0mega勒索病毒家族详情

【家族名】
Win32/Ransom.0mega
[平台]   /   [主类型]  .  [家族名]
平台类型 :  Win32 Win64
威胁类型 : Ransom
【是否支持解密】
360解密大师：暂不支持
在线解密：暂不支持
【被加密文件】
修改文件后缀为.随机后缀，例如



【勒索提示信息】：
文件名：HOW TO RESTORE YOUR FILES.TXT
文件内容 ：DECRYPT-FILES.txt
-------------------------------------------------------------------------------
------------
[Attention!]
------------

Hello Nextlabs, you have been HACKED and all your files have been DOWNLOADED and ENCRYPTED with reliable cryptographic algorithms.
We have your software source code, financial data, instructions, documentations and so on.

Special secret key is required to DECRYPT your files. Only we have this key and only we can give it to you.
In order to restore your files and prevent data leakage, you must make a payment.

After the payment, we will give you software to DECRYPT all your files, and we will remove your data from our servers.

If you do not contact us in 3 business days:
1) we will begin publication of your files on our website. Mass media will know about your problem, and you will loose your clients who have trusted you their data.
2) we will notify government entities and give them a copy of your financial accountancy for further analysis.
3) no one will cooperate with cybersecurity company which got publicly hacked and ransomwared.

You can prevent this by making the payment and we will remove all data we have downloaded, give you decryptors and provide you with security report.

----------------------------------------
[How to contact you and make a payment?]
----------------------------------------

To make the payment please visit our website to contact support team via live chat and negotiate the payment amount.
There are two methods to contact us:

1) Using TOR Browser - RECOMMENDED
  a) Install TOR Browser https://torproject.org
  b) Visit http://fxiqlzzldxq44pqljg333622h ... 0a1c4312208b7684812
  c) Authorize by uploading DECRYPT-FILES.txt
  d) Write into the live chat

2) Using regular web browser - additional method
  a) Visit https://0mega-connect.biz/c/f4afd0a1c4312208b7684812
  b) Authorize by uploading DECRYPT-FILES.txt
  d) Write into the live chat

Feel free to ask any questions.

------------------------
[How it can be trusted?]
------------------------

We are making our business by restoring company networks and preventing data leaks. If we do not follow our mutual agreements nobody will make a payment.
So we are interested in recovering your data and preventing any data leaks.

Also, you can verify our words:

1) By requesting test decryption, uploading us a few files below 2 MB. We will decrypt it for free.
2) By requesting us to provide you with a partial tree of stolen files and asking to send you one file chosen by you from this list.

--------------------------------
[What about recovery companies?]
--------------------------------

Recovery companies will contact us on their own, asking you to make the bigger payment than we request and taking the difference to themselves.
That is how they work. If you face difficulties in making the payment, you can freely contact any of them.
Also it must be said, that recovery companies have poor negotiators and they usually ruin any negotiations rather than actually helping.

------------------------------------------
[What actually is received after payment?]
------------------------------------------

1) Decryptor to recover ALL your data.
2) Removal of stolen data from your network on our servers and providing you with proofs of data removal.
3) Security report on how to enhance your security and how you were hacked.
4) Anything else we discuss during our negotiations.

P.S. Dear network administrators and other IT employees, do not try to hide the fact of the attack from your employer. Corporate leadership will be notified as well.

-----------------------------------------------------------------
do not touch this block as this required to process authorization
data_begin
H3*******RyMCbkt8Cn69U3Ht6qdffoCvkHvglyBGvsD47bvlkhYlp/hXWCwubnEY0DZ1wZL5MnK6CPY83c7cUIDEJRXsdw8t21/JUZb2CRHQri/cYO6dO1C80sf33zPl5YC1FUzLU3taMoVn/SNV3VCOrKtckhKnHwuu5ts+w04W7AEAAAAAQAAAGYANABhAGYAZAAwAGEAMQBjADQAMwAxADIAMgAwADgAYgA3ADYAOAA0ADgAMQAyAAAAAAAAAAAAAAAAAAAAAABkAHMAYQBwAGkAXwB1AG4AYQB2AGEAaQBsAGEAYgBsAGUAXwBvAG4AXwB0AGgAaQBzAF8AbQBhAGMAaABpAG4AZQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
data_end
-----------------------------------------------------------------

【赎金谈判页面】


【暗网】


【防护建议】
1.多台机器，不要使用相同的账号和口令
2.登录口令要有足够的长度和复杂性，并定期更换登录口令
3.重要资料的共享文件夹应设置访问权限控制，并进行定期备份
4.定期检测系统和软件中的安全漏洞，及时打上补丁。
5.定期到服务器检查是否存在异常。查看范围包括：
a)是否有新增账户
b) Guest是否被启用
c) Windows系统日志是否存在异常
d)杀毒软件是否存在异常拦截情况
6.安装安全防护软件，并确保其正常运行。
7.从正规渠道下载安装软件。
8.对不熟悉的软件，如果已经被杀毒软件拦截查杀，不要添加信任继续运行。