Meldonii@india.com Ransomware
Posted: August 23, 2016
Threat Metric
The fields listed on the Threat Meter, each carrying a specific value, are explained below:
Threat Level: The threat level scale runs from 1 to 10, where 10 is the highest severity and 1 the lowest. Each level is relative to the threat's consistently assessed behaviors, as collected by SpyHunter's risk assessment model.
Detection Count: The collective number of confirmed and suspected cases of a particular malware threat, calculated from infected PCs according to the diagnostic and scan log reports generated by SpyHunter.
Volume Count: Similar to the Detection Count, but based on the number of confirmed and suspected threats infecting systems on a daily basis. A high Volume Count usually indicates a popular threat, though it may or may not have infected a large number of systems; a threat with a high Detection Count could lie dormant and have a low Volume Count. The Volume Count criteria are relative to a daily detection count.
Trend Path: The Trend Path uses an up arrow, a down arrow or an equals sign to represent the recent movement of a particular threat. An up arrow represents an increase, a down arrow a decline, and the equals sign no change in the threat's recent movement.
% Impact (Last 7 Days): The change over a 7-day period in the frequency with which a malware threat infects PCs. The percentage impact correlates directly with the current Trend Path, indicating a rise or decline.
| Field | Value |
|---|---|
| Threat Level | 10/10 |
| Infected PCs | 176 |
| First Seen | August 23, 2016 |
| Last Seen | May 3, 2019 |
| OS(es) Affected | Windows |
The 'Meldonii@india.com' Ransomware is a Trojan that encrypts your files and renames them to include an e-mail address for ransom negotiations. Because the con artists may not honor their word, and because current samples of this threat have no free decryption solution, PC owners can best protect their data by keeping regular backups stored away from the infected system. Malware experts recommend limiting network and removable-drive access to infected systems until the 'Meldonii@india.com' Ransomware has been removed through proper anti-malware procedures.
A New Crisis Thanks to the Crysis Ransomware
Peripheral devices and spare PCs can help with recovery from a threatening attack but, when used without care, can be just as useful to the authors of threatening software who want to widen the reach of their original payloads. The 'Meldonii@india.com' Ransomware is one example of how a file-encrypting attack can expand beyond its initial impact. It is a confirmed variant of the Crysis Ransomware family, although not merely a direct clone carrying a new e-mail address.
The 'Meldonii@india.com' Ransomware creates Registry entries that launch it automatically at every system start, and the samples listed under Technical Details below also drop copies of themselves into the Startup folder. Once running, it uses a combination of AES and RSA: the file contents are enciphered with AES, and the key needed to decrypt them is protected with RSA, so the key cannot simply be recovered from the infected machine. It skips its own files and content essential to the operating system. Besides being encrypted, each file is renamed to include the 'Meldonii@india.com' e-mail address and other details, such as the '.xtbl' extension (which the Troldesh Ransomware and other variants of these two families also use).
The initial damage the 'Meldonii@india.com' Ransomware causes is used to leverage extortion attempts, with the latest negotiations demanding sums of up to one thousand USD in Bitcoin. Malware experts also observed the 'Meldonii@india.com' Ransomware launching second-wave attacks against any newly-introduced drives, letting it encrypt the contents of USB devices and of other PCs whose drives become reachable. Because these changes were not always immediate, the borders of a 'Meldonii@india.com' Ransomware infection may grow significantly before its victims realize the extent of their mistake.
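The following is an added example, not code from the original write-up or from the malware's authors: a small hunting script that recognises the Crysis-style rename described above and counts hits per drive root, so that a second wave on a USB stick or a mapped share shows up as a separate root. It assumes the naming convention '<name>.id-<victim id>.<e-mail>.xtbl' and, because the delimiter around the address varies between samples, accepts square brackets, curly braces or none. The sample path list is constructed for the demonstration and is not real forensic data.

```python
"""Hunt for Crysis-style renamed files and measure how far an infection spread."""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Assumed rename pattern: original name, an 'id-' victim identifier, the
# operator's e-mail address (optionally in [] or {}) and the .xtbl extension.
CRYSIS_NAME = re.compile(
    r"^(?P<original>.+?)\.id-(?P<victim_id>[0-9A-Fa-f]+)"
    r"\.[\[{]?(?P<email>[^\[\]{}]+@[^\[\]{}]+?)[\]}]?\.xtbl$"
)


def parse_crysis_name(filename: str):
    """Return {'original', 'victim_id', 'email'} for a Crysis-renamed file, else None."""
    m = CRYSIS_NAME.match(filename)
    return m.groupdict() if m else None


def classify(path: str) -> str:
    """Label a path 'crysis', 'other_xtbl' (.xtbl without the id/e-mail marker) or 'clean'."""
    name = PureWindowsPath(path).name
    if parse_crysis_name(name):
        return "crysis"
    if name.lower().endswith(".xtbl"):
        return "other_xtbl"
    return "clean"


def spread_by_root(paths):
    """Count Crysis-renamed files per drive root (C:\\, E:\\, \\\\server\\share\\).

    Hits on a removable or network root are the 'second wave' the write-up
    describes: the payload reached a drive attached after the first run.
    """
    counts = defaultdict(int)
    for p in paths:
        if classify(p) == "crysis":
            counts[PureWindowsPath(p).anchor] += 1
    return dict(counts)


# Constructed sample listing (not real forensic data): a user profile on C:,
# a USB stick on E:, a mapped share, one .xtbl file lacking the Crysis marker
# and a clean system file.
SAMPLE_PATHS = [
    r"C:\Users\alice\Documents\report.docx.id-B4500913.{Meldonii@india.com}.xtbl",
    r"C:\Users\alice\Pictures\holiday.jpg.id-B4500913.[Meldonii@india.com].xtbl",
    r"C:\Windows\System32\kernel32.dll",
    r"E:\backup\accounts.xlsx.id-B4500913.{Meldonii@india.com}.xtbl",
    r"\\fileserver\share\q3.pptx.id-B4500913.{Meldonii@india.com}.xtbl",
    r"C:\Users\alice\Desktop\notes.txt.xtbl",
]

if __name__ == "__main__":
    for p in SAMPLE_PATHS:
        info = parse_crysis_name(PureWindowsPath(p).name)
        extra = f"  -> victim {info['victim_id']}, contact {info['email']}" if info else ""
        print(f"{classify(p):10s} {p}{extra}")
    print("encrypted files per drive root:", spread_by_root(SAMPLE_PATHS))
```

Feed it the output of a recursive directory listing taken from the infected host and any drive that was plugged into it; a non-zero count on a root other than the system drive is the evidence you want before deciding how many machines to isolate.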
Canceling Your Files' Trip to India
The 'Meldonii@india.com' Ransomware shows few outward changes from other versions of the Crysis Ransomware. Even though victims may consider it no different from past Trojans, malware experts noted changes in its encryption methodology that could stop previously viable decryptors from working against it. Backups can restore the damaged data without any decryption process; PC operators without backups are left paying con artists for a decryptor that may not work.
The 'Meldonii@india.com' Ransomware has not been verified to include any of the self-distributing features malware analysts most often see in worm-based threats. Its distribution currently hinges on weak network and Remote Desktop security. Double-check all authorized access to remote desktop products and their associated settings (which accounts may log in remotely, from where, and with what passwords) to limit the 'Meldonii@india.com' Ransomware's potential for spreading.
The early phases of the 'Meldonii@india.com' Ransomware's negotiations may resemble cooperative attempts to deliver decryption software for little or no cost. In most cases, the con artists introduce a high ransom fee only after gaining the victim's trust. For the indefinite future, malware experts recommend deleting the 'Meldonii@india.com' Ransomware and protecting both your files and your finances with a robust anti-malware product rather than trusting a con artist's word.
Technical Details
File System Modifications
The following files were created on the system. All are executable files (MIME type unknown/exe), grouped as malware files and last updated August 24, 2016:

| File name | Size | MD5 | Detection count | Path |
|---|---|---|---|---|
| Payload_c.exe | 320.51 KB (320512 bytes) | e6bd82f380eb0fab900c2b5ce462bd74 | 37 | %SystemDrive%\Users\<username>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup |
| Payload22.exe | 274.73 KB (274734 bytes) | f44356480e91acef8f437440928030b4 | 16 | %SystemDrive%\Users\<username>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup |
| Payload00.exe | 221.48 KB (221488 bytes) | 2fc8df6492276f287cdb916277fb0914 | 14 | %ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Startup |
| Payload_c.exe | 323.25 KB (323254 bytes) | 98f0855d4021747730bec172c633a56b | 14 | %SystemDrive%\Users\<username>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup |
| Payload88.exe | 331.26 KB (331264 bytes) | bf7b15cb398ab411cb2e2201bfe20055 | 7 | %SystemDrive%\Users\<username>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup |
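As an added example (not code from the original write-up or from the malware's authors), the check below walks the two Startup folders the dropped payloads used, hashes every file there and compares the MD5s against the table above. Because the write-up notes that the encryption methodology changes between samples, a fresh build will not match old hashes, so the scan also flags any bare executable in a Startup folder: legitimate entries there are normally shortcuts, not .exe files. The IOC dictionary is copied from the table; the `run_demo` helper, the temporary Startup folder it builds and the stand-in payload bytes are constructed for the demonstration.

```python
"""Check Windows Startup folders for the dropped payloads listed in the table above."""
import hashlib
import os
import tempfile
from pathlib import Path

# MD5s copied from the Technical Details table above.
KNOWN_PAYLOAD_MD5 = {
    "e6bd82f380eb0fab900c2b5ce462bd74": "Payload_c.exe",
    "f44356480e91acef8f437440928030b4": "Payload22.exe",
    "2fc8df6492276f287cdb916277fb0914": "Payload00.exe",
    "98f0855d4021747730bec172c633a56b": "Payload_c.exe",
    "bf7b15cb398ab411cb2e2201bfe20055": "Payload88.exe",
}

# Raw executables or scripts in a Startup folder are suspicious even without a
# hash match; normal Startup entries are .lnk shortcuts, which are left alone.
EXECUTABLE_SUFFIXES = {".exe", ".scr", ".com", ".bat", ".cmd", ".vbs", ".js", ".ps1"}


def md5_of(path) -> str:
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def default_startup_dirs():
    """Per-user and all-users Startup folders, the two locations in the table (Windows only)."""
    rel = Path("Microsoft", "Windows", "Start Menu", "Programs", "Startup")
    dirs = []
    for var in ("APPDATA", "ALLUSERSPROFILE"):
        if os.environ.get(var):
            dirs.append(Path(os.environ[var]) / rel)
    return dirs


def scan_startup_dirs(dirs, known_md5=KNOWN_PAYLOAD_MD5):
    """Return (path, md5, verdict) per file: 'known_payload', 'unknown_executable' or 'other'."""
    findings = []
    for d in dirs:
        d = Path(d)
        if not d.is_dir():
            continue  # folder absent on this host (or not Windows); nothing to report
        for p in sorted(d.iterdir()):
            if not p.is_file():
                continue
            digest = md5_of(p)
            if digest in known_md5:
                verdict = "known_payload"
            elif p.suffix.lower() in EXECUTABLE_SUFFIXES:
                verdict = "unknown_executable"
            else:
                verdict = "other"
            findings.append((str(p), digest, verdict))
    return findings


def run_demo():
    """Constructed demonstration: build a fake Startup folder in a temp dir and scan it
    twice, once against the page's IOCs (no hash match, so the stray .exe is only an
    'unknown_executable') and once with the stand-in's own hash added to show a match."""
    with tempfile.TemporaryDirectory() as tmp:
        startup = Path(tmp) / "Startup"
        startup.mkdir()
        stand_in = b"constructed stand-in, not the real sample"
        (startup / "Payload_c.exe").write_bytes(stand_in)
        (startup / "desktop.ini").write_text("[.ShellClassInfo]\n")
        page_iocs = {Path(p).name: v for p, _, v in scan_startup_dirs([startup])}
        augmented = dict(KNOWN_PAYLOAD_MD5)
        augmented[hashlib.md5(stand_in).hexdigest()] = "Payload_c.exe (stand-in)"
        with_hash = {Path(p).name: v for p, _, v in scan_startup_dirs([startup], augmented)}
        return {"page_iocs": page_iocs, "with_stand_in_hash": with_hash}


if __name__ == "__main__":
    for label, result in run_demo().items():
        print(label, result)
    # On a Windows host this also inspects the real Startup folders.
    for path, digest, verdict in scan_startup_dirs(default_startup_dirs()):
        print(f"{verdict:18s} {digest}  {path}")
```

Run it from an administrative prompt on the suspect host so that the all-users Startup folder is readable; a 'known_payload' hit confirms this family, while an 'unknown_executable' hit still needs the file pulled for analysis before the machine is returned to the network.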