
Ransomware Virus Trojan.Encoder Trojan.Encoder.26592 KOK8

THIS HACKER WAS PAID ON 10-26-2018 AND NEVER EMAILED BACK THE DECRYPTION UTILITY, HENCE THIS HACKER IS CONSIDERED DISHONORABLE. 

Incident Date: October 2018
Ransomware Virus Strain / Name / Details: Trojan.Encoder / Trojan.Encoder.26592 / KOK8
Hacker Contact / Alias / URL: mukesh@india.com
Status After Payment: Dishonorable

ATTENTION OTHER VICTIMS OF THE SAME HACKER / RANSOMWARE / DO NOT PAY THE RANSOM TO THIS HACKER.

READ THIS BEFORE CONSIDERING PAYMENT – We advise all victims of this hacker/ransomware not to pay the ransom demand, and instead to email the hacker a link to this page, explaining that you already know he will not provide the decryption utility after payment, based on the evidence found on this website. It would be to the hacker's benefit to contact us instead and provide the reversal decryption utility for our client's case first. Once he does, and we confirm his decryption utility works, we will change his status to HONORABLE and then give you the green light to pay the ransom demand.

Background:

On October 19th, 2018, a client reported to Planet Cyber that they were unable to open the files in any of the folders on their computer. The client also reported a new file of unknown origin, “ReadMeNow.txt”, in every directory of the computer. Per our instructions, the client opened and read the file, which contained a message stating that the files had been encrypted, a ransom demand, and the hacker's email address. We immediately instructed our client to turn off all the computers in the organization.

Planet Cyber dispatched a senior tech to the client's location to assess the damage and provide ransomware incident response services.

Upon inspecting the folders on the infected machine, we confirmed it had been hit by a new strain of ransomware, which encrypts the files on a machine but, unlike other ransomware viruses, DOES NOT add any special file extension to the encrypted files. Luckily, because all the machines were turned off, the ransomware never finished encrypting everything, and only 50% of the files were encrypted. Nevertheless, the remaining 50% was also significant to recover. After much research and various recovery techniques, we could not locate any immediate method to reverse the encryption or decrypt the files and documents.
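A triage script for scoping an infection like this one, added here as an example and not code from Planet Cyber or the original page: because this strain leaves file extensions unchanged, it judges each file by its content (a known header that is gone, or near-random leading bytes) and counts the ReadMeNow.txt drops, so a responder can estimate how much of the tree was encrypted before the machines were powered off. The sample files it builds are constructed; the magic-byte shortlist and the 7.5 bits/byte entropy threshold are assumptions.

```python
import math
import os
import tempfile
from pathlib import Path

NOTE_NAME = "ReadMeNow.txt"  # ransom note dropped in every directory in this incident

# Leading bytes of a few common file types (constructed shortlist, not exhaustive).
MAGIC = {".pdf": b"%PDF", ".docx": b"PK\x03\x04", ".png": b"\x89PNG", ".jpg": b"\xff\xd8\xff"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for ciphertext, far lower for ordinary text."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def looks_encrypted(path: Path, sample_size: int = 4096) -> bool:
    """This strain keeps the original extension, so judge the content instead: a known
    type whose header is gone, or an unknown type whose leading bytes are near-random.
    Compressed formats (docx, png, jpg) are judged by header only; their bodies are
    high-entropy even when intact, so the entropy test would misfire on them."""
    with open(path, "rb") as fh:
        head = fh.read(sample_size)
    magic = MAGIC.get(path.suffix.lower())
    if magic is not None:
        return not head.startswith(magic)
    return shannon_entropy(head) > 7.5  # assumed threshold


def triage(root: Path) -> dict:
    """Walk the tree and sort files into ransom notes, encrypted and intact."""
    report = {"notes": [], "encrypted": [], "intact": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            kind = "notes" if name == NOTE_NAME else "encrypted" if looks_encrypted(p) else "intact"
            report[kind].append(str(p))
    return report


def build_sample() -> Path:
    """Constructed fixture: one intact PDF, one PDF overwritten with random bytes, the note."""
    root = Path(tempfile.mkdtemp())
    (root / "intact.pdf").write_bytes(b"%PDF-1.4\n" + b"Lorem ipsum dolor sit amet. " * 100)
    (root / "encrypted.pdf").write_bytes(os.urandom(4096))
    (root / NOTE_NAME).write_text("HOW TO RECOVER YOUR FILES INSTRUCTION\n")
    return root
```

Run `triage(Path("/path/to/restored-volume"))` against a read-only copy or mounted image, never the live disk, and use the encrypted/intact ratio to prioritise what to restore from backup.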

We contacted the hacker via his email address, and after 3 days he responded and again asked for the ransom of 1 Bitcoin in exchange for the decryption tool. Next, to confirm he had the tool needed to reverse the encryption process, we emailed him a sample encrypted file and asked him to reverse it, and he did: the hacker emailed back an image of the PDF contents of the encrypted file.

Based on this evidence, and his confirmation that he would send the decryption utility, we sent him the bitcoin funds.

see the URL below

We sent the funds on 10-26-2018 17:27.
He withdrew the funds on 10-26-2018 18:07.

After he received the funds, we had several more email interactions in which he repeatedly said he would send the decryption utility; in the end he never did, and he stopped responding to emails altogether. Hence this hacker, unlike most other hackers, is considered dishonorable.

Ransomware Demand Letter:

File Name “ReadMeNow.txt”

======================================

HOW TO RECOVER YOUR FILES INSTRUCTION
ATTENTION!!!
We are really sorry to inform you that ALL YOUR FILES WERE ENCRYPTED
by our automatic software. It became possible because of bad server security.
ATTENTION!!!
Please don’t worry, we can help you to RESTORE your server to its original
state and decrypt all your files quickly and safely!

INFORMATION!!!
Files are not broken!!!
Files were encrypted with AES-128+RSA-2048 crypto algorithms.
There is no way to decrypt your files without the unique decryption key and special software. Your unique decryption key is securely stored on our server. For our safety, all information about your server and your decryption key will be automatically DELETED AFTER 7 DAYS! You will irrevocably lose all your data!
* Please note that all attempts to recover your files by yourself or using third party tools will result only in irrevocable loss of your data!
* Please note that you can recover files only with your unique decryption key, which is stored on our side. If you use the help of third parties, you will only add a middleman.

HOW TO RECOVER FILES???
send one bitcoin to 3E5jqHa8gHRBbG9NTwWth1rfiJ76adWnqS
then please write to us at the e-mail (write in English or use a professional translator)
mukesh@india.com

In subject line write your personal ID:
40CF9A7CD07707D959

If you don’t send one bitcoin within 48 hours the price will double to two bitcoins. If we don’t receive it then all your files will be lost forever.

OUR ADVICE!!!
Please be sure that we will find a common language. We will restore all the data and give you recommendations on how to configure the protection of your server.

======================================

Email Transcripts of Communications with the Hacker

From: <kumarsundi@gmail.com> Sat, Oct 20, 2018 at 9:09 AM
To: mukesh410@india.com

My friend is ready to send you the bitcoin, to your bitcoin address which you have in the file “3E5jqHa8gHRBbG9NTwWth1rfiJ76adWnqS”

We just need to hear back from you, so we know you are actually receiving these communications.

Otherwise, you will not have any way to send us the needed app to restore his files.

Please reply back with anything, so we can know these emails are not going nowhere.

From: <kumarsundi@gmail.com> Mon, Oct 22, 2018 at 12:54 PM
To: mukesh410@india.com

Hello,
Thank you so much for replying.
It’s good to know you are actually receiving these emails 🙂

Since we did not hear from you until today, my cousin gave up on the data.
But now that you email me, I will get in touch with him asap.

Can you please decrypt one sample file for him, so I can show him for sure you have the needed tool to decrypt the files, please.

I am trying to help everyone here, and this sample file will really help me to convince him, that this is going to work. He is very skeptical, and I told him, not to be and to trust this process.

please see the sample PDF file.

thank you for all your help.

From: <mukesh410@india.com> Tue, Oct 23, 2018 at 1:29 PM
To: kumar sundi <kumarsundi@gmail.com>

send 1 bitcoin to this account only 3DifSWqZuKQURs9qQSZXQaoByih7LspZfv

From: <mukesh410@india.com> Wed, Oct 24, 2018 at 12:56 PM
To: kumar sundi <kumarsundi@gmail.com>

i will not accept bottom price 5000 dont wait too long or it doubles or i cannot decrypt

From: <kumarsundi@gmail.com> Thu, Oct 25, 2018 at 4:06 PM
To: “mukesh410@india.com” <mukesh410@india.com>

Thank you for your understanding. He has the funds available now. Please write back and confirm that we will receive the decryption program if $5,000 in bitcoin is sent to 3DifSWqZuKQURs9qQSZXQaoByih7LspZfv. I want to make sure he sends the money to the correct address. He will then pay you very quickly.

From: <mukesh410@india.com> Fri, Oct 26, 2018 at 8:54 AM
To: kumar sundi <kumarsundi@gmail.com>

yes we guarantee full decrypt after payment is made. we always promise full decrypt.

From: <kumarsundi@gmail.com> Fri, Oct 26, 2018 at 11:32 AM
To: mukesh kumar <mukesh410@india.com>

We have sent the payment. When will the decryptor be made available?

From: <mukesh410@india.com> Fri, Oct 26, 2018 at 2:20 PM
To: kumar sundi <kumarsundi@gmail.com>

hello
i need the following
full server or computer name
computer ip address

From: <kumarsundi@gmail.com> Fri, Oct 26, 2018 at 2:51 PM
To: mukesh kumar <mukesh410@india.com>

sending you the info in one moment

From: <kumarsundi@gmail.com> Fri, Oct 26, 2018 at 3:38 PM
To: mukesh kumar <mukesh410@india.com>

Hi

Here is the requested info.

please see the attached images

2 attachments
ip address.png
computer name.jpg

From: <mukesh410@india.com> Fri, Oct 26, 2018 at 5:48 PM
To: kumar sundi <kumarsundi@gmail.com>

ok Stand by

From: <kumarsundi@gmail.com> Sat, Oct 27, 2018 at 2:57 AM
To: mukesh kumar <mukesh410@india.com>

yes, please I’m on stand by

From: <kumarsundi@gmail.com> Mon, Oct 29, 2018 at 9:30 AM
To: mukesh kumar <mukesh410@india.com>

Hello sir.
Is everything okay? I have not received the decrypt program.
Are you having unforeseen challenges?

From: <mukesh410@india.com> Mon, Oct 29, 2018 at 5:54 PM
To: kumar sundi <kumarsundi@gmail.com>

i sent already check your spam

From: <kumarsundi@gmail.com> Mon, Oct 29, 2018 at 7:02 PM
To: mukesh kumar <mukesh410@india.com>

Hi, I just double checked, and triple checked, unfortunately, nothing in spam either. I’m guessing the email never reached me, maybe google is blocking it.
try sending it to my alternate email address, please. support@finditbuy.com

From: <kumarsundi@gmail.com> Mon, Oct 29, 2018 at 7:17 PM
To: mukesh kumar <mukesh410@india.com>

Here are the screenshots of my inbox and spam folder. See, nothing. Please email it to support@~~~~~~~.com

If it is an exe file or zip file, maybe try renaming it to “decryptzip” and I will rename it to decrypt.zip

or I can make an ftp for you to upload….
whatever you need, I am here to help

2 attachments
Image 002.png
Image 003.png

From: <kumarsundi@gmail.com> Tue, Oct 30, 2018 at 9:53 AM
To: mukesh kumar <mukesh410@india.com>

Also, I have good luck with dropbox for sending files to friends, perhaps you could upload it there and provide us a link to download? Or maybe you could send again with Gmail but use a password on the file so that Gmail doesn’t remove it?

From: <kumarsundi@gmail.com> Tue, Oct 30, 2018 at 5:57 PM
To: mukesh kumar <mukesh410@india.com>

Hello sir, please help us with this. We have paid, as you asked. We have not heard back from you. Thank you, sir.

From: <mukesh410@india.com> Wed, Oct 31, 2018 at 9:00 AM
To: kumar sundi <kumarsundi@gmail.com>

ok i will send again soon

From: <kumarsundi@gmail.com> Wed, Oct 31, 2018 at 9:16 AM
To: mukesh kumar <mukesh410@india.com>

any eta? please. thank you again

From: <kumarsundi@gmail.com> Thu, Nov 1, 2018 at 7:52 AM
To: mukesh kumar <mukesh410@india.com>

Sir, you said “ok I will send again soon”; nothing yet. One more day is gone. Please help him.

From: <kumarsundi@gmail.com> Thu, Nov 1, 2018 at 11:21 AM
To: mukesh kumar <mukesh410@india.com>

Sir,

I respectfully ask that you provide the information that will help him recover the files. It has been 6 days since the payment was issued. It was last Friday, and now it is Thursday. You said “yes we guarantee full decrypt after payment is made. we always promise full decrypt.” I told him to trust you. I told him you need the money, and that you are a good person and will help us fix this situation. Please help me show him I was not wrong.

From: <kumarsundi@gmail.com> Thu, Nov 1, 2018 at 3:43 PM
To: mukesh kumar <mukesh410@india.com>

Dear Mr. Mukesh,
My cousin, Jeff, emailed me this and asked that I forward you his message.

=========================================
“Dear sir, my name is Jeff, the person whose computer has been affected by your ransomware. Kumar, my nephew, has been communicating with you on my behalf. I had to borrow the $5000 which we sent you last week on Friday. And still to this day, my files are not back to normal.

Please know, I am a 76 year old retiring teacher, not well, ready to retire and the grief you have caused is overwhelming. You have literally shut down my work, and for me to recreate this after 50 years of helping others, is unbelievable. You received compensation for a terrible deed and the least you can do is be honorable and return what you stole.

If you are really from India, we have traveled there twice to enjoy the culture and its kind and loving people. We brought school supplies and computers to give to some small village schools. And now you hacked mine! It has been an exhausting experience and an unbelievable ending to my professional life. I really hope you will follow through with what you promised. Jeff”


Latest IT / Cyber Security / Cyber Attack News 11/4/2018

Ransomware viruses are on the rise; clients have reported more incidents in 2018 than in any previous year. It is now critical for all clients to (1) double check their backups and validate them, (2) ensure they have several types of backups, such as cloud and local external drive backups, (3) ensure their devices have adequate antivirus protection, and (4) practice safe internet usage protocols, which means do not open attachments from anyone (including people you know) and try not to browse to unknown, random websites.

In the past several months, two clients have reported that all of their files, work documents and work applications, which hold all their client lists, client details, patient details, accounts payable, etc., became useless and inaccessible after their computers were compromised, hacked, and hit with ransomware viruses that encrypted all of their files and left ransom demand letters from the hackers.

Unfortunately, for various reasons, our clients did not have backups and/or their backups were compromised as well, leaving them with the only choice of paying the ransom demands, which are usually in the range of 1 Bitcoin, approximately $5000 to $6500 per bitcoin. In both cases the clients paid the ransom demand amounts. In one incident the hacker was honorable in the end and provided the decryption program, which restored all the files to normal working condition. In the second incident, the hacker was not honorable and did not provide the decryption reversal tool.

For these reasons, at Planet Cyber IT Services we decided to start a new section on our website to expose, inform, and educate the public about various ransomware incidents and, most importantly, to let the public know which hackers are honorable and which are dishonorable because they did not provide the reversal decryption tool after being paid.

We look forward to growing this list and exposing both honorable and dishonorable hackers. We welcome other clients, victims, and cybersecurity experts to email us their incident details so that we can add more to this list. To report new incidents, or if you have any questions, please email us at info@planetcyber.net.