2019-06-07-maze-ransomware-notes.vk.txt

//SHA-256: 639af330da2d4389a6ecb1c3e26e5449c3c4fae7f198d158cbcdadc9466d1bcc
//h/t @malwrhunterteam

Possible version 1.0.2

Oddity:
AhnLab
"select * From AntiVirusProduct"

Whitelisted Directories:

:\\Windows
\\Program Files
\\Games\\
\\Tor Browser\\
\\ProgramData\\
\\cache2\\entries\\
\\Low\\Content.IE5\\
\\All Users

Whitelisted Files:

autorun.inf
boot.ini
desktop.ini
ntuser.dat
concache.db
bootsect.bak
ntuser.dat.log
thumbs.db
Bootfont.bin

Stats Request Builder:

.php
.asp
.aspx
.cgi
.jsp
.jspx
.action
.html
.phtml
.shtml
news
login
register
logout
edit
content
private
messages
account
view
webauth
webaccess
archive
forum
post
signin
signout
update
support
ticket
task
tracker
analytics
check
checkout
payout
withdrawal
sepa
create
transfer
wire

Ransomware Note (koreadec@tutanota.com) & IP:

<head>
<script>

function CopyToClipboard(containerid) {
  if (document.selection) {
    var range = document.body.createTextRange();
    range.moveToElementText(document.getElementById(containerid));
    range.select().createTextRange();
    document.execCommand("copy");

  } else if (window.getSelection) {
    var range = document.createRange();
    range.selectNode(document.getElementById(containerid));
    window.getSelection().addRange(range);
    document.execCommand("copy");
    alert("Base64 copied into the clipboard!")
  }
}

</script>
<style>
 html{ margin:0; padding:0; width:100%; height:100%; }
 body {  background: #000000; color: #ececec; font-family: Consolas };

.tooltip {
  position: relative;
  display: inline-block;
  border-bottom: 1px dotted black;
}

.tooltip .tooltiptext {
  visibility: hidden;
  width: 120px;
  background-color: #555;
  color: #fff;
  text-align: center;
  border-radius: 6px;
  padding: 5 px 0;
  position: absolute;
  z-index: 1;
  bottom: 125%;
  left: 50%;
  margin-left: -60px;
  opacity: 0;
  transition: opacity 0.3s;
}

.tooltip .tooltiptext::after {
  content: "";
  position: absolute;
  top: 100%;
  left: 50%;
  margin-left: -5px;
  border-width: 5px;
  border-style: solid;
  border-color: #555 transparent transparent transparent;
}

.tooltip:hover .tooltiptext {
  visibility: visible;
  opacity: 1;
}

p#base64{

    -ms-word-break: break-all;
    word-break: break-all;

    -webkit-hyphens: auto;
       -moz-hyphens: auto;
        -ms-hyphens: auto;
            hyphens: auto;
}

p#base64:hover{
	cursor: hand;
}
</style>
</head>
<body>

<table style="position: absolute;" width="100%">
<tr>
<td style="width: 25%;">


<td style="width: 50%;">
<div style="text-align: center; font-size: 20px;">
<p><b>Maze ransomware</b></p>

<p>*********************************************************************************************************************</p>
<p>Attention! Your documents, photos, databases, and other important files have been encrypted!</p>
<p>*********************************************************************************************************************</p>

</div>

<div style="text-align: center; font-size: 18px;">
<p><b>What is going on?</b><br>Your files have been encrypted using strong reliable algorithms RSA-2048 and ChaCha20 with an unique private key for your system</p>

<p>You can read more about this cryptosystem here: <a href=https://en.wikipedia.org/wiki/RSA_(cryptosystem)>https://en.wikipedia.org/wiki/RSA_(cryptosystem)</a></p>
<p>The only way to recover (decrypt) your files is to buy decryptor with the unique private key</p>
<p><u>Attention! Only we can recover your files! If someone tell you that he can do this, kindly ask him to proof!</u></p>
<p>By us you can decrypt one of your files for free as a proof of work that we have the method to decrypt the rest of your data.</p>
<p>In order to either buy the private key or make test decryption contact us via email: <br> <u><b>%EMAIL_ADDRESS%</b></u>

<p>Remember to hurry up as email address may not be available for very long as soon as law enforcements of different countries always trying to seize emails used in ransom companies
<p>If you are willing to pay but you are not sure knock us and we will save your e-mail address. In case the listed addresses are seized we will write you from the new one</p>
<p>Below you will see a big base64 blob, you will need to email us and copy this blob to us.<br>you can click on it, and it will be copied into the clipboard.</p>
<p>If you have troubles copying it, just send us the file you are currently reading, as an attachment.</p>
<p>Base64: </p>
</div><div style="text-align: center; font-size: 12px;"><p id="base64" onclick="return CopyToClipboard('base64')" class="tooltip">%BASE64_PLACEHOLDER%<span class="tooltiptext">Click here to copy</span></p></div></td><td style="width: 25%; text-align: right;"></tr></table></body></html>jQMain e-mail: koreadec@tutanota.com<br>Reserve e-mail: yourrealdecrypt@airmail.cc

92.63.8.47
92.63.32.2
92.63.37.100
92.63.194.20
92.63.17.245
92.63.32.55
92.63.11.151
92.63.194.3
92.63.15.8
92.63.29.137
92.63.32.57
92.63.15.56
92.63.11.151
92.63.32.52
92.63.15.6
	//SHA-256: 639af330da2d4389a6ecb1c3e26e5449c3c4fae7f198d158cbcdadc9466d1bcc
	//h/t @malwrhunterteam

	Possible version 1.0.2

	Oddity:
	AhnLab
	"select * From AntiVirusProduct"

	Whitelisted Directories:

	:\\Windows
	\\Program Files
	\\Games\\
	\\Tor Browser\\
	\\ProgramData\\
	\\cache2\\entries\\
	\\Low\\Content.IE5\\
	\\All Users

	Whitelisted Files:

	autorun.inf
	boot.ini
	desktop.ini
	ntuser.dat
	concache.db
	bootsect.bak
	ntuser.dat.log
	thumbs.db
	Bootfont.bin

	Stats Request Builder:

	.php
	.asp
	.aspx
	.cgi
	.jsp
	.jspx
	.action
	.html
	.phtml
	.shtml
	news
	login
	register
	logout
	edit
	content
	private
	messages
	account
	view
	webauth
	webaccess
	archive
	forum
	post
	signin
	signout
	update
	support
	ticket
	task
	tracker
	analytics
	check
	checkout
	payout
	withdrawal
	sepa
	create
	transfer
	wire

	Ransomware Note (koreadec@tutanota.com) & IP:

	<head>
	<script>

	function CopyToClipboard(containerid) {
	if (document.selection) {
	var range = document.body.createTextRange();
	range.moveToElementText(document.getElementById(containerid));
	range.select().createTextRange();
	document.execCommand("copy");

	} else if (window.getSelection) {
	var range = document.createRange();
	range.selectNode(document.getElementById(containerid));
	window.getSelection().addRange(range);
	document.execCommand("copy");
	alert("Base64 copied into the clipboard!")
	}
	}

	</script>
	<style>
	html{ margin:0; padding:0; width:100%; height:100%; }
	body { background: #000000; color: #ececec; font-family: Consolas };

	.tooltip {
	position: relative;
	display: inline-block;
	border-bottom: 1px dotted black;
	}

	.tooltip .tooltiptext {
	visibility: hidden;
	width: 120px;
	background-color: #555;
	color: #fff;
	text-align: center;
	border-radius: 6px;
	padding: 5 px 0;
	position: absolute;
	z-index: 1;
	bottom: 125%;
	left: 50%;
	margin-left: -60px;
	opacity: 0;
	transition: opacity 0.3s;
	}

	.tooltip .tooltiptext::after {
	content: "";
	position: absolute;
	top: 100%;
	left: 50%;
	margin-left: -5px;
	border-width: 5px;
	border-style: solid;
	border-color: #555 transparent transparent transparent;
	}

	.tooltip:hover .tooltiptext {
	visibility: visible;
	opacity: 1;
	}

	p#base64{

	-ms-word-break: break-all;
	word-break: break-all;

	-webkit-hyphens: auto;
	-moz-hyphens: auto;
	-ms-hyphens: auto;
	hyphens: auto;
	}

	p#base64:hover{
	cursor: hand;
	}
	</style>
	</head>
	<body>

	<table style="position: absolute;" width="100%">
	<tr>
	<td style="width: 25%;">


	<td style="width: 50%;">
	<div style="text-align: center; font-size: 20px;">
	<p><b>Maze ransomware</b></p>

	<p>*********************************************************************************************************************</p>
	<p>Attention! Your documents, photos, databases, and other important files have been encrypted!</p>
	<p>*********************************************************************************************************************</p>

	</div>

	<div style="text-align: center; font-size: 18px;">
	<p><b>What is going on?</b><br>Your files have been encrypted using strong reliable algorithms RSA-2048 and ChaCha20 with an unique private key for your system</p>

	<p>You can read more about this cryptosystem here: <a href=https://en.wikipedia.org/wiki/RSA_(cryptosystem)>https://en.wikipedia.org/wiki/RSA_(cryptosystem)</a></p>
	<p>The only way to recover (decrypt) your files is to buy decryptor with the unique private key</p>
	<p><u>Attention! Only we can recover your files! If someone tell you that he can do this, kindly ask him to proof!</u></p>
	<p>By us you can decrypt one of your files for free as a proof of work that we have the method to decrypt the rest of your data.</p>
	<p>In order to either buy the private key or make test decryption contact us via email: <br> <u><b>%EMAIL_ADDRESS%</b></u>

	<p>Remember to hurry up as email address may not be available for very long as soon as law enforcements of different countries always trying to seize emails used in ransom companies
	<p>If you are willing to pay but you are not sure knock us and we will save your e-mail address. In case the listed addresses are seized we will write you from the new one</p>
	<p>Below you will see a big base64 blob, you will need to email us and copy this blob to us.<br>you can click on it, and it will be copied into the clipboard.</p>
	<p>If you have troubles copying it, just send us the file you are currently reading, as an attachment.</p>
	<p>Base64: </p>
	</div><div style="text-align: center; font-size: 12px;"><p id="base64" onclick="return CopyToClipboard('base64')" class="tooltip">%BASE64_PLACEHOLDER%<span class="tooltiptext">Click here to copy</span></p></div></td><td style="width: 25%; text-align: right;"></tr></table></body></html>jQMain e-mail: koreadec@tutanota.com<br>Reserve e-mail: yourrealdecrypt@airmail.cc

	92.63.8.47
	92.63.32.2
	92.63.37.100
	92.63.194.20
	92.63.17.245
	92.63.32.55
	92.63.11.151
	92.63.194.3
	92.63.15.8
	92.63.29.137
	92.63.32.57
	92.63.15.56
	92.63.11.151
	92.63.32.52
	92.63.15.6