Our research team has uncovered a new ransomware campaign popularly known as MegaLocker or the NamPoHyu Virus and the decrypter for the dangerous malware was developed with the help of the group Ransomware Hunting Team.
Below is a table of the latest count of successful decryptions per country.
If you’re a victim of this ransomware, please follow the instructions below and DO NOT PAY the ransom.
MegaLocker is a ransomware that encrypts victims’ files using AES-128 ECB, and adds the extension “.nampohyu” to files. The ransom note “!DECRYPT_INSTRUCTION.TXT” instructs the victim to go to a Tor website to contact the criminals.
The ransom note contains the following text:
What happened to your files ?
All of your files were protected by a strong encryption with AES cbc-128 using NamPoHyu Virus. What does this mean ?
This means that the structure and data within your files have been irrevocably changed,
you will not be able to work with them, read them or see them,
it is the same thing as losing them forever, but with our help, you can restore them. The encryption key and ID are unique to your computer, so you are guaranteed to be able to return your files.
Your unique id: [redacted hex] What do I do ?
You can buy decryption for 1000$.
But before you pay, you can make sure that we can really decrypt any of your files. To do this:
1) Download and install Tor Browser ( https://www.torproject.org/download/ )
2) Open the http://qlcd3bgmyv4kvztb.onion/index.php?id=[redacted hex] web page in the Tor Browser and follow the instructions. FAQ: How much time do I have to pay for decryption?
You have 10 days to pay for the ransom after decrypting the test files.
The number of bitcoins for payment is fixed at the rate at the time of decryption of test files.
Keep in mind that some exchangers delay payment for 1-3 days! Also keep in mind that Bitcoin is a very volatile currency,
its rate can be both stable and change very quickly. Therefore, we recommend that you make payment within a few hours. How to contact you?
We do not support any contact. What are the guarantees that I can decrypt my files after paying the ransom?
Your main guarantee is the ability to decrypt test files.
This means that we can decrypt all your files after paying the ransom.
We have no reason to deceive you after receiving the ransom, since we are not barbarians and moreover it will harm our business. How do I pay the ransom?
After decrypting the test files, you will see the amount of payment in bitcoins and a bitcoin wallet for payment.
Depending on your location, you can pay the ransom in different ways.
Use Google to find i
nformation on how to buy bitcoins in your country or use the help of more experienced friends.
Here are some links: https://buy.blockexplorer.com – payment by bank card
https://localbitcoins.net How can I decrypt my files?
After confirmation of payment (it usually takes 8 hours, maximum 24 hours)
you will see on this page ( http://qlcd3bgmyv4kvztb.onion/index.php?id=[redacted hex] ) a link to download the decryptor and your aes-key
(for this, simply re-enter (refresh) this page a day after payment)
Download the program and run it.
Attention! Disable all anti-virus programs, they can block the work of the decoder!
Copy aes-key to the appropriate field and select the folder to decrypt.
The program will scan and decrypt all encrypted files in the selected folder and its subfolders.
We recommend that you first create a test folder and copy several encrypted files into it to verify the decryption. About Bitcoins:
About Tor Browser:
Please note that some URLs in the ransom note were intentionally left unlinked.
To use the decrypter, you will need one of the ransom notes left by the malware.
Download the MegaLocker Ransomware Decrypter here to get started.
The decrypter was also contributed to No More Ransom, a law enforcement-driven project funded by the Dutch Police, Europol and McAfee that aims to help victims get their files back for free and disrupt the ransomware criminal business model.
Have a great (malware-free) day.