I guess even ransomware developers do not like being called scammers, as shown by a recent venting session by the King Ouroboros ransomware developer on Twitter.
In tweets to ransomware researchers MalwareHunterTeam, Michael Gillespie, and Amigo-A, the ransomware developer takes offense at some sites calling his software a scam and saying that paying the ransom won't get your files back. The ransomware developer, on the other hand, defends the malware by trying to make it out as if they are doing something good for their victims.
“From the beginning, we’ve already helped loads of people solving any of their issues regarding the decryption of their files, as well as spending time to code a standalone decryption tool for those who have deleted the original one,” stated the King Ouroboros ransomware dev. “We do also provide discounts to those who are able to prove any kind of financial problems they may have.”
After reading this, I could only think WTH!?!?! Here is a ransomware developer screwing people over and now we are supposed to feel bad that some site called his software a scam?
For those unfamiliar with the King Ouroboros ransomware, it is an AutoIt script compiled into an executable that, when executed, will encrypt a computer and insert the king_ouroboros string into the encrypted file’s name. For example, test.doc would be encrypted and renamed to test.king_ouroboros.doc.
The ransomware will also drop a ransom note named README!!! ALL YOUR FILES HAVE BEEN SECURELY ENCRYPTED!!!.txt that tells you to contact [email protected] or [email protected] for payment instructions.
The ransomware will also change the desktop background to a “hackerish” type background like the one below.
The last noticeable change it makes is to create a legal notice that is displayed to users before they log in to the computer.
Last, but not least, the ransomware developer appears to dislike President Trump based on the name of his Command & Control server’s domain and its title.
Ransom Note Text:
All your files have been encrypted! The encryption key has been sent online and is not public. You have 10 days time to contact us or you will lose your data. The only way you can recover your files is to buy a decryption key. The payment method is: Bitcoins. The price is: 80$ USD = 0.01184434 Bitcoin For instruction on recovery send an email to: [email protected] We will reply within 48 hours. If we don't reply send email to [email protected] DO NOT USE ANY ANTIVIRUS PROGRAMS. YOU WILL NOT BE ABLE TO RECOVER YOUR FILES! Include this ID in the email you send to us: [id]
README!!! ALL YOUR FILES HAVE BEEN SECURELY ENCRYPTED!!!.txt
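The file-name indicators described above (the king_ouroboros string inserted before the extension, and the ransom note's name) are enough for a first triage sweep of a disk or file share to scope which folders were hit. The Python script below is an added example, not code from this article or from the researchers it mentions; the function names are illustrative, and it assumes the marker always sits directly before the final extension, as in the test.doc example.

```python
import os
import sys
from collections import Counter
from typing import Optional

MARKER = "king_ouroboros"  # string the article says is inserted into file names
NOTE_NAME = "README!!! ALL YOUR FILES HAVE BEEN SECURELY ENCRYPTED!!!.txt"


def original_name(name: str) -> Optional[str]:
    """Map 'test.king_ouroboros.doc' back to 'test.doc'; None if no match.

    Assumption: the marker sits directly before the final extension,
    as in the article's single example.
    """
    stem, dot, ext = name.rpartition(".")
    base, dot2, marker = stem.rpartition(".")
    if dot and dot2 and base and marker.lower() == MARKER:
        return f"{base}.{ext}"
    return None


def scan(root: str):
    """Return (renamed, notes, per_dir) for everything under root."""
    renamed, notes, per_dir = [], [], Counter()
    # Unreadable directories are skipped rather than aborting the sweep.
    for dirpath, _dirs, files in os.walk(root, onerror=lambda err: None):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.lower() == NOTE_NAME.lower():
                notes.append(path)
            elif (orig := original_name(name)) is not None:
                renamed.append((path, orig))
                per_dir[dirpath] += 1
    return sorted(renamed), sorted(notes), per_dir


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    renamed, notes, per_dir = scan(root)
    for path, orig in renamed:
        print(f"RENAMED  {path}  (was {orig})")
    for path in notes:
        print(f"NOTE     {path}")
    for directory, count in per_dir.most_common():
        print(f"{count:6d} affected file(s) in {directory}")
```

The scan only reads directory listings, so it can be run against a read-only mount of an affected volume without altering timestamps on the encrypted files.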