

MegaLocker is ransomware that runs on Microsoft Windows.

Payloads

MegaLocker will encrypt all files on the computer. It then tells the user they won't be able to open the files unless they buy the decryption key. To obtain this key, the user has to buy several bitcoins.

MegaLocker is reported to drop '!DECRYPT_INSTRUCTION.txt' in the root folder and present the victims with a demand for payment. Companies are invited to pay $800 to have their data decrypted, and private users can pay $250 and have their site recovered if need be.

A copy of '!DECRYPT_INSTRUCTION.txt' can be found below:

What happened to your files ?

All of your files were protected by a strong encryption with AES cbc-128 using MegaLocker Virus.
 What does this mean ?
 This means that the structure and data within your files have been irrevocably changed,
 you will not be able to work with them, read them or see them,
 it is the same thing as losing them forever, but with our help, you can restore them.
 The encryption key and ID are unique to your computer, so you are guaranteed to be able to return your files.
 What do I do ?
 You can buy decryption for $800 for company and 250$ for private person.
 But before you pay, you can make sure that we can really decrypt any of your files.
 To do this, send us 1 random encrypted file to alexshkipper@firemail.cc, a maximum of 5 megabytes, we will decrypt them
 and we will send you back. Do not forget to send in the letter your unique id:
 [random characters]
 You can check the decryption of more than one file, but no more than 3.
 To do this, send us two more letters with files, there should be only one file in each letter!
 If you are a private person, then send your private photo (birthday, holidays, hobbies and so on),
 this will prove to us that you are a private person and you will pay 250$ for decrypting files.
 If you are not a private person - Do not try to deceive us!!!
 Do not complain about these email addresses, because other people will not be able to decrypt their files!
 After confirming the decryption, you must pay it in bitcoins. We will send you a bitcoin wallet along with the decrypted file.
 You can pay bitcoins online in many ways:
 https://buy.blockexplorer.com/ - payment by bank card
 https://www.buybitcoinworldwide.com/
 https://localbitcoins.net
 About Bitcoins:
 https://en.wikipedia.org/wiki/Bitcoin
 If you have any questions, write to us at alexshkipper@firemail.cc

The first wave of infections with MegaLocker appears to direct the users towards 'alexshkipper@firemail.cc'. The encrypted data has the '.crypted' extension appended to the original file name; for example, 'The Meg 2018.mp4' is renamed to 'The Meg 2018.mp4.crypted'.
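
The file indicators described above (the note name and the appended '.crypted' extension) can be used to triage a suspected host or file share. The following is an added example, not part of the original page or of any vendor tool: it walks a directory tree, parses any ransom note for the contact address and victim ID, and recovers the original names of renamed files. The function names, the sample tree and the sample note values are constructed for illustration.

```python
import os
import re
import tempfile

NOTE_NAME = "!DECRYPT_INSTRUCTION.txt"  # note file name reported on this page
ENC_SUFFIX = ".crypted"                 # appended extension reported on this page
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
ID_RE = re.compile(r"unique id:\s*(\S+)", re.IGNORECASE)

def parse_note(text):
    """Pull the fields an incident ticket needs out of a ransom note."""
    victim_id = ID_RE.search(text)
    return {
        "family_marker": "MegaLocker" in text,
        "contacts": sorted(set(EMAIL_RE.findall(text))),
        "victim_id": victim_id.group(1) if victim_id else None,
    }

def triage(root):
    """Walk root; collect parsed notes and original names of renamed files."""
    report = {"notes": [], "encrypted": {}}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if name == NOTE_NAME:
                with open(full, encoding="utf-8", errors="replace") as fh:
                    report["notes"].append((full, parse_note(fh.read())))
            elif name.lower().endswith(ENC_SUFFIX) and len(name) > len(ENC_SUFFIX):
                # The suffix is appended, so stripping it gives the old name.
                report["encrypted"][full] = name[: -len(ENC_SUFFIX)]
    return report

def demo():
    """Run triage over a constructed sample tree (not real incident data)."""
    note = ("All of your files were protected ... using MegaLocker Virus.\n"
            "Do not forget to send in the letter your unique id:\n"
            " CONSTRUCTED-ID-0001\n"
            "If you have any questions, write to us at attacker@example.invalid\n")
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "video"))
        for rel, body in [(NOTE_NAME, note),
                          (os.path.join("video", "The Meg 2018.mp4.crypted"), "x"),
                          (os.path.join("video", "untouched.txt"), "x")]:
            with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
                fh.write(body)
        rep = triage(root)
    return rep["notes"][0][1], sorted(rep["encrypted"].values())

if __name__ == "__main__":
    print(demo())
```

On a real system, call triage() on the volume root or share path; the file list it returns helps scope which data needs restoring from backup.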
