
Ransom32 Ransomware Support Topic


30 replies to this topic

#1 junkcan

junkcan

  • Members
  • 21 posts
  • Local time:12:25 AM

Posted 29 December 2015 - 04:59 PM

My computer was infected by ransomware. I don't know the type or name of that ransomware.

I forgot to take a screenshot.

At the top of the ransomware screen, "ransom32" was written.

I formatted the C: drive and installed Windows 10 again, and now I cannot restore my system.

I tried the Kaspersky ransomware kit and other kits. I cannot open my pics, docs and mp3s.

Could you help me? I can send the encrypted files.

Sorry for my English.


 


#2 billo1007

billo1007

  • Members
  • 16 posts
  • Local time:10:25 PM

Posted 29 December 2015 - 05:06 PM

 


 

 

Your files are encrypted. If you do not have a backup, you need to identify what ransomware it is and hope that one day a decryptor is released.

TeslaCrypt is defined by VVV extensions; CryptoWall 4 is defined by random file names and random file extensions.

If you have a backup, reformat your computer, reinstall Windows and reinstate the data manually.

Or pay the ransom.
 

 

 


Edited by billo1007, 29 December 2015 - 05:07 PM.


#3 junkcan

junkcan
  • Topic Starter

  • Members
  • 21 posts
  • Local time:12:25 AM

Posted 29 December 2015 - 05:15 PM

I have submitted an encrypted file.

Because of the reinstallation of Windows, I cannot find a restore point.

The names and extensions of the files are the same, but they cannot be opened.



#4 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 45,285 posts
  • Gender:Male
  • Location:Virginia, USA
  • Local time:06:25 PM

Posted 29 December 2015 - 05:16 PM

Are there any file extensions appended to your files...such as .ecc, .ezz, .exx, .zzz, .xyz, .aaa, .abc, .ccc, .vvv, .encrypted, .crinf, .XRNT, .XTBL, .crypt, .pzdc, .good, .LOL!, .OMG!, .RDM, .RRK, .encryptedRSA, .EnCiPhErEd, .0x0, .bleep, .1999, {CRYPTENDBLACKDC}, .vault, .HA3, .toxcrypt, .CTBL, .CTB2, or 6-7 length extension consisting of random characters?

Did you find any ransom note? These infections are created to alert victims that their data has been encrypted and demand a ransom payment. Check your documents folder for an image the malware typically uses for the background note. Check the C:\ProgramData (or C:\Documents and Settings\All Users\Application Data) for a randomly named .html, .txt, .png, .bmp, .url file.

These are some examples:
HELP_DECRYPT.TXT, HELP_YOUR_FILES.TXT, HELP_TO_DECRYPT_YOUR_FILES.txt
HELP_RESTORE_FILES.txt, HELP_TO_SAVE_FILES.txt, RECOVERY_KEY.txt, DecryptAllFiles.txt
DECRYPT_INSTRUCTIONS.TXT, INSTRUCCIONES_DESCIFRADO.TXT, How_To_Recover_Files.txt
DECRYPT_INSTRUCTION.TXT, HOW_TO_DECRYPT_FILES.TXT, ReadDecryptFilesHere.txt, 
About_Files.txt, FILESAREGONE.TXT, IHAVEYOURSECRET.KEY, HELLOTHERE.TXT, SECRETIDHERE.KEY, 
READTHISNOW!!!.TXT, SECRET.KEY, HELPDECYPRT_YOUR_FILES.HTML, Help_Decrypt.txt
YOUR_FILES.HTML, DecryptAllFiles_<user name>.txt, encryptor_raas_readme_liesmich.txt
DecryptAllFiles_.txt, RECOVERY_FILES.txt, help_decrypt_your_files.html
Howto_RESTORE_FILES_.txt, RECOVERY_FILE_.txt, restore_files_.txt, _how_recover_.txt
howto_recover_file_.txt, how_recover+****.txt, recover_file_*****.txt

Note: The (*) represents random characters which some ransom note names may include.

Please submit a sample of an encrypted file here (http://www.bleepingcomputer.com/submit-malware.php?channel=3) with a link to this topic.

You can also submit samples of any suspicious executables (malicious files) that you suspect were involved in causing the infection. Doing that will be helpful with analyzing and investigating.

These are common locations malicious executables related to ransomware infections may be found:
%Temp%
C:\<random>\<random>.exe
%AppData%
%LocalAppData%
%ProgramData%
%WinDir%

Microsoft MVP - Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If we have helped you and you wish to make a DONATION, please Help BleepingComputer!

#5 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 45,285 posts
  • Gender:Male
  • Location:Virginia, USA
  • Local time:06:25 PM

Posted 29 December 2015 - 05:25 PM

...The names and extensions of files are same, but it cannot be opened.

What exactly are they?

Did you find a ransom note as I described above?

#6 junkcan

junkcan
  • Topic Starter

  • Members
  • 21 posts
  • Local time:12:25 AM

Posted 29 December 2015 - 05:27 PM

I have formatted my C: hard disk and installed Windows 10 again.

All the file extensions and file names are the same; nothing was changed.

There were two countdown timers on the ransomware screen: one of them was about payment time (4 days), the other one was about deletion time. It said "your files will be deleted in .... hours" (about 12 days).

I sent the file to you before this topic. Now I will send it again.
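
The triage in post #4 (known appended extensions, ransom-note file names) finds nothing when names and extensions are unchanged, as reported in posts #3 and #6. The following is an added example, not part of the original posts or any BleepingComputer or Emsisoft tool: it combines those two checks with a file-header check that flags files whose extension no longer matches their leading bytes. The name and extension sets are a subset of the lists in post #4; the header table and function names are assumptions chosen for illustration.

```python
import os
import sys

# Subset of the ransom-note names and appended extensions listed in post #4.
NOTE_NAMES = {"help_decrypt.txt", "help_your_files.txt", "recovery_key.txt",
              "decrypt_instructions.txt", "how_to_decrypt_files.txt"}
APPENDED_EXTS = {".ecc", ".ezz", ".exx", ".vvv", ".encrypted", ".crypt", ".vault"}

# Expected leading bytes per extension (general file-format facts, not from the
# thread). A wrong header under a kept extension suggests in-place encryption.
MAGIC = {
    ".jpg": b"\xff\xd8\xff", ".jpeg": b"\xff\xd8\xff",
    ".png": b"\x89PNG\r\n\x1a\n", ".pdf": b"%PDF-",
    ".docx": b"PK\x03\x04", ".xlsx": b"PK\x03\x04",
    ".doc": b"\xd0\xcf\x11\xe0", ".xls": b"\xd0\xcf\x11\xe0",
}

def classify(path):
    """Return 'ransom_note', 'known_extension', 'header_mismatch' or None."""
    name = os.path.basename(path).lower()
    ext = os.path.splitext(name)[1]
    if name in NOTE_NAMES:
        return "ransom_note"
    if ext in APPENDED_EXTS:
        return "known_extension"
    if ext in MAGIC:
        try:
            with open(path, "rb") as fh:
                head = fh.read(8)
        except OSError:
            return None  # unreadable: skip rather than guess
        if head and not head.startswith(MAGIC[ext]):
            return "header_mismatch"
    return None

def triage(root):
    """Walk root and return {path: finding} for every flagged file."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            full = os.path.join(dirpath, fname)
            verdict = classify(full)
            if verdict:
                findings[full] = verdict
    return findings

if __name__ == "__main__":
    for path, verdict in triage(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        print(verdict, path)
```

A `header_mismatch` result is a heuristic: it also fires on corrupt or misnamed files, so treat it as a pointer to samples worth submitting rather than proof of encryption.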



#7 junkcan

junkcan
  • Topic Starter

  • Members
  • 21 posts
  • Local time:12:25 AM

Posted 29 December 2015 - 05:33 PM

I sent an encrypted file to you.


Edited by junkcan, 29 December 2015 - 05:33 PM.


#8 junkcan

junkcan
  • Topic Starter

  • Members
  • 21 posts
  • Local time:12:25 AM

Posted 29 December 2015 - 05:50 PM

I am sending another file, which is a document.
Maybe it can be useful. In the document there are some Chinese characters. But the original document was Turkish.


#9 Fabian Wosar

Fabian Wosar

    Authorized Emsisoft Representative


  • Security Developer
  • 659 posts
  • Gender:Male
  • Location:Germany
  • Local time:11:25 PM

Posted 30 December 2015 - 04:30 AM

Looking into this one today.



#10 junkcan

junkcan
  • Topic Starter

  • Members
  • 21 posts
  • Local time:12:25 AM

Posted 30 December 2015 - 11:27 AM

I am waiting for your reply. Thank you



#11 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 45,285 posts
  • Gender:Male
  • Location:Virginia, USA
  • Local time:06:25 PM

Posted 30 December 2015 - 03:15 PM

Please be patient. Staff, Security Colleagues and Security Experts like Fabian Wosar are all volunteers who assist members as time permits. No one is paid for their work or assistance to members of our community. This site receives hundreds of requests for help every day. New malware infections are released almost daily and it takes time for our volunteers to investigate before they can try to help anyone. We are grateful for whatever free work our volunteer Security Experts can dedicate to investigating, analyzing and creating (when possible) fix tools that help so many of our members with malware-related problems.

Thanks for understanding.

#12 junkcan

junkcan
  • Topic Starter

  • Members
  • 21 posts
  • Local time:12:25 AM

Posted 30 December 2015 - 03:57 PM

Thanks a lot for your interest.



#13 Fabian Wosar

Fabian Wosar

    Authorized Emsisoft Representative


  • Security Developer
  • 659 posts
  • Gender:Male
  • Location:Germany
  • Local time:11:25 PM

Posted 30 December 2015 - 05:06 PM

To give you a quick update:

 

We did find the initial infection and are currently taking it apart. It is pretty unique, to be honest, and nothing that has been seen before, so the analysis will take a while, unfortunately. xXToffeeXx and I are trying to get it done as quickly as possible and we will keep you posted.



#14 junkcan

junkcan
  • Topic Starter

  • Members
  • 21 posts
  • Local time:12:25 AM

Posted 30 December 2015 - 05:16 PM

Thank you very much. I will wait for your post.

I hope it will be solved.


Edited by junkcan, 30 December 2015 - 05:32 PM.


#15 White Hat Mike

White Hat Mike

  • Members
  • 312 posts
  • Gender:Male
  • Location:::1
  • Local time:06:25 PM

Posted 30 December 2015 - 05:16 PM

Can you please PM me a download link for the dropper, say, after uploading it to Mega?


Information Security Engineer | Penetration Tester | Forensic Analyst

CipherTechs.com




