MMM Reborn is a cryptovirus that encrypts files using a combination of the RSA and AES algorithms. It demands a huge ransom of 222 BTC, which is equivalent to around 800 000 US dollars. It is a new version of MMM, and several more versions of MMM Reborn have already been released into the wild. Most of the previous versions in the MMM family use a mix of AES and RSA for file locking and demand at least 0.25 BTC.
MMM Reborn uses RSA-2048, or combines it with AES-128, for the main file-locking process. During encryption the original file contents are altered, which makes the data unusable. Once the files are marked with the appendix, the user also sees the ransom note IF_YOU_NEED_FILES_READ_ME.html on the screen, which, in addition to the payment instructions, displays the following text:
All of your files were encrypted by a strong encryption with RSA2048
Specially for your PC was generated personal RSA2048 Key, both public and private
ALL YOUR FILES were encrypted with the public key, which has been transferred to your PC via the Internet
Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our Server
MMM Reborn V4
In March 2019 this version came to the attention of researchers with a few new specific features. First, the ransom note is now delivered in a text file called DECRYPT_FILES.txt, whereas previously the message about the attack was shown in an HTML window. Besides the text file with the ransom note, the main executable that launches the script, RebornMMM.exe, can be found on the affected system alongside other files such as ecorp.bat.
TripleM Reborn v4 ransom note states:
TRIPLEM (MMM) REBORN RANSOMWARE v4
What happened to your files?
Your stupid IT Dept. Your encrypted files were not secured.
Your files were encrypted with a strong encryption with RSA2048.
What do I do?
So, there you can wait for a couple of ways. If you have your time, you need your money, because payment.
You can send to firstname.lastname@example.org 2-3 random files <2mb and we decrypt it for free.
!!! DO NOT TRY RESTORE YOUR FILES.
!!! DO NOT USING DIFFERENT DECRYPTION SOFTWARE.
!!! FILES MAY BE DECRYPTED ONLY WITH OUR SOFTWARE.
PERSONAL DETAILS YOUR YOUR DECRYPTION PRICE:
IF YOU PAY WITHIN 7 DAY – 8 BITCOIN
IF YOU PAY NOT WITHIN 7 DAY – 12 BITCOIN
WALLET ADRESS: 1MMMbgkgSS82t4WC4YkXMVCsWAawnrzUpP
UNIQ USER ID: wrlvdtte.5g4
INSTRUCTION
1) Buy Bitcoin on btc exchange sites ( Coinbase, Localbitcoins , Coinmama and another). For buy Bitcoin you need confirm your Identify. Buy Bitcoin offline in ATM or from seller https://coinatmradar.com/
2) Send BITCOIN to your personal wallet adress 1MMMbgkgSS82t4WC4YkXMVCsWAawnrzUpP
3) Write us to email email@example.com in subject write your USER ID UNIQ
4) Decrypt your files.
TRIPLEM (MMM) REBORN RANSOMWARE v4
The ransom note gives more information about this particular ransomware attack and informs victims that the ransom is initially 8 Bitcoins. However, it may go up to 12 Bitcoins if the user decides to wait more than seven days to pay up.
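For triage, the artifacts named above can be checked on a mounted disk image or a live file system. The script below is an added example, not part of the original write-up: it walks a directory tree for the file names this page lists and confirms ransom notes by the TripleM banner text. The function names and the sample tree in `demo()` are constructed for illustration.

```python
import os
import re
import tempfile

# File names as given in the write-up; compared lower-cased (Windows paths).
ARTIFACT_NAMES = {
    "if_you_need_files_read_me.html": "ransom note (HTML)",
    "decrypt_files.txt": "ransom note (v4 text file)",
    "rebornmmm.exe": "main executable (v4)",
    "ecorp.bat": "other dropped file (v4)",
}
# Banner quoted in the v4 note; tolerate whitespace and case differences.
NOTE_BANNER = re.compile(r"TRIPLEM\s*\(MMM\)\s*REBORN\s+RANSOMWARE", re.I)
MAX_READ = 64 * 1024  # notes are small, so never read a large file in full

def scan_tree(root):
    """Walk root and return a sorted list of (path, reason) findings."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            label = ARTIFACT_NAMES.get(name.lower())
            if label:
                findings.append((path, "name: " + label))
            # A file name alone is weak evidence, so check the note banner too.
            if name.lower().endswith((".txt", ".html", ".htm")):
                try:
                    with open(path, "rb") as fh:
                        text = fh.read(MAX_READ).decode("utf-8", "replace")
                except OSError:
                    continue  # locked or unreadable: skip, keep scanning
                if NOTE_BANNER.search(text):
                    findings.append((path, "content: TripleM Reborn banner"))
    return sorted(findings)

def demo():  # scans a constructed sample tree, not real infection data
    samples = {
        "Users/a/Desktop/DECRYPT_FILES.txt": "TRIPLEM (MMM) REBORN RANSOMWARE v4",
        "Users/a/Desktop/notes.txt": "shopping list",
        "Users/a/ecorp.bat": "",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, body in samples.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as fh:
                fh.write(body)
        return [(os.path.relpath(p, root).replace(os.sep, "/"), why)
                for p, why in scan_tree(root)]
```

A hit on both the file name and the banner is a much stronger indicator than a name match alone, since names such as DECRYPT_FILES.txt are reused by unrelated families.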