More and more cyber crooks turn to ransomware threats as an easy way to generate a quick buck. One does not even need to be very experienced to create and distribute a file-locking Trojan as a majority of them are simply based on the code of already existing ransomware threats.
Propagation and Encryption
Today's data-encrypting Trojan falls into this category. The MGS Ransomware has not been built from scratch but is instead a variant of the notorious Dharma Ransomware. Malware researchers have not yet determined which infection vectors are used to distribute the MGS Ransomware. It is likely that the creators of this nasty threat are using pirated fake copies of popular software, mass spam email campaigns, and bogus application updates to spread the MGS Ransomware. The MGS Ransomware locates all the files it was programmed to target by performing a quick scan of the system. When this is completed, the MGS Ransomware begins locking all the targeted files. Once a file undergoes the encryption process of the MGS Ransomware, its name is changed as this threat adds a '.id-
The Ransom Note
In the next phase, the MGS Ransomware will create a file with the message of the attackers called 'RETURN FILES.txt.' The note reads:
'All FILES ENCRYPTED "RSA1024"
All YOUR FILES HAVE BEEN ENCRYPTED!!! IF YOU WANT TO RESTORE THEM, WRITE US TO THE E-MAIL firstname.lastname@example.org
IN THE LETTER WRITE YOUR ID, YOUR ID
IF YOU ARE NOT ANSWERED, WRITE TO EMAIL: email@example.com
YOUR SECRET KEY WILL BE STORED ON A SERVER 7 DAYS, AFTER 7 DAYS IT MAY BE OVERWRITTEN BY OTHER KEYS, DON’T PULL TIME, WAITING YOUR EMAIL
FREE DECRYPTION FOR PROOF
You can send us up to 1 file for free decryption. The total size of files must be less than 1Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.)
When you make sure of decryption possibility transfer the money to our bitcoin wallet. As soon as we receive the money we will send you:
1. Decryption program.
2. Detailed instruction for decryption.
3. And individual keys for decrypting your files.
Do not rename encrypted files.
Do not try to decrypt your data using third party software, it may cause permanent data loss.
Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.'
In the ransom note, the attackers do not specify the ransom fee. However, the authors of the MGS Ransomware warn the victim that unless they are contacted within seven days, the decryption key that is being held for ransom will be wiped permanently. To prove that they hold a working decryption key, the attackers offer to decrypt one file for the victim free of charge, as long as it is no larger than 1MB. The attackers then provide the victim with an email address where they expect to be contacted: 'firstname.lastname@example.org.'
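Two artifacts described above, the 'RETURN FILES.txt' note and the '.id-' marker inserted into encrypted file names, are enough for a first triage of a share. The Python below is an added example written for this article, not code from the malware or from any vendor tool; the tail of the renamed files is a placeholder because the write-up truncates the full suffix, and the sample paths are constructed.

```python
"""Triage helper: find MGS/Dharma-style ransom notes and renamed files per directory."""
import os

RANSOM_NOTE_NAME = "RETURN FILES.txt"  # note file name given in the write-up
ID_MARKER = ".id-"                     # fragment the renaming adds; full suffix is truncated in the source

# Constructed sample paths (not real IoCs); 'PLACEHOLDER' stands in for the unknown suffix.
SAMPLE_PATHS = [
    "/srv/share/finance/RETURN FILES.txt",
    "/srv/share/finance/budget.xlsx.id-PLACEHOLDER",
    "/srv/share/finance/q3.docx.id-PLACEHOLDER",
    "/srv/share/hr/employee.id-card.pdf",   # benign name that happens to contain the marker
    "/srv/share/hr/handbook.pdf",
]


def classify_path(path):
    """Return 'note', 'encrypted' or None for one file path."""
    name = os.path.basename(path)
    if name.lower() == RANSOM_NOTE_NAME.lower():
        return "note"
    # The marker is appended after the original name (e.g. 'report.docx.id-...'),
    # so require it to appear after at least one character of the original name.
    if ID_MARKER in name and not name.startswith(ID_MARKER):
        return "encrypted"
    return None


def triage(paths):
    """Group hits per directory and flag directories holding both a note and renamed files.

    The '.id-' marker alone is a weak signal (see the 'id-card' sample); a directory
    is only 'confirmed' when the ransom note sits next to renamed files.
    """
    summary = {}
    for path in paths:
        kind = classify_path(path)
        if kind is None:
            continue
        entry = summary.setdefault(os.path.dirname(path) or ".", {"notes": 0, "encrypted": 0})
        entry["notes" if kind == "note" else "encrypted"] += 1
    for entry in summary.values():
        entry["confirmed"] = entry["notes"] > 0 and entry["encrypted"] > 0
    return summary


def triage_tree(root):
    """Walk a real directory tree and run the same triage over every file found."""
    paths = [os.path.join(dirpath, f) for dirpath, _, files in os.walk(root) for f in files]
    return triage(paths)
```

Run `triage_tree("/path/to/share")` on a mounted share to get the same per-directory summary; a `confirmed` directory is where restoration from backup should start.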
We strongly advise you to avoid any dealings with cybercriminals like the ones responsible for the MGS Ransomware. Instead, you should obtain a legitimate anti-malware tool, which will help you remove the MGS Ransomware from your PC.