King Ouroboros Ransomware Dev Vents to Researchers on Twitter

I guess even ransomware developers do not like being called scammers, as shown by a recent venting session by the King Ouroboros ransomware developer on Twitter.

In tweets directed at ransomware researchers MalwareHunterTeam, Michael Gillespie, and Amigo-A, the ransomware developer takes offense at some sites calling his software a scam and saying that paying the ransom won't get your files back. The ransomware developer, on the other hand, defends the malware by trying to make it out as though they are doing something good for their victims.

“From the beginning, we’ve already helped loads of people solving any of their issues regarding the decryption of their files, as well as spending time to code a standalone decryption tool for those who have deleted the original one,” stated the King Ouroboros ransomware dev. “We do also provide discounts to those who are able to prove any kind of financial problems they may have.”

Twitter Thread from King Ouroboros

After reading this, I could only think WTH!?!?!  Here is a ransomware developer screwing people over and now we are supposed to feel bad that some site called his software a scam?

For those unfamiliar with the King Ouroboros ransomware, it is an AutoIt script compiled into an executable that, when executed, will encrypt a computer and insert the king_ouroboros string into each encrypted file’s name. For example, test.doc would be encrypted and renamed to test.king_ouroboros.doc.

Folder of Encrypted Files

The ransomware will also drop a ransom note named README!!! ALL YOUR FILES HAVE BEEN SECURELY ENCRYPTED!!!.txt that tells you to contact [email protected] or [email protected] for payment instructions.

King Ouroboros Ransom Note

The ransomware will also change the desktop background to a “hackerish” type background like the one below.

Background

The last noticeable change it makes is to create a legal notice that is displayed to the user before they log in to the computer.

Legal Notice

Last, but not least, the ransomware developer appears to dislike President Trump based on the name of his Command & Control server’s domain and its title.

Command & Control Server

IOCs:

Hash:

c03bc8bca99649841c97d3f9835acd3bc97496049ffd837fca6d0e30581d0517

Ransom Note Text:

All your files have been encrypted!
The encryption key has been sent online and is not public.
You have 10 days time to contact us or you will lose your data.
The only way you can recover your files is to buy a decryption key.
The payment method is: Bitcoins.  The price is: 80$ USD = 0.01184434 Bitcoin
For instruction on recovery send an email to: [email protected]
We will reply within 48 hours. If we don't reply send email to [email protected]
DO NOT USE ANY ANTIVIRUS PROGRAMS. YOU WILL NOT BE ABLE TO RECOVER YOUR FILES!
Include this ID in the email you send to us: [id]

Associated Files:

README!!! ALL YOUR FILES HAVE BEEN SECURELY ENCRYPTED!!!.txt
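
As an added example (not part of the original article and not code from any researcher named in it), the following triage script sweeps a directory tree for the three indicators listed above: the renamed-file pattern, the ransom note file name, and the sample hash. It assumes the king_ouroboros marker always sits immediately before the final extension, as in the article's test.doc example, and that the sample is stored with an .exe extension; the function names and the demo tree are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

# Indicators taken from this article.
MARKER = "king_ouroboros"
NOTE_NAME = "README!!! ALL YOUR FILES HAVE BEEN SECURELY ENCRYPTED!!!.txt"
SAMPLE_SHA256 = "c03bc8bca99649841c97d3f9835acd3bc97496049ffd837fca6d0e30581d0517"


def original_name(name):
    """Return the pre-encryption name for <stem>.king_ouroboros.<ext>, else None."""
    parts = name.split(".")
    # Assumption: the marker is the second-to-last dot-separated component.
    if len(parts) >= 3 and parts[-2].lower() == MARKER:
        return ".".join(parts[:-2] + parts[-1:])
    return None


def triage(root):
    """Walk `root` and group findings by indicator type."""
    report = {"renamed": [], "notes": [], "sample": []}
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        restored = original_name(path.name)
        if restored:
            report["renamed"].append((str(path), restored))
        elif path.name == NOTE_NAME:
            report["notes"].append(str(path))
        elif path.suffix.lower() == ".exe":
            # Assumption: only .exe files are hashed, to keep the sweep fast.
            if hashlib.sha256(path.read_bytes()).hexdigest() == SAMPLE_SHA256:
                report["sample"].append(str(path))
    return report


def demo():
    # Constructed sample tree; no real ransomware artifacts are involved.
    with tempfile.TemporaryDirectory() as tmp:
        for name in ("test.king_ouroboros.doc", "notes.txt", NOTE_NAME, "setup.exe"):
            (Path(tmp) / name).write_bytes(b"constructed sample")
        return triage(tmp)


if __name__ == "__main__":
    print(demo())
```

The `renamed` list pairs each encrypted file with its recovered original name, which gives a quick inventory of what was affected and which backups to restore from.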
