010001 is a ransomware threat that encrypts users' data with the AES encryption algorithm. Although the first victims were discovered in Japan at the beginning of November 2018, the ransomware targets English speakers. The main goal of this type of malware is to encrypt users' files and then demand a ransom in cryptocurrency for the alleged decryption tool.

Payloads

When the encryption process is done, the virus marks each file with the .010001 file extension and generates a ransom note called tmpsfn_as.txt that is placed in every folder on the computer. This crypto-extortionist reportedly demands $500 in Bitcoin, which is still one of the most popular cryptocurrencies.

When the 010001 ransomware virus gets onto the user's system, it does not start encrypting data right away. Its first step is to make changes to the system, including the following activities:

  • changes in the computer's Registry;
  • installation of malicious files and virus components, e.g. Tor browser;
  • different tasks and commands added.

All these changes help the 010001 ransomware stay on the system for longer than expected. The virus also gains the ability to restore itself after removal. Once on the system, the ransomware runs the following commands to keep the user's antivirus tools from detecting the malware:

  • sc stop VVS
  • sc stop wscsvc
  • sc stop WinDefend
  • sc stop wuauserv
  • sc stop BITS
  • sc stop ERSvc
  • sc stop WerSvc
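From the defender's side, the burst of "sc stop" commands above is a usable detection signal. The following Python detector is an added example, not code from the original page: it parses constructed process-creation log lines (the log format, host names and paths are assumptions) and flags any host on which several of the listed services are stopped within a short window.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Services the page reports 010001 stopping with "sc stop" ("VVS" kept as the page spells it).
STOPPED_SERVICES = {"vvs", "wscsvc", "windefend", "wuauserv", "bits", "ersvc", "wersvc"}

# Constructed process-creation log format (hypothetical, not a real product's schema):
# <ISO timestamp> <host> <pid> <parent image> <command line>
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<pid>\d+) (?P<parent>\S+) (?P<cmd>.+)$")
SC_STOP_RE = re.compile(r"^sc(?:\.exe)?\s+stop\s+(?P<svc>\S+)", re.IGNORECASE)

def detect_service_stops(lines, threshold=3, window=timedelta(minutes=5)):
    """Flag hosts where at least `threshold` distinct services from STOPPED_SERVICES
    are stopped via sc within `window`. Returns a list of alert dicts."""
    seen = defaultdict(list)  # host -> [(timestamp, service, parent image)]
    for line in lines:
        rec = LOG_RE.match(line.strip())
        m = SC_STOP_RE.match(rec.group("cmd")) if rec else None
        if not m:
            continue  # unparsable line or not an "sc stop" command
        svc = m.group("svc").rstrip(".").lower()
        if svc in STOPPED_SERVICES:
            ts = datetime.fromisoformat(rec.group("ts"))
            seen[rec.group("host")].append((ts, svc, rec.group("parent")))
    alerts = []
    for host, events in seen.items():
        events.sort()
        for i, (start, _, _) in enumerate(events):
            inwin = [e for e in events[i:] if e[0] - start <= window]
            services = {e[1] for e in inwin}
            if len(services) >= threshold:  # burst of security-service stops
                alerts.append({"host": host, "first_seen": start.isoformat(),
                               "services": sorted(services),
                               "parents": sorted({e[2] for e in inwin})})
                break  # one alert per host is enough
    return alerts

# Constructed sample log: one host showing the page's sequence, one benign admin action.
SAMPLE_LOG = """\
2018-11-05T10:00:01 WS-01 4120 C:\\Users\\a\\Downloads\\invoice.exe sc stop VVS
2018-11-05T10:00:01 WS-01 4121 C:\\Users\\a\\Downloads\\invoice.exe sc stop wscsvc
2018-11-05T10:00:02 WS-01 4122 C:\\Users\\a\\Downloads\\invoice.exe sc stop WinDefend
2018-11-05T10:00:02 WS-01 4123 C:\\Users\\a\\Downloads\\invoice.exe sc stop WerSvc.
2018-11-05T11:30:00 WS-02 5010 C:\\Windows\\System32\\cmd.exe sc stop wuauserv
2018-11-05T11:31:00 WS-02 5011 C:\\Windows\\System32\\cmd.exe sc query wuauserv
""".splitlines()

if __name__ == "__main__":
    for alert in detect_service_stops(SAMPLE_LOG):
        print(alert)
```

A single administrative "sc stop wuauserv" on WS-02 stays below the threshold, so the rule keys on the cluster of stops rather than any one command.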

After these preparations, 010001 starts the encryption process. It first scans the system for targeted files. As a result, most of the stored personal files get encrypted using the AES encryption algorithm. This method allows the ransomware to alter the contents of various files, including pictures, documents, video and music files. Typically, they are marked with the .010001 appendix.

Files encrypted by 010001 ransomware become useless. The victim also receives the ransom note in a text file called tmpsfn_as.txt that reads the following:

*************************************************************
ATTENTION!!!! Your personal files are encrypted!
*************************************************************

To recover the files, you must:

* Send 500$ to the wallet 123PyVpWMSFW6V2qVyywRz7zhEo3K82M8K
* Send email to “jduy3jd87dhs@grr.la” indicating the reference “11111111111111110000000011110001” when you have paid.
* We will send a decryption program to recover your files.
* Make a backup of this file.

# HELPS #

– How do I buy digital currency with a credit or debit card in the US?
https://support.coinbase.com/customer/en/portal/articles/2343234-how-do-i-buy-bitcoin-with-a-debit-card-in-the-us-

– How do I send digital currency to another wallet?
https://support.coinbase.com/customer/en/portal/articles/971437-how-do-i-send-digital-currency-to-another-wallet-

– How to Buy Bitcoin on Coinbase, Step by Step
https://www.bitcoinmarketjournal.com/buy-bitcoin-on-coinbase/

– Google