Appstore / Google market "ICQ"
Write to our ICQ @FIREYOURITGUY hxxps://icq.im/FIREYOURITGUY
Do not rename encrypted files.
Do not try to decrypt your data using third party software, it may cause permanent data loss.'
The instructions from the pop-up window are:
'Unfortunately for you, a major IT security weakness left you open to attack, your files have been encrypted with ciphers more advanced than those used for diplomatic communications, you can spend days and months searching for a magical way to decrypt your files, but rest assured we are the only people who can help you recover your files, there is no free tool
If you want to restore them, install ICQ software on your PC https://icq.com/windows/ or on your mobile phone search in Appstore / Google market "ICQ"
Write to our ICQ @FIREYOURITGUY https://icq.im/FIREYOURITGUY
Write this ID in the title of your message C279F237-2797
Free decryption as guarantee
Before paying you can send us up to 5 files for free decryption. The total size of files must be less than 4Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.)
Do not rename encrypted files.
Do not try to decrypt your data using third party software, it may cause permanent data loss.
Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.'