Major (alternatively known as Bmps) is file-locking malware that does not have any connections to other malware.

Behavior

As soon as Major detects files with predetermined file extensions, it uses a combination of the AES and RSA encryption algorithms to lock them. Victims then see renamed versions of their files in the following form: [original file name].[random number].bmps@tutanota.com.major. In other cases, the appended extension varies and includes .core, .mars or .cube.

Shortly after the encryption, Major ransomware drops one of the following ransom notes:

  • EAD_ME.txt, READ_ME.major;
  • READ_ME.core;
  • READ_ME.mars.

Inside these files, users can find a message from the author(s), which claims that the only way to restore data is to email them at bmps@tutanota.com, bmps@protonmail.com or xlsx@tutanota.com and pay a ransom in Bitcoin. Additionally, Major replaces the desktop wallpaper with an image carrying a brief message that includes the attackers' contact addresses.
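For scoping an incident, the rename pattern and note names above can be matched against a file listing to find affected directories and recover the original file names for restore planning. This is an added example, not part of the original page or any vendor tool; the function names and sample paths are constructed, and it assumes the .core, .mars and .cube variants keep the same name layout as .major.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Indicators exactly as listed on this page.
EXTENSIONS = ("major", "core", "mars", "cube")
CONTACTS = ("bmps@tutanota.com", "bmps@protonmail.com",
            "xlsx@tutanota.com", "xlsx@protonmail.com")
NOTE_NAMES = {"ead_me.txt", "read_me.major", "read_me.core", "read_me.mars"}

# [original file name].[random number].[contact address].[extension]
# Assumption: the .core/.mars/.cube variants keep this layout and may use
# any of the contact addresses above.
RENAMED = re.compile(
    r"^(?P<original>.+)\.(?P<number>\d+)\.(?P<contact>%s)\.(?P<ext>%s)$"
    % ("|".join(map(re.escape, CONTACTS)), "|".join(EXTENSIONS)),
    re.IGNORECASE,
)

def classify(path):
    """Return ("note", None), ("encrypted", original_name) or ("clean", None)."""
    name = PureWindowsPath(path).name
    if name.lower() in NOTE_NAMES:
        return ("note", None)
    match = RENAMED.match(name)
    if match:
        return ("encrypted", match.group("original"))
    return ("clean", None)

def triage(paths):
    """Map each affected directory to its note count and original file names."""
    report = defaultdict(lambda: {"notes": 0, "encrypted": []})
    for path in paths:
        kind, original = classify(path)
        folder = str(PureWindowsPath(path).parent)
        if kind == "note":
            report[folder]["notes"] += 1
        elif kind == "encrypted":
            report[folder]["encrypted"].append(original)
    return dict(report)

# Constructed sample listing, not taken from a real incident.
SAMPLE = [
    r"C:\Users\alice\Documents\budget.xlsx.48213.bmps@tutanota.com.major",
    r"C:\Users\alice\Documents\READ_ME.major",
    r"C:\Users\alice\Documents\notes.txt",
    r"C:\Users\alice\Pictures\cat.jpg.7.bmps@tutanota.com.core",
    r"C:\Users\alice\Pictures\major.release.notes.pdf",
]
```

Calling triage(SAMPLE) returns only the directories that contain a ransom note or a renamed file, so untouched paths drop out of the report.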

Payload

Before proceeding with the encryption, Major ransomware heavily modifies the Windows OS. For example, it alters the registry to gain persistence, disables recovery and repair functions, and deletes Volume Shadow Copies to complicate file retrieval for the victims.

As soon as Major ransomware completes the system modifications, it drops a ransom note which reads as follows:

ATENTION!!!

I am truly sorry to inform you that all your important files are crypted.
If you want to recover your encrypted files you need to follow a few steps.
You need to buy bitcoins and send them to the address you receive by mail.
How to obtain Bitcoins
The easiest way to buy bitcoins is LocalBitcoins site.You have to register, click 'Buy bitcoins', and select the seller by payment method and price.
https://localbitcoins.com/buy_bitcoins
Also you can find other places to buy Bitcoins and beginners guide here:
http://www.coindesk.com/information/how-can-i-buy-bitcoins/
write to Google how to buy Bitcoin in your country?
in order to guarantee the availability of our key
we can decrypt one file for free
the size of the files <1 mb, doc.docx.xls.xlsx.pdf.jpg.bmp.txt file format
other formats will not be free decryption
after payment we will send a decryption program 
Do not try to decrypt your files with programs by the decoder, 
you will only damage your data and lose them forever.
Only we can decrypt your data, write to the original mails specified in this file,
otherwise you will become a victim of scammers.

Contact email address xlsx@tutanota.com or xlsx@protonmail.com