
'+superuser111@0nl1ne.at File Extension' Ransomware

By GoldSparrow in Ransomware

The name, '+superuser111@0nl1ne.at File Extension' Ransomware, is a working title for a generic crypto-threat that was discovered on July 5th, 2018. Most of the samples attributed to the threat have been uploaded from Belarus, which may suggest that the people behind the '+superuser111@0nl1ne.at File Extension' Ransomware are running attacks aimed at users based in Belarus. The threat actors may be using a restricted mailing list to send phishing emails that convince users to open a macro-enabled document; the macro installs the '+superuser111@0nl1ne.at File Extension' Ransomware on the device while a decoy text is shown on the screen.

The Threat is Based on the FLKR Ransomware

The '+superuser111@0nl1ne.at File Extension' Ransomware is based on the '_morf56@meta.ua_ File Extension' Ransomware, which some cybersecurity vendors call the FLKR Ransomware after the original malware payload. Because most new ransomware versions carry only light modifications of an existing payload, they tend to be named after their suffix or contact address, as with the Help@badfail.info Ransomware and the Scarab-Bitcoin Ransomware. The Trojan at hand is known to encrypt data such as images, audio, video, databases, office documents and eBooks using a custom implementation of the AES cipher. The original files are deleted and replaced with the encrypted versions. As its name suggests, this particular crypto-threat appends the '+superuser111@0nl1ne.at' suffix to filenames after the original extension, with no separating dot. For example, 'Carlin–type gold deposits.pptx' is renamed to 'Carlin–type gold deposits.pptx+superuser111@0nl1ne.at', and a ransom note named 'INSTRUCTIONX.txt' is displayed on the screen. The message loaded by the Trojan reads:

'To decrypt files - Jabber (xmpp) address: superuser111@0nl1ne.at (if we are offline - you can write offline, its ok) PIN: [redacted 2 numbers]'

Two More Versions of FLKR Ransomware Were Recorded in the Past

Two older versions of the same Trojan have been recorded by various cybersecurity companies: the team responsible for the FLKR Ransomware was reported to have released the '__murzik@jabber.mipt.ru File Extension' Ransomware and the '+asdasd333@default.rs File Extension' Ransomware.

The first, the '__murzik@jabber.mipt.ru File Extension' Ransomware, was spotted in December 2017 and dropped 'INSTRUCTION.txt' on the user's desktop with the following message:

'You want to decrypt your files? Write us on Jabber (xmpp):murzik@jabber.mipt.ru
(you can write to us even if we are offline) Your PIN: 111'

The second, the '+asdasd333@default.rs File Extension' Ransomware, was noticed in May 2018 and delivered 'INSTR.txt' with the following notification:

'In order to decrypte files please contact me via Jabber asdasd333@default.rs your pin 69'
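All three variants described above share the same pattern: a contact address appended to the filename after the original extension, and a short plain-text note naming a Jabber address and a PIN. The following triage script is an added example, not code from this page or from any vendor. It walks a directory, flags files carrying any of the suffixes listed on this page, recovers the original filename by stripping the suffix, and pulls the Jabber address and PIN out of the ransom notes. The regexes are assumptions about the note format based on the three notes quoted above, and the directory tree built by `demo()` is constructed sample data (the PIN in its sample note is a made-up value, since the page redacts the real one).

```python
import re
import tempfile
from pathlib import Path

# Filename suffixes of the FLKR family named on this page. They are appended
# after the original extension with no separating dot.
FLKR_SUFFIXES = (
    "+superuser111@0nl1ne.at",
    "__murzik@jabber.mipt.ru",
    "+asdasd333@default.rs",
    "_morf56@meta.ua_",
)

# Ransom note file names dropped by the variants described on this page.
RANSOM_NOTE_NAMES = {"INSTRUCTIONX.txt", "INSTRUCTION.txt", "INSTR.txt"}

# Assumed note format: one Jabber (XMPP) address and a numeric PIN, with the
# word "PIN" optionally followed by a colon (matches all three quoted notes).
JABBER_RE = re.compile(r"[A-Za-z0-9._-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
PIN_RE = re.compile(r"pin:?\s*([0-9]+)", re.IGNORECASE)


def split_encrypted_name(name):
    """Return (original_name, suffix) if name ends with a FLKR suffix, else None."""
    for suffix in FLKR_SUFFIXES:
        if name.endswith(suffix) and len(name) > len(suffix):
            return name[:-len(suffix)], suffix
    return None


def parse_ransom_note(text):
    """Extract the Jabber contact and PIN from note text; missing fields are None."""
    jabber = JABBER_RE.search(text)
    pin = PIN_RE.search(text)
    return {
        "jabber": jabber.group(0) if jabber else None,
        "pin": pin.group(1) if pin else None,
    }


def triage_directory(root):
    """Walk root and collect FLKR indicators: encrypted files, notes, contacts, PINs."""
    root = Path(root)
    result = {"encrypted": [], "notes": [], "contacts": set(), "pins": set(), "suffixes": {}}
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        if path.name in RANSOM_NOTE_NAMES:
            note = parse_ransom_note(path.read_text(errors="replace"))
            result["notes"].append(str(path))
            if note["jabber"]:
                result["contacts"].add(note["jabber"])
            if note["pin"]:
                result["pins"].add(note["pin"])
            continue
        hit = split_encrypted_name(path.name)
        if hit:
            original, suffix = hit
            # (encrypted path, original filename) so a restore-from-backup list can be built
            result["encrypted"].append((str(path), original))
            result["suffixes"][suffix] = result["suffixes"].get(suffix, 0) + 1
    return result


def demo():
    """Build a constructed sample tree (not a real capture) in a temp dir and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "docs").mkdir()
        (root / "old").mkdir()
        (root / "docs" / "Carlin-type gold deposits.pptx+superuser111@0nl1ne.at").write_bytes(b"\x00")
        (root / "docs" / "budget.xlsx+superuser111@0nl1ne.at").write_bytes(b"\x00")
        (root / "old" / "photo.jpg__murzik@jabber.mipt.ru").write_bytes(b"\x00")
        (root / "readme.txt").write_text("clean file, no suffix")
        # Sample note text modelled on the page; PIN 77 is a made-up value.
        (root / "docs" / "INSTRUCTIONX.txt").write_text(
            "To decrypt files - Jabber (xmpp) address: superuser111@0nl1ne.at "
            "(if we are offline - you can write offline, its ok) PIN: 77")
        (root / "old" / "INSTRUCTION.txt").write_text(
            "You want to decrypt your files? Write us on Jabber (xmpp):murzik@jabber.mipt.ru\n"
            "(you can write to us even if we are offline) Your PIN: 111")
        return triage_directory(root)


if __name__ == "__main__":
    r = demo()
    print("encrypted:", sorted(o for _, o in r["encrypted"]))
    print("suffix counts:", r["suffixes"])
    print("contacts:", sorted(r["contacts"]), "pins:", sorted(r["pins"]))
```

The `encrypted` list pairs each renamed file with its original name, which is what you need to match affected files against a clean backup; the `contacts` and `pins` sets are the indicators to hand to the incident record, not addresses to write to.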

There are Ways to Restore Your Data Without Paying

Some users may be tempted to contact the threat actors via their Jabber account, but that is a bad idea. The goal of the threat authors is to trick users into paying for a decoder. You should be able to restore your files as long as you have clean backups on removable storage or in services like Microsoft OneDrive, Dropbox, SpiderOak and Google Drive. It is advised to remove the '+superuser111@0nl1ne.at File Extension' Ransomware with a trustworthy anti-malware tool before restoring any data. AV companies refer to files used by the '+superuser111@0nl1ne.at File Extension' Ransomware and related versions with the following detection names:

Artemis!F6A95A182FA9
Gen:Variant.Graftor.315557 (B)
HEUR/QVM11.1.0000.Malware.Gen
PAK_Generic.005
Trojan.Agent!jhX2Hm7ahpE
Trojan.Agent.Win32.754836
Trojan.Agent.bgzk
Trojan.Encoder.7223
Trojan/Win32.Agent.C1700844
W32/Agent.NEYFEG!tr
W32/Trojan.ENYM-2212
Win32/DH{gmeBUQk?}
