RCRU64 Ransomware ([ID=id random 6-Mail=email].random 4) Support Topic


52 replies to this topic

#16 Amigo-A (Security specialist and Ransomware expert; Members; 3,049 posts; Location: Bering Strait)

Posted 05 December 2022 - 01:54 PM

Or is it the same hacker who created the ransomware, and could they also be a member of this forum?

Anyone can register on the forum. You do not need to trust those who have no messages on the forum, or only very few.

Yes, they can offer their services, and sometimes they are trusted and paid money. You just need to think a little. For example: would you give your money to a random person on the street, in a store, in a bank? No, of course not, if it is a large amount and the stranger is not asking for charity.

In some cases, when the amount is small, the affected user may risk the money. But he will most likely get hurt again: lost files and lost money. Extortionists can trick you out of money and then demand even more; they will come up with a hundred reasons and everything will look as though you are to blame.


Edited by Amigo-A, 05 December 2022 - 01:58 PM.

My site: The Digest "Crypto-Ransomware"  + Google Translate 

 



#17 quietman7 (Bleepin' Gumshoe; Global Moderator; 61,818 posts; Location: Virginia, USA)

Posted 05 December 2022 - 04:14 PM


@arimarjul

I have merged your posting and related comments into the primary support topic for victims of this ransomware.


Microsoft MVP Alumni 2023, Windows Insider MVP 2017-2020, MVP Reconnect 2016-2023
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
Retired Police Officer, Federal Agent and Coast Guard Chief


#18 bitrunner (Members; 5 posts)

Posted 28 October 2023 - 01:13 PM

Got a ransomware attack, and my files are encrypted with the extension .MMV. I tried uploading a sample but it says unknown; it's asking for Bitcoin payment. Ideas?

 

Case ef2341e2013e81baed1eb650b213bd28af5337e7


Edited by quietman7, 29 October 2023 - 04:15 PM.


#19 Amigo-A (Security specialist and Ransomware expert; Members; 3,049 posts; Location: Bering Strait)

Posted 28 October 2023 - 01:28 PM

You need to attach a ZIP archive with a ransom note and 2-3 encrypted files to the message. 
The size is no more than 10 MB according to the forum rules.

Edited by Amigo-A, 28 October 2023 - 01:28 PM.


 


#20 bitrunner (Members; 5 posts)

Posted 28 October 2023 - 01:52 PM

Attaching a zip sample. 

 

Should I send an email to them to just see what it costs?

Attached Files

  • Attached File  mmv.zip   1.74MB   6 downloads


#21 quietman7 (Bleepin' Gumshoe; Global Moderator; 61,818 posts; Location: Virginia, USA)

Posted 28 October 2023 - 03:23 PM

Your Ransom note contents:

All Your Files Are Locked And Important Data Downloaded !
Your Files Are No Longer Accessible Don't Waste Your Time, Without Our Decryption Program Nobody Can't Help You .
If Payment Isn't Made After A While We Will Sell OR Publish Some Of Your Data . You Don't Have Much Time!
Your ID : BVPKO
If You Want To Restore Them Email Us : insomnia1441@gmail.com
If You Do Not Receive A Response Within 24 Hours, Send A Message To Our Telegram , ID : @insomnia1441
To Decrypt Your Files You Need Buy Our Special Decrypter In Bitcoin .
Every Day The Delay Increases The Price !! The Decryption Price Depends On How Fast You Write To Us Email.
We Deliver The Decryptor Immediately After Payment , Please Write Your System ID In The Subject Of Your E-mail.
What is the guarantee !
Before Payment You Can Send Some Files For Decryption Test.
If We Do Not Fulfill Our Obligations, No One Does Business With Us , Our Reputation Is Important To Us
It's Just Business To Get Benefits.
===============================================================================
Attention !
Do Not Rename,Modify Encrypted Files .
Do Not Try To Recover Files With Free Decryptors Or Third-Party Programs And Antivirus Solutions Because
It May Make Decryption Harder Or Destroy Your Files Forever !
===============================================================================
Buy Bitcoin !
https://www.kraken.com/learn/buy-bitcoin-btc
https://www.coinbase.com/how-to-buy/bitcoin


Looks to be a new variant of GoodMorning Ransomware or RCRU64 Ransomware.

 

The ransom note, contents and naming format of the extension with the random 3-4 characters appended at the end are similar to what we have seen with this ransomware.
 

 




#22 bitrunner (Members; 5 posts)

Posted 28 October 2023 - 05:55 PM

Thanks! Is this something that can be fixed with out paying them?



#23 quietman7 (Bleepin' Gumshoe; Global Moderator; 61,818 posts; Location: Virginia, USA)

Posted 28 October 2023 - 06:07 PM

rivitna has advised in Post #26 that this is actually a new variant of RCRU64 Ransomware.

It's RCRU64 Ransomware!
https://github.com/rivitna/Malware/tree/main/RCRU64

 
GoodMorning Ransomware has some similar characteristics but it is not the same per rivitna's explanation.




#24 bitrunner (Members; 5 posts)

Posted 28 October 2023 - 06:19 PM

I got hit with this as well. Anyone have any success recovering their data? Or know of a service that can do it?



#25 quietman7 (Bleepin' Gumshoe; Global Moderator; 61,818 posts; Location: Virginia, USA)

Posted 28 October 2023 - 06:30 PM

There is no known method that I am aware of to decrypt files encrypted by this ransomware without paying the ransom (not advisable) and obtaining the private encryption keys from the criminals who created the ransomware unless they are leaked or seized & released by authorities. As with most ransomware, your best option is to restore from backups. If that is not feasible, you can try file recovery software to recover (not decrypt) some of your original files.
 
 




#26 rivitna (Security Colleague; 185 posts)

Posted 28 October 2023 - 07:00 PM

It's RCRU64 Ransomware!

https://github.com/rivitna/Malware/tree/main/RCRU64


Edited by rivitna, 28 October 2023 - 07:03 PM.


#27 quietman7 (Bleepin' Gumshoe; Global Moderator; 61,818 posts; Location: Virginia, USA)

Posted 28 October 2023 - 08:27 PM

According to Amigo-A:
[ID=id*** random 6-Mail=email].random 4 + Read_Me!_.txt, ReadMe_Now!.hta = RCRU64 Ransomware
example: [ID=rfeHv0-Mail=FilesRecoverEN@Gmail.com].03rK
 
_[ID-id*** random 5_Mail-email].random 3-4 + Restore_Your_Files.txt = GoodMorning Ransomware (NextGen)
example:_[ID-GRHYT_Mail-jounypaulo@mail.ee].Hhe 
 
Victim's ransom note name: Restore_Your_Files.txt
Victim's extension: _[ID-BVPKO_Mail-insomnia1441@gmail.com].MMV which = _[ID-id*** random 5_Mail-email].random 3-4




#28 rivitna (Security Colleague; 185 posts)

Posted 29 October 2023 - 03:02 AM

This classification isn't correct! :-)

 

RCRU64 (from March 2021 to the present)

Samples, Attackers

- The ransomware was developed in C++ (Crypto++);
- File encryption - AES GCM / RSA-2048, RSA exponent is 17;
- Encrypted files contain the footer marker "wenf=" (v4) or "udij=" (v1 - v3);
- C2: 185.147.34.53 (v2 - v4) or 122.53.179.200, 45.143.147.12 (v1 - v2);
- The ransomware versions v3 and v4 contain the same RSA-3072 and RSA-2048 public keys.

GoodMorning (from June 2021 to the present, very rare)

Samples, Attackers

- The ransomware was developed in Python (PyInstaller, PyArmor);
- File encryption - AES CBC (random password -> encryption key);
- The ransomware sends the generated passwords to a Telegram bot.

Here is the last known sample:

https://www.virustotal.com/gui/file/3563f96389a94d21ca2f8ee71a73e4c9d88810778770b5060aeb912ac854acc9


Edited by rivitna, 29 October 2023 - 04:12 AM.
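The two classifications in this thread (Amigo-A's extension-pattern list quoted in post #27 and rivitna's technical characteristics in post #28) can be combined into a small triage script that shows why the filename alone misled here: the .MMV victim's extension matches the GoodMorning naming pattern, while the footer marker inside the encrypted file says RCRU64. The script below is an added example written for this page; it is not code from either poster or from the rivitna/Malware repository. It assumes the random ID and extension parts are ASCII alphanumerics (true of every example in the thread), that the "wenf="/"udij=" marker sits somewhere in the trailing bytes of the file (the exact footer layout is not given in the thread, so the search window is deliberately wide), and the sample bytes are constructed, not a real encrypted file.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Footer markers rivitna lists for RCRU64 encrypted files: "wenf=" (v4), "udij=" (v1-v3).
RCRU64_FOOTER_MARKERS = {b"wenf=": "RCRU64 v4", b"udij=": "RCRU64 v1-v3"}

# Filename patterns quoted from Amigo-A's list in post #27:
#   RCRU64:      <name>[ID=<6 random>-Mail=<email>].<4 random>
#   GoodMorning: <name>_[ID-<5 random>_Mail-<email>].<3-4 random>
# Assumption: the random parts are ASCII alphanumerics (true of every example in the thread).
RCRU64_EXT_RE = re.compile(
    r"\[ID=(?P<id>[A-Za-z0-9]{6})-Mail=(?P<mail>[^\]]+)\]\.(?P<ext>[A-Za-z0-9]{4})$")
GOODMORNING_EXT_RE = re.compile(
    r"_\[ID-(?P<id>[A-Za-z0-9]{5})_Mail-(?P<mail>[^\]]+)\]\.(?P<ext>[A-Za-z0-9]{3,4})$")


@dataclass
class Triage:
    name_family: Optional[str]    # family the filename pattern alone suggests
    footer_family: Optional[str]  # family/version indicated by a footer marker, if any
    victim_id: Optional[str]
    contact: Optional[str]


def classify_name(filename: str) -> Tuple[Optional[str], Optional[str], Optional[str]]:
    """Return (family, victim_id, contact_email) from the appended extension, or Nones."""
    for family, rx in (("RCRU64", RCRU64_EXT_RE), ("GoodMorning", GOODMORNING_EXT_RE)):
        m = rx.search(filename)
        if m:
            return family, m.group("id"), m.group("mail")
    return None, None, None


def classify_footer(data: bytes, tail_len: int = 4096) -> Optional[str]:
    """Look for an RCRU64 footer marker in the trailing bytes of an encrypted file.

    Assumption: the marker sits within the last `tail_len` bytes; the exact footer
    layout is not described in the thread, so the search window is deliberately wide.
    """
    tail = data[-tail_len:]
    for marker, family in RCRU64_FOOTER_MARKERS.items():
        if marker in tail:
            return family
    return None


def triage(filename: str, data: bytes) -> Triage:
    name_family, victim_id, contact = classify_name(filename)
    return Triage(name_family, classify_footer(data), victim_id, contact)


def verdict(t: Triage) -> str:
    """A marker inside the file outranks the filename pattern: post #27 shows the
    .MMV victim matched the GoodMorning naming pattern yet the files were RCRU64."""
    if t.footer_family:
        return t.footer_family
    if t.name_family == "RCRU64":
        return "RCRU64 (filename pattern only, no footer marker found)"
    if t.name_family == "GoodMorning":
        return "GoodMorning? (filename pattern only; RCRU64 has used this pattern too)"
    return "unknown"


def triage_file(path: str, tail_len: int = 4096) -> Triage:
    """Disk variant: read only the tail of a (possibly large) encrypted file."""
    import os
    with open(path, "rb") as f:
        f.seek(max(0, os.path.getsize(path) - tail_len))
        return triage(os.path.basename(path), f.read())


# Constructed sample, not a real encrypted file: the victim's filename from this thread
# followed by opaque bytes and the v4 marker somewhere in the trailing region.
SAMPLE_NAME = "report.docx_[ID-BVPKO_Mail-insomnia1441@gmail.com].MMV"
SAMPLE_BYTES = b"\x9f" * 600 + b"wenf=" + b"\x3c" * 290

if __name__ == "__main__":
    t = triage(SAMPLE_NAME, SAMPLE_BYTES)
    print(t)
    print("verdict:", verdict(t))
```

Run it against a real encrypted file with `triage_file(path)`; a "wenf=" or "udij=" hit settles the family regardless of what the appended extension looks like, while a name-only match should be treated as a lead to confirm with a sample upload, not as an identification.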


#29 rivitna (Security Colleague; 185 posts)

Posted 29 October 2023 - 03:21 AM

Interestingly, some attackers are affiliates of RCRU64 and LokiLocker / BlackBit ;-)

 

For example:

 

RCRU64

Decvvv110@gmail.com

dicrript@tutanota.com

 

BlackBit

decvvv110 (attacker ID)
decvvv110@msgsafe.io
dicrript@tutanota.com


Edited by rivitna, 29 October 2023 - 03:25 AM.


#30 quietman7 (Bleepin' Gumshoe; Global Moderator; 61,818 posts; Location: Virginia, USA)

Posted 29 October 2023 - 07:39 AM

I will leave it to Amigo-A to address the validity of his analysis.
Edit 10/31/23: Amigo-A has updated his classification/list accordingly.
 
Are you saying that these random 3 char extensions - .HHE, .LRO, .M4X, .Vypt, .DFI, .HPL, .MRB, .L7I, .MMV - actually belong to RCRU64 Ransomware?
 
Do you have a complete list of extensions used by RCRU64 Ransomware?





