Wednesday, 15 February 2017
According to the .eml file that was uploaded today to VirusTotal, unknowns tried to run a targeted attack on the National Police of Ukraine.
The email (MD5: bec01fe3b14b3da507a6a4c5c698e8ed) was sent to firstname.lastname@example.org with the fake login page attached as an html file (MD5: 5dca48afe347db9e9f9cab9c824c122d) a week ago.
Thursday, 2 February 2017
Recently, our laboratory analyzed the new version of DeriaLock (MD5: 0a7b70efba0aa93d4bc0857b87ac2fcb).
This version of DeriaLock is unique because of two reasons. First, it demands to pay the 30 USD/EUR ransom to the Skype account. Second, DeriaLock incorporates three types of functionality: SystemLocker, CryptoLocker, and FileKiller within a single attack.
If you managed to remove the DeriaLock infection and keep your encrypted files, you can start now decrypting your documents using the encryption key and initialization vector calculated by our script based on the password string extracted from the analyzed version of DeriaLock:
AES-256 key: 9c9e1ba2ee5b86494b7e1ebba6420ee6ab64ce6d678604eb5b5049b210693743
To decrypt '.deria' files, you can use OpenSSL tool specifying the discovered key and initialization vector. For example:
openssl aes-256-cbc -d -in photo.png.deria -K 9c9e1ba2ee5b86494b7e1ebba6420ee6ab64ce6d678604eb5b5049b210693743 -iv 9fa4ed4d89b04ee7f3b74c9b46588e18 -out photo.pngOr use our Python script or executable to decrypt all '.deria' files that can be found on your computer.