
Iran-Centric Threat Research of the Recent Years

· 22 min read
Mert Degirmenci

Introduction


We have all watched Albania's response to the recent cyber attacks on the country after they were attributed to Iranian actors by the public and private sectors. The response itself was very big and bold; I guess it is one of a kind.

But it isn't the start of the conflict; the Arabian Peninsula in particular hasn't settled down, and it seems it isn't going to any time soon. And the Albanian case isn't the only attack we can discuss. There are many more attacks with various objectives, from hacktivism to espionage and destruction, even one that caused physical damage.

I want to dig deeper into what is happening physically and digitally and into their cause-and-effect relation. The timeline of recent years might help to answer these questions and, of course, raise new ones.



People


Sayyid Ali Hosseini Khamenei

He has been the second and current supreme leader of Iran since 1989. [1]


Glossary


Mujahedin-e-Khalq (MEK)

The MEK is an Iranian political-militant organization founded on 5 September 1965. In the 1970s, the organization contributed to the overthrow of the Shah during the Iranian Revolution. It subsequently pursued the establishment of a democracy in Iran. But by 1981, authorities had banned the MEK. In 1983, the MEK started an alliance with Iraq and then sided with them during the Iran-Iraq war.

Following the occupation of Iraq by U.S.-led coalition forces in 2003, the MEK signed a ceasefire agreement with the U.S. and put down their arms in Camp Ashraf. However, the European Union, Canada, the United States, and Japan have previously listed the MEK as a terrorist organization.

In 2013, the United States requested that the MEK relocate to Albania and the MEK eventually agreed to move about 3,000 members to Albania [2].

Shamoon

It is wiper malware used against Saudi Arabia's Saudi Aramco in 2012. It uses the EldoS RawDisk driver to access the disk.

A group named "Cutting Sword of Justice" claimed responsibility for the attack. [3]

OilRig

It is a suspected Iranian threat group that has been active since at least 2014. The group is also known as APT34, Helix Kitten, and ITG13. [4]



Timeline


I've tried to collect significant physical or digital events chronologically:



Relation Graph


A visualized form of the attacks listed above is as follows:

Attack graph



Conclusion


As grugq perfectly summarizes in his blog post, the community was waiting to see cutting-edge cyber weapons in the Ukraine War [39]. But in this region, things are already moving on the edge. Physical and digital have mixed significantly with each other. The whole timeline is just a showcase of cause and effect.

I think there is a vast wealth of material on this subject. It is possible to dive deep from various technical or international-relations perspectives.

At the end of this research, what fascinates me is the mysterious threat actor that I briefly discuss below. Its TTP is interesting, and I plan to look further into profiling it. This is going to be a fun chase for me.



References


  1. https://en.wikipedia.org/wiki/Ali_Khamenei
  2. https://en.wikipedia.org/wiki/People%27s_Mojahedin_Organization_of_Iran
  3. https://en.wikipedia.org/wiki/Shamoon
  4. https://attack.mitre.org/groups/G0049/
  5. https://www.ibm.com/downloads/cas/OAJ4VZNJ
  6. https://www.zdnet.com/article/new-iranian-data-wiper-malware-hits-bapco-bahrains-national-oil-company/
  7. https://www.cisa.gov/uscert/ncas/alerts/aa20-259a
  8. https://www.justice.gov/opa/pr/united-states-seizes-27-additional-domain-names-used-iran-s-islamic-revolutionary-guard-corps
  9. https://www.microsoft.com/security/blog/2022/09/08/microsoft-investigates-iranian-attacks-against-the-albanian-government/
  10. https://apnews.com/article/middle-east-technology-iran-a1690f768777b25bc8a8fe6d94bf8669
  11. https://www.reuters.com/world/middle-east/iran-transport-ministry-hit-by-second-apparent-cyberattack-days-2021-07-10/
  12. https://old.iranintl.com/en/iran/hackers-release-security-footage-iran%E2%80%99s-evin-prison
  13. https://apnews.com/article/business-middle-east-iran-dubai-united-arab-emirates-0342c10733bc89379e00d99152fe7a1f
  14. https://www.timesofisrael.com/amid-ongoing-cyberwar-iran-uses-new-tactic-doxing-israeli-foes/
  15. https://www.cisa.gov/uscert/ncas/alerts/aa21-321a
  16. https://www.jpost.com/breaking-news/irans-mahan-air-hit-by-cyberattack-685575
  17. https://www.jpost.com/middle-east/iranian-websites-hacked-to-show-death-to-khamenei-message-686911
  18. https://apnews.com/article/middle-east-television-iran-media-dubai-ff21e219297a7b84c37e088a64c0d895
  19. https://www.iranintl.com/en/202202012324
  20. https://www.jpost.com/middle-east/article-695837
  21. https://english.mojahedin.org/news/iran-despite-utilizing-all-resources-after-12-days-regimes-radio-and-tv-networks-have-not-returned-to-a-normal-status/
  22. https://www.jpost.com/breaking-news/article-705021
  23. https://www.jpost.com/middle-east/article-708830
  24. https://apnews.com/article/politics-iran-middle-east-dubai-united-arab-emirates-f9b79784cba77adcf8c88dafde11ee84
  25. https://www.iranintl.com/en/202207026443
  26. https://apnews.com/article/technology-middle-east-iran-dubai-b0404963ae23e5008439a0b607952de1
  27. https://www.iranintl.com/en/202207032504
  28. https://albaniandailynews.com/news/cyber-attacks-forces-akshi-close-government-online-systems
  29. https://en.mfa.ir/files/mfaen/s.pdf
  30. https://al.usembassy.gov/security-alert-threat-targeting-the-free-iran-world-summit-july-21-2022/
  31. https://www.mandiant.com/resources/blog/likely-iranian-threat-actor-conducts-politically-motivated-disruptive-activity-against
  32. https://abcnews.go.com/International/wireStory/terror-threat-cancels-iranian-oppositions-summit-albania-87267980
  33. https://english.alarabiya.net/News/world/2022/09/10/Albania-suffers-renewed-cyberattack-blames-Iran-Interior-ministry
  34. https://home.treasury.gov/news/press-releases/jy0948
  35. https://media.defense.gov/2022/Sep/14/2003076379/-1/-1/0/CSA_IRGC.PDF
  36. https://www.secureworks.com/blog/opsec-mistakes-reveal-cobalt-mirage-threat-actors
  37. https://www.cisa.gov/uscert/ncas/alerts/aa22-264a
  38. https://www.iranintl.com/en/202210085084
  39. https://grugq.substack.com/p/albanian-cyber-war


Annex I: Mysterious Iran-Nexus Threat Actor


In IBM's ZeroCleare report from 2020:

  • Initial access in the attack was attributed to ITG13 (APT34),
  • The destructive portion of the attack was attributed to a likely Iran-based actor,
  • The wiper utilized the EldoS RawDisk driver,
  • The initial access and the destructive attack are approximately one year apart.

In Saudi Arabia's National Cybersecurity Authority's report about Dustman in 2020:

  • Artifacts show early signs of compromise of the network dating back a few months before the destructive attack,
  • An urgency to execute the files on the date of the attack is assessed,
  • The wiper utilized the EldoS RawDisk driver.

In Microsoft's report about the Albanian case:

  • 4 different Iran-based actors are identified,
  • Initial access and data exfiltration are moderately attributed to EUROPIUM (APT34),
  • The ransomware and wiper part of the attack is attributed to DEV-0842,
  • The wiper utilized the EldoS RawDisk driver.

Microsoft uses DEV-#### designations as a temporary name given to an unknown, emerging, or a developing cluster of threat activity, allowing MSTIC to track it as a unique set of information until we reach a high confidence about the origin or identity of the actor behind the activity. Once it meets the criteria, the DEV reference is converted to a named actor.


In CISA's alert related to the Albanian attack:

  • The ransomware and wiper attack took place approximately 14 months after the initial compromise.

According to Microsoft's report, DEV-0842 isn't under the EUROPIUM umbrella but is a separate cluster at the same level.

The group's motivation is to achieve a destructive impact on the targeted systems. Even though their toolkit includes malware that acts like ransomware, it most likely wasn't used for ransom in the Albanian case.

I have a minimal dataset related to the attacks. According to it, the targets are countries that the actor evaluates as rivals of the Islamic State in one way or another, and within those countries it attacks the government and the energy sector.

There is a pattern: the group doesn't get involved at the early stage of the attacks and only comes onto the scene at the end. Also, we know from CISA's report that they connected to the victim's network via RDP.

Saudi Arabia's report doesn't name a threat actor, but the other attacks start with APT34 and end with this group, with months between the start and the end.


TTP

  • Leveraging customized versions of the open-source project TDL to load the EldoS RawDisk driver on 64-bit Windows,
  • Using the PE's resource section to carry the next stages of the attack; the data is XOR encrypted,
  • Signing the tools with an invalid digital certificate,
  • Utilizing the EldoS RawDisk driver for destructive impact,
  • The license key for the EldoS RawDisk driver is: b4b615c28ccd059cf8ed1abf1c71fe03c0354522990af63adf3c911e2287a4b906d47d.

ROADSWEEP

  • Ransomware,
  • Initially checks the number of passed arguments; if it is less than the limit (which changes from sample to sample), the ransomware part isn't executed,
  • Checks a mutex (the value differs in each sample),
  • Strings are decrypted dynamically with the RC4 algorithm,
  • Tries to mount each volume,
  • Creates a cmd.exe and executes a batch script through a pipe; the script as extracted from the sample (string escapes resolved):
        @for /F "skip=1" %C in ('wmic LogicalDisk get DeviceID') do (@wmic /namespace:\\root\default Path SystemRestore Call disable "%C\" & @rd /s /q %C\$Recycle.bin)
        @vssadmin.exe delete shadows /all /quiet
        @set SrvLst=vss sql svc$ memtas mepos sophos veeam backup GxVss GxBlr GxFWD GxCVD GxCIMgr DefWatch ccEvtMgr ccSetMgr SavRoam RTVscan QBFCService QBIDPService ntuit.QuickBooks.FCS QBCFMonitorService YooBackup YooIT zhudongfangyu sophos stc_raw_agent VSNAPVSS VeeamTransportSvc VeeamDeployment
  • Connects to the victim network remotely with valid credentials,
  • The ransom note's file name is How_To_Unlock_MyFiles.txt,
  • Appends .lck to the end of encrypted file names.

ZeroCleare

  • A wiper that utilizes EldoS RawDisk,
  • Opens a handle to the driver by passing a path that contains the EldoS license key,
  • Wipes the corresponding path via the driver.
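Detection logic for the ROADSWEEP pre-encryption batch script listed above, as an added example that is not from the original post. The pipe-separated process-creation events, hostnames and PIDs are constructed; the indicator patterns come from the commands in the quoted script, and the grouping by parent process is what separates the script from one-off admin housekeeping.

```python
import re
from collections import defaultdict

# Indicators drawn from the ROADSWEEP batch script quoted above; each pattern is
# matched case-insensitively against a process command line.
INDICATORS = [
    ("drive_enumeration", r"wmic\s+logicaldisk\s+get\s+deviceid"),
    ("system_restore_disable",
     r"wmic\s+/namespace:\\\\root\\default\s+path\s+systemrestore\s+call\s+disable"),
    ("recycle_bin_wipe", r"\brd\s+/s\s+/q\s+\S*\$recycle\.bin"),
    ("shadow_copy_deletion", r"vssadmin(\.exe)?\s+delete\s+shadows\s+/all"),
    # the page's excerpt ends at the SrvLst assignment, so that is what we match
    ("backup_service_list", r"\bset\s+srvlst=.*\b(veeam|sophos|vss|sql)\b"),
]
COMPILED = [(name, re.compile(pat, re.IGNORECASE)) for name, pat in INDICATORS]

# Constructed process-creation events (not real telemetry):
# time|host|parent_pid|image|command_line
SAMPLE_LOG = r"""
2022-07-15T02:11:03Z|srv01|4120|C:\Windows\System32\wbem\WMIC.exe|wmic LogicalDisk get DeviceID
2022-07-15T02:11:04Z|srv01|4120|C:\Windows\System32\wbem\WMIC.exe|wmic /namespace:\\root\default Path SystemRestore Call disable "C:\"
2022-07-15T02:11:04Z|srv01|4120|C:\Windows\System32\cmd.exe|rd /s /q C:\$Recycle.bin
2022-07-15T02:11:05Z|srv01|4120|C:\Windows\System32\vssadmin.exe|vssadmin.exe delete shadows /all /quiet
2022-07-15T02:11:05Z|srv01|4120|C:\Windows\System32\cmd.exe|set SrvLst=vss sql svc$ memtas mepos sophos veeam backup
2022-07-15T09:30:12Z|ws07|880|C:\Windows\System32\vssadmin.exe|vssadmin list shadows
2022-07-15T09:31:40Z|ws07|880|C:\Windows\System32\wbem\WMIC.exe|wmic LogicalDisk get DeviceID
"""


def parse_events(log: str) -> list:
    """Split the constructed pipe-separated log into event dicts."""
    events = []
    for line in log.strip().splitlines():
        ts, host, ppid, image, cmdline = line.split("|", 4)
        events.append({"ts": ts, "host": host, "ppid": ppid,
                       "image": image, "cmdline": cmdline})
    return events


def match_indicators(cmdline: str) -> set:
    """Names of every indicator whose pattern occurs in one command line."""
    return {name for name, rx in COMPILED if rx.search(cmdline)}


def detect(log: str, min_hits: int = 3) -> dict:
    """Group indicator hits by (host, parent pid). A single parent that trips
    min_hits distinct indicators looks like the batch script, not admin work.
    Returns {(host, ppid): sorted indicator names} for the groups that alert."""
    hits = defaultdict(set)
    for ev in parse_events(log):
        hits[(ev["host"], ev["ppid"])] |= match_indicators(ev["cmdline"])
    return {key: sorted(names) for key, names in hits.items() if len(names) >= min_hits}


if __name__ == "__main__":
    for (host, ppid), names in detect(SAMPLE_LOG).items():
        print(f"{host} parent {ppid}: {', '.join(names)}")
```

ws07 runs a lone `vssadmin list shadows` and a disk enumeration and stays below the threshold; srv01's parent process 4120 trips all five indicators within seconds.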


Annex II: IOC




Annex III: YARA


import "pe"

rule ROADSWEEP
{
    meta:
        author = "r00tten"
        description = "ROADSWEEP ransomware"
        hash1 = "8ad01b028e6aa711d26879d346a7bef82516e372e0f14e8e69db6aef0f25d992"
        hash2 = "790f344d1ae2e19135a2df0ae99b9d3f9d2ba08465e8169a69dd8dcedd2698e0"
        hash3 = "f116acc6508843f59e59fb5a8d643370dce82f492a217764521f46a856cc4cb5"
        date = "08.10.2022"
        version = "1.0"

    strings:
        // "The format of the <2-5 bytes> file in not valid.\r\n(1,2)::Error: incorrect document syntax"
        $s1 = {54 68 65 20 66 6F 72 6D 61 74 20 6F 66 20 74 68 65 20 [2-5] 20 66 69 6C 65 20 69 6E 20 6E 6F 74 20 76 61 6C 69 64 2E 0D 0A 28 31 2C 32 29 3A 3A 45 72 72 6F 72 3A 20 69 6E 63 6F 72 72 65 63 74 20 64 6F 63 75 6D 65 6E 74 20 73 79 6E 74 61 78}
        $s2 = "All Files (*.*)"
        $s3 = "*.xml"

    condition:
        uint16(0) == 0x5a4d and all of ($s*)
}

rule resource_extract
{
    meta:
        author = "r00tten"
        description = "The malware that extracts pe files from the resources in Dustman and 2019 ZeroCleare cases."
        hash1 = "563653399b82cd443f120eceff836ea3678d4cf11d9b351bb737573c2d856299"
        hash2 = "f07b0c79a8c88a5760847226af277cf34ab5508394a58820db4db5a8d0340fc7"
        hash3 = "2dbc6845ac4396b0168442a896a527988850fe6e327350d9f49ade0b63eb4dc8"
        date = "08.10.2022"
        version = "1.0"

    strings:
        // mov r9, imm64 ; mov r8d, eax ; shr r8, 3 ; mov rdx, [rax+rcx] ; add eax, 8 ; xor rdx, r9
        $h1 = {49 b9 ?? ?? ?? ?? ?? ?? ?? ?? 44 8b c0 49 c1 e8 03 48 8b 14 08 83 c0 08 49 33 d1}

        $s1 = "Software\\Oracle\\VirtualBox" wide
        $s2 = "VBoxUSBMon" wide
        $s3 = "VBoxNetAdp" wide
        $s4 = "VBoxNetLwf" wide
        $s5 = "saddrv.sys"
        $s6 = "assistant.sys" wide
        $s7 = "VBoxDrv" wide
        $s8 = "elrawdsk.sys" wide
        $s9 = "Dustman"

    condition:
        uint16(0) == 0x5a4d
        // "and" binds tighter than "or" in YARA, so the string alternatives need their own
        // parentheses; without them a file hitting $h1 would match without the resource check
        and ($h1 or 5 of ($s*))
        // 10 == RT_RCDATA, the resource type that carries the next stage
        and for any i in (0..pe.number_of_resources - 1) : ( pe.resources[i].type == 10 )
}

rule ZeroCleare
{
    meta:
        author = "r00tten"
        description = "A rule to detect ZeroCleare malware."
        hash1 = "becb74a8a71a324c78625aa589e77631633d0f15af1473dfe34eca06e7ec6b86"
        hash2 = "e1204ebbd8f15dbf5f2e41dddc5337e3182fc4daf75b05acc948b8b965480ca0"
        hash3 = "2fc39463b6db44873c9c07724ac28b63cdd72f5863a4a7064883e3afdd141f8d"
        hash4 = "d8ec8ec8dfa582c44e81b8a7fcc44defc3d2fa658f75fa495124aedc3b0db367"
        date = "11.10.2022"
        version = "1.1"

    strings:
        // EldoS RawDisk license key, passed in the device path when the driver handle is opened
        $h1 = "b4b615c28ccd059cf8ed1abf1c71fe03c0354522990af63adf3c911e2287a4b906d47d" wide nocase

        $s1 = "\\??\\" wide
        $s2 = "CONOUT$" wide
        $s3 = { 84 bf 22 00 }
        $s4 = { 5c 40 07 00 }
        $s5 = { a0 00 07 00 }
        $s6 = { 00 00 07 00 }

    condition:
        uint16(0) == 0x5a4d and all of ($h*) and 3 of ($s*)
}


Annex IV: ATLAS

meta:
  name: "8oct_resourceExtract_dustman"
  description: "A rule to find and decrypt single-byte encrypted resources that are used in Dustman case."
  hash1: "f07b0c79a8c88a5760847226af277cf34ab5508394a58820db4db5a8d0340fc7"
  hash2: "563653399b82cd443f120eceff836ea3678d4cf11d9b351bb737573c2d856299"
  author: "r00tten"
  version: "1.0"

scripts:
  decrypt_resource: "ZGVmIGRlY3J5cHRfcmVzb3VyY2UoYXJyOiBsaXN0LCB4b3Jfa2V5OiBsaXN0KSAtPiBsaXN0Og0KICAgIHJlc3VsdCA9IFtdDQoNCiAgICBmb3IgZGF0YSBpbiBhcnI6DQogICAgICAgIGZvciBrZXkgaW4geG9yX2tleToNCiAgICAgICAgICAgIGlmIDc3ID09IChkYXRhWzBdIF4ga2V5KToNCiAgICAgICAgICAgICAgICB0ZW1wID0gW10NCiAgICAgICAgICAgICAgICBmb3IgaSBpbiBkYXRhOg0KICAgICAgICAgICAgICAgICAgICB0ZW1wLmFwcGVuZChpIF4ga2V5KQ0KICAgICAgICAgICAgICAgICAgICANCiAgICAgICAgICAgICAgICByZXN1bHQuYXBwZW5kKGJ5dGVzKHRlbXApKQ0KDQogICAgcmV0dXJuIHJlc3VsdA=="
  find_xor_key: "aW1wb3J0IHJlDQoNCmRlZiBmaW5kX3hvcl9rZXkoZGF0YTogYnl0ZXMpIC0+IGxpc3Q6DQogICAgcmVzdWx0ID0gW10NCg0KICAgIGFyciA9IHJlLmZpbmRhbGwoYicoKD88PVx4NDlceGI5KVtceDAxLVx4ZmZdezh9KScsIGRhdGEpDQoNCiAgICBmb3IgaSBpbiBhcnI6DQogICAgICAgIHJlc3VsdC5hcHBlbmQoaW50KGlbMF0pKQ0KDQogICAgcmV0dXJuIHJlc3VsdA=="
  resource_extract: "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"

chain:
  s1:
    input: $param.file
    func: file_read_bin

  s2:
    input:
      - $scripts.resource_extract
      - $s1
    func: python_executor

  s3:
    input:
      - $scripts.find_xor_key
      - $s1
    func: python_executor

  s4:
    input:
      - $scripts.decrypt_resource
      - $s2
      - $s3
    func: python_executor

  s5:
    input: $s4
    func: save_file_arr
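Steps s3 and s4 of the chain in plain Python, as an added example that is not the ATLAS rule's own scripts (those decode from the base64 above to a regex for the imm64 after `49 b9`, taking its first byte as the key, and a first-byte-equals-'M' check). It generalizes the page's single-byte key to the full 64-bit immediate, which is what the `xor rdx, r9` in the $h1 pattern applies to each qword; the loader stub bytes, keys and resource blobs are constructed, and the PE resource walk (step s2) is assumed to have produced the `resources` list.

```python
import re

# Constructed sample data (not from any real sample): a loader stub containing the
# instruction sequence matched by the page's $h1 YARA pattern, plus a resource blob
# that is a tiny PE header XOR-encrypted with the key the stub loads into r9.
XOR_KEY = b"\x41" * 8      # single-byte key 0x41 repeated across the 64-bit r9
DECOY_KEY = b"\x11" * 8    # another mov r9, imm64 that is not the resource key

LOADER_STUB = (
    b"\x49\xb9" + DECOY_KEY        # mov r9, imm64 (unrelated constant)
    + b"\x49\xb9" + XOR_KEY        # mov r9, imm64 (the XOR key)
    + b"\x44\x8b\xc0"              # mov r8d, eax
    + b"\x49\xc1\xe8\x03"          # shr r8, 3
    + b"\x48\x8b\x14\x08"          # mov rdx, [rax+rcx]   (load next qword)
    + b"\x83\xc0\x08"              # add eax, 8
    + b"\x49\x33\xd1"              # xor rdx, r9          (decrypt it)
)
PLAIN_PE = b"MZ\x90\x00" + b"\x00" * 60 + b"PE\x00\x00"


def xor_qwords(data: bytes, key8: bytes) -> bytes:
    """XOR data with a 64-bit key the way the stub does, qword by qword.
    With a repeated single byte this is exactly the page's single-byte XOR."""
    out = bytearray(data)
    for i in range(len(out)):
        out[i] ^= key8[i % 8]
    return bytes(out)


def find_xor_keys(code: bytes) -> list:
    """Candidate keys: every imm64 loaded into r9 (opcode bytes 49 b9), as in s3."""
    return re.findall(rb"(?<=\x49\xb9)[\x01-\xff]{8}", code)


def decrypt_resources(resources: list, keys: list) -> list:
    """Step s4: return every resource that decrypts to an MZ header under some key.
    The page's script checks only the first byte ('M'); checking "MZ" cuts false hits."""
    found = []
    for blob in resources:
        for key in keys:
            if len(blob) >= 2 and blob[0] ^ key[0] == 0x4D and blob[1] ^ key[1] == 0x5A:
                found.append(xor_qwords(blob, key))
                break
    return found


def triage(code: bytes, resources: list) -> list:
    """s3 then s4: recover key candidates from the code, decrypt the RCDATA blobs."""
    return decrypt_resources(resources, find_xor_keys(code))


ENCRYPTED_RESOURCE = xor_qwords(PLAIN_PE, XOR_KEY)
DECOY_RESOURCE = b"\x00" * 16    # an RT_RCDATA blob that is not an embedded PE

if __name__ == "__main__":
    for pe in triage(LOADER_STUB, [ENCRYPTED_RESOURCE, DECOY_RESOURCE]):
        print("embedded PE recovered, header:", pe[:4])
```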




Annex V: Ransom Notes


8ad01b028e6aa711d26879d346a7bef82516e372e0f14e8e69db6aef0f25d992:

    |--------------------------------------------------------------------------|
    |Shqipëria ende po paguan për aktet terroriste të kultit MEK në Durrës;    |
    |Dhe kjo lojë do të vazhdojë ...                                           |
    |--------------------------------------------------------------------------|
    |Albania is still paying for the terrorist acts of the MEK cult in Durres; |
    |And this game WILL continue ...                                           |
    |--------------------------------------------------------------------------|
    (ASCII-art logo omitted)
    @homelandjustice
    www.homelandjustice.ru
    [Your Recovery Keys]

790f344d1ae2e19135a2df0ae99b9d3f9d2ba08465e8169a69dd8dcedd2698e0:

    (ASCII-art logo omitted)
    "Të gjithë skedarët tuaj janë të koduar me enkriptim RSA-2048.
    Nuk është e mundur të rikuperoni skedarët tuaj pa një çelës privat.
    Duhet të na telefononi për të marrë TË GJITHË Çelësat Privatë
    për TË GJITHË PC-të e prekur."

    0682031701
    0682099450
    0697047470
    0682030272

    "Pse duhet të shpenzohen taksat tona në dobi të terroristëve të DURRESIT?"

    "All your files are encrypted with RSA-2048 encryption.
    It's not possible to recover your files without private key.
    You must call us to receive ALL Private Keys for ALL affected PC's."

    0682031701
    0682099450
    0697047470
    0682030272

    "Why should our taxes be spent on the benefit of DURRES terrorists?"
    [Your Recovery Keys]

f116acc6508843f59e59fb5a8d643370dce82f492a217764521f46a856cc4cb5:

    Identical to the note dropped by 790f344d1ae2e19135a2df0ae99b9d3f9d2ba08465e8169a69dd8dcedd2698e0 above (same text, phone numbers and logo).


Annex VI: Additional References


Various sources weren't mentioned in this blog post, but I've used them to understand the status quo. I decided to attach them as well for those who would like to continue: