OPdailyallowance Ransomware (a new crypto-extortionist)

Fadhel GHAJATI
Sep 6, 2018 · 3 min read

This crypto-extortionist encrypts user data with AES and then demands a ransom of 0.3 BTC to return the files.

The ransomware arrives as an executable named Documents.exe (also seen as Document.exe) or as a fake Adobe Player. Encrypted files get the extension .CRYPTR appended.

Activity of this crypto-extortionist was observed at the end of August 2018. It is aimed at English-speaking users, which does not prevent it from spreading worldwide.

The ransom demand is spread across three note files:

INTRUCTION.html

PAYMENT !!!.txt

ATTANTION!!!.txt

Instruction

Contents of the note INTRUCTION.html:

WHAT HAPPEND?

Can not find the files that you need?

Is the content of your files that you need, unreadable?

This is normal because the data has been encrypted. etc…

Payment

Contents of the note PAYMENT !!!.txt:

GET THE KEY DECRYPT FILE, YOU HAVE TO PAY 0,3 BTC TO ADDRESS: 1CajF6395CNBrXxjGqVsALcTvNhyRbQebu

Attantion

Contents of the note ATTANTION !!!.txt:

##### ATTANTION !!!.txt

##### YOUR PRIVATE KEY EXPIRED 3 DAYS IF IT EXCEEDS 3 DAYS WE CAN NOT HELP YOU TO DECRYPT YOUR FILE

##### PLEASE DO NOT TURN OFF YOUR PC AND DO NOT RENAME EXTENSION, IT WILL FILE YOUR CORRUPTION

##### GET THE KEY TO DECRYPT FILE, YOU HAVE PAY 0.3 BTC TO ADDRESS 1CajF6395CNBrXxjGqVsALcTvNhyRbQebu

##### IF YOU SEND EMAIL AND NO REPLY FROM US MORE THAN 2 DAYS PLEASE RESEND YOUR EMAIL

#####

The victim is also notified by an image that replaces the desktop wallpaper.

The ransomware can be distributed through unprotected RDP configurations, email spam with malicious attachments, deceptive downloads, botnets, exploits, web injections, fake updates (Adobe Player, etc.), and repackaged or infected installers.

File types targeted for encryption:

MS Office and OpenOffice documents, PDFs, text files, databases, photos, music, video, image files, archives, etc.

Related files for Ransomware:

INTRUCTION.html

PAYMENT !!!.txt

ATTANTION !!!.txt

<random>.exe (randomly named executable)

Locations:

\Desktop\

\User_folders\

%TEMP%\

Contact channels and payment indicators:

Email: BM-2cVQmNzy6ZLBWCD4fVYWSCCBSAik2jEUuy@bitmessage.ch

BTC: 1CajF6395CNBrXxjGqVsALcTvNhyRbQebu
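The indicators above (the .CRYPTR extension, the three note file names, the BTC address and the Bitmessage contact) are enough for a quick host-side triage sweep. The scanner below is an added example written for this post, not code from the original article or from the ransomware itself; the directory layout, the sample file contents and the function names scan_tree, is_infected and demo are constructed for illustration. Note names are compared lower-cased with whitespace removed, so both spellings of the ATTANTION note seen above are caught.

```python
import os
import re
import tempfile
from pathlib import Path

# Indicators taken from the write-up above.
ENCRYPTED_EXT = ".cryptr"          # compared case-insensitively
# Note names are compared lower-cased with whitespace removed, so both
# "ATTANTION!!!.txt" and "ATTANTION !!!.txt" match.
NOTE_NAMES = {"intruction.html", "payment!!!.txt", "attantion!!!.txt"}
CONTENT_IOCS = [
    re.compile(r"1CajF6395CNBrXxjGqVsALcTvNhyRbQebu"),
    re.compile(r"BM-2cVQmNzy6ZLBWCD4fVYWSCCBSAik2jEUuy@bitmessage\.ch"),
]
MAX_SNIFF_BYTES = 64 * 1024        # only small files are content-scanned


def _normalised_name(name):
    """Lower-case a file name and drop all whitespace for note matching."""
    return "".join(name.lower().split())


def scan_tree(root):
    """Walk root and return the paths that match each indicator class."""
    hits = {"encrypted": [], "notes": [], "ioc_content": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            if name.lower().endswith(ENCRYPTED_EXT):
                hits["encrypted"].append(str(path))
            if _normalised_name(name) in NOTE_NAMES:
                hits["notes"].append(str(path))
            try:
                if path.stat().st_size <= MAX_SNIFF_BYTES:
                    text = path.read_text(encoding="utf-8", errors="ignore")
                    if any(p.search(text) for p in CONTENT_IOCS):
                        hits["ioc_content"].append(str(path))
            except OSError:
                continue  # unreadable file: skip it rather than abort the sweep
    return hits


def is_infected(hits):
    """True if the tree shows any encrypted file, ransom note, or note content."""
    return any(hits[k] for k in ("encrypted", "notes", "ioc_content"))


def demo():
    """Build a constructed sample tree (not real victim data) and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        desktop = Path(tmp) / "Desktop"
        desktop.mkdir()
        # Stand-in for an encrypted document: random bytes with the appended extension.
        (desktop / "budget.xlsx.CRYPTR").write_bytes(os.urandom(256))
        (desktop / "INTRUCTION.html").write_text("<p>WHAT HAPPEND?</p>", encoding="utf-8")
        (desktop / "PAYMENT !!!.txt").write_text(
            "GET THE KEY DECRYPT FILE, YOU HAVE TO PAY 0,3 BTC TO ADDRESS: "
            "1CajF6395CNBrXxjGqVsALcTvNhyRbQebu", encoding="utf-8")
        (desktop / "notes.txt").write_text("weekly standup notes", encoding="utf-8")
        return scan_tree(tmp)


if __name__ == "__main__":
    result = demo()
    for kind, paths in result.items():
        print(f"{kind}: {len(paths)}")
    print("infected:", is_infected(result))
```

On a real host, point scan_tree at the user profile, Desktop and %TEMP% locations listed above; the content check is capped at 64 KB per file so the sweep does not read large encrypted data just to look for a wallet address.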

Written by Fadhel GHAJATI, Cybersecurity Engineer
