Surprise Ransomware Support and Help Topic (.surprise, .tzu extension)


120 replies to this topic

#1 theeye23

theeye23

  • Members
  • 16 posts

Posted 09 March 2016 - 08:59 PM

Good day,
 
Please help, all my pictures, videos, DWG, text and PDF files are encrypted. They all have the extension name .surprise, e.g. mypicture.jpg.surprise
 
Then in my desktop, there are files with names surprise.exe, DECRYPTION_HOWTO.Notepad and Encrypted_Files.Notepad
 
This is the content of the DECRYPTION_HOWTO.Notepad:

What happened to your files ?
All of your files were protected by a strong encryption.
There is no way to decrypt your files without the key.
If your files not important for you just reinstall your system.
If your files is important just email us to discuss the price and how to decrypt your files.
You can email us to nowayout@protonmail.com and nowayout@sigaint.org
Write your Email to both email addresses PLS
We accept just BITCOIN if you dont know what it is just google it.
We will give instructions where and how you buy bitcoin in your country.
Price depends on how important your files and network is.it could be 0.5 bitcoin to 25 bitcoin.
You can send us a 1 encrypted file for decryption.
Feel free to email us with your country and computer name and username of the infected system.

 
Is there any decryption program for this? I do not have money to pay them.
 
This is the result from VirusTotal when I upload the surprise.exe:
 
https://www.virustotal.com/en/file/ddb0c54759fada5cff7bb60237ace601fcbd526208627fdee170d9ed41e91c7a/analysis/



#2 Demonslay335

Demonslay335

  • Security Colleague
  • 2,074 posts
  • Gender:Male
  • Location:USA

Posted 09 March 2016 - 09:06 PM

Can you submit that executable to Malwr.com, as well as the malware submission channel here on BC? You can submit it here and here for the crypto experts to look at. It would also be helpful if you could share a few sample encrypted files (preferably PNG or TXT), and if you have one with a clean copy (e.g. Windows sample pictures). Looks new so far from what you describe.

 

Sorry if I have to chuckle at the name of it.


ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]


#3 theeye23

theeye23
  • Topic Starter

  • Members
  • 16 posts

Posted 09 March 2016 - 09:23 PM

Can you submit that executable to Malwr.com, as well as the malware submission channel here on BC? You can submit it here and here for the crypto experts to look at. It would also be helpful if you could share a few sample encrypted files (preferably PNG or TXT), and if you have one with a clean copy (e.g. Windows sample pictures). Looks new so far from what you describe.

 

Sorry if I have to chuckle at the name of it.

Ok sir, thanks for the response, I will do it immediately.

 

It's ok, when I first saw it, I also chuckled while getting angry at the same time.



#4 theeye23

theeye23
  • Topic Starter

  • Members
  • 16 posts

Posted 09 March 2016 - 09:30 PM

This is the result from Malwr.com

 

https://malwr.com/analysis/YThkYzBkYzVmNjk1NGQ2YThhZDY2ZGIzYzg0MTkxZTU/

 

How do I attach a file here? I want to show you the encrypted file.



#5 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 42,567 posts
  • Gender:Male
  • Location:USA

Posted 09 March 2016 - 09:32 PM

Ughh..it never ends. Looking at it.

#6 Demonslay335

Demonslay335

  • Security Colleague
  • 2,074 posts
  • Gender:Male
  • Location:USA

Posted 09 March 2016 - 09:32 PM

Thanks, I'll take a look when I get home. You can upload the sample files to SendSpace.com and post links here. Don't share the malware that way for safety - I can get a dump from Malwr for my own analysis.



#7 theeye23

theeye23
  • Topic Starter

  • Members
  • 16 posts

Posted 09 March 2016 - 09:48 PM

Here is the link of the encrypted files:

 

https://www.sendspace.com/filegroup/M%2BvZ58es1naPgC0N6iBfyF2ZDsx5wMgu5yr7Crsy%2FtQ

 

Thank you for the quick response.



#8 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 42,567 posts
  • Gender:Male
  • Location:USA

Posted 09 March 2016 - 11:28 PM

This one is interesting. The surprise.exe program does nothing but load a program from a base64 encoded string into memory and launch it from there. That program then performs the encryption. It looks like a HEAVILY modified EDA2 version.

Unfortunately, the C2 server appears to be down now.

#9 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 42,567 posts
  • Gender:Male
  • Location:USA

Posted 09 March 2016 - 11:28 PM

theeye23, any idea where surprise.exe came from?

#10 Demonslay335

Demonslay335

  • Security Colleague
  • 2,074 posts
  • Gender:Male
  • Location:USA

Posted 09 March 2016 - 11:43 PM

So we are slowly seeing more sophistication with the EDA2 variants... Someone must be distributing forks or something. If the server is down, then the malware can't encrypt anymore... For now...



#11 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 42,567 posts
  • Gender:Male
  • Location:USA

Posted 09 March 2016 - 11:46 PM

theeye23, at this time there is not much we can do for you. The command & control server appears to be down and the encryption itself is secure. If the C2 comes up, we can try and do more.

#12 theeye23

theeye23
  • Topic Starter

  • Members
  • 16 posts

Posted 10 March 2016 - 12:08 AM

theeye23, any idea where surprise.exe came from?

I do not know either. I can't remember installing or downloading any software before that happened. But I suspect it came from a website; I was running an auto-surf traffic exchanger overnight last night (our time), and then this morning I found that.

 

So we are slowly seeing more sophistication with the EDA2 variants... Someone must be distributing forks or something. If the server is down, then the malware can't encrypt anymore... For now...

 

theeye23, at this time there is not much we can do for you. The command & control server appears to be down and the encryption itself is secure. If the C2 comes up, we can try and do more.

 

Sigh, ok sir, I think after executing the program, it takes down the CC. But I'll wait for the further analysis of the malware. Thanks for the response.


Edited by theeye23, 10 March 2016 - 12:08 AM.


#13 Demonslay335

Demonslay335

  • Security Colleague
  • 2,074 posts
  • Gender:Male
  • Location:USA

Posted 10 March 2016 - 01:32 AM

Yep, more AES256 and RSA-2048 action. It does attempt to delete shadow copies via a batch script it generates (and deletes after running). Skips Windows folder, Programs folders, and any directories with a $. It also skips directories deeper than 235 characters. Skips hidden files.
 
 
I recommend trying recovery tools such as Recuva and PhotoRec, always worth a shot.
 
Here's the full white-list of extensions it encrypts.
".asf", ".pdf", ".xls", ".docx", ".xlsx", ".mp3", ".waw", ".jpg", ".jpeg", ".txt", ".rtf", ".doc", ".rar", ".zip", ".psd", ".tif", ".wma", ".gif", ".bmp", ".ppt", ".pptx", ".docm", ".xlsm", ".pps", ".ppsx", ".ppd", ".eps", ".png", ".ace", ".djvu", ".tar", ".cdr", ".max", ".wmv", ".avi", ".wav", ".mp4", ".pdd", ".php", ".aac", ".ac3", ".amf", ".amr", ".dwg", ".dxf", ".accdb", ".mod", ".tax2013", ".tax2014", ".oga", ".ogg", ".pbf", ".ra", ".raw", ".saf", ".val", ".wave", ".wow", ".wpk", ".3g2", ".3gp", ".3gp2", ".3mm", ".amx", ".avs", ".bik", ".dir", ".divx", ".dvx", ".evo", ".flv", ".qtq", ".tch", ".rts", ".rum", ".rv", ".scn", ".srt", ".stx", ".svi", ".swf", ".trp", ".vdo", ".wm", ".wmd", ".wmmp", ".wmx", ".wvx", ".xvid", ".3d", ".3d4", ".3df8", ".pbs", ".adi", ".ais", ".amu", ".arr", ".bmc", ".bmf", ".cag", ".cam", ".dng", ".ink", ".jif", ".jiff", ".jpc", ".jpf", ".jpw", ".mag", ".mic", ".mip", ".msp", ".nav", ".ncd", ".odc", ".odi", ".opf", ".qif", ".xwd", ".abw", ".act", ".adt", ".aim", ".ans", ".asc", ".ase", ".bdp", ".bdr", ".bib", ".boc", ".crd", ".diz", ".dot", ".dotm", ".dotx", ".dvi", ".dxe", ".mlx", ".err", ".euc", ".faq", ".fdr", ".fds", ".gthr", ".idx", ".kwd", ".lp2", ".ltr", ".man", ".mbox", ".msg", ".nfo", ".now", ".odm", ".oft", ".pwi", ".rng", ".rtx", ".run", ".ssa", ".text", ".unx", ".wbk", ".wsh", ".7z", ".arc", ".ari", ".arj", ".car", ".cbr", ".cbz", ".gz", ".gzig", ".jgz", ".pak", ".pcv", ".puz", ".rev", ".sdn", ".sen", ".sfs", ".sfx", ".sh", ".shar", ".shr", ".sqx", ".tbz2", ".tg", ".tlz", ".vsi", ".wad", ".war", ".xpi", ".z02", ".z04", ".zap", ".zipx", ".zoo", ".ipa", ".isu", ".jar", ".js", ".udf", ".adr", ".ap", ".aro", ".asa", ".ascx", ".ashx", ".asmx", ".asp", ".indd", ".asr", ".qbb", ".bml", ".cer", ".cms", ".crt", ".dap", ".htm", ".moz", ".svr", ".url", ".wdgt", ".abk", ".bic", ".big", ".blp", ".bsp", ".cgf", ".chk", ".col", ".cty", ".dem", ".elf", ".ff", ".gam", ".grf", ".h3m", ".h4r", ".iwd", ".ldb", ".lgp", ".lvl", ".map", ".md3", 
".mdl", ".nds", ".pbp", ".ppf", ".pwf", ".pxp", ".sad", ".sav", ".scm", ".scx", ".sdt", ".spr", ".sud", ".uax", ".umx", ".unr", ".uop", ".usa", ".usx", ".ut2", ".ut3", ".utc", ".utx", ".uvx", ".uxx", ".vmf", ".vtf", ".w3g", ".w3x", ".wtd", ".wtf", ".ccd", ".cd", ".cso", ".disk", ".dmg", ".dvd", ".fcd", ".flp", ".img", ".isz", ".mdf", ".mds", ".nrg", ".nri", ".vcd", ".vhd", ".snp", ".bkf", ".ade", ".adpb", ".dic", ".cch", ".ctt", ".dal", ".ddc", ".ddcx", ".dex", ".dif", ".dii", ".itdb", ".itl", ".kmz", ".lcd", ".lcf", ".mbx", ".mdn", ".odf", ".odp", ".ods", ".pab", ".pkb", ".pkh", ".pot", ".potx", ".pptm", ".psa", ".qdf", ".qel", ".rgn", ".rrt", ".rsw", ".rte", ".sdb", ".sdc", ".sds", ".sql", ".stt", ".tcx", ".thmx", ".txd", ".txf", ".upoi", ".vmt", ".wks", ".wmdb", ".xl", ".xlc", ".xlr", ".xlsb", ".xltx", ".ltm", ".xlwx", ".mcd", ".cap", ".cc", ".cod", ".cp", ".cpp", ".cs", ".csi", ".dcp", ".dcu", ".dev", ".dob", ".dox", ".dpk", ".dpl", ".dpr", ".dsk", ".dsp", ".eql", ".ex", ".f90", ".fla", ".for", ".fpp", ".jav", ".java", ".lbi", ".owl", ".pl", ".plc", ".pli", ".pm", ".res", ".rsrc", ".so", ".swd", ".tpu", ".tpx", ".tu", ".tur", ".vc", ".yab", ".aip", ".amxx", ".ape", ".api", ".mxp", ".oxt", ".qpx", ".qtr", ".xla", ".xlam", ".xll", ".xlv", ".xpt", ".cfg", ".cwf", ".dbb", ".slt", ".bp2", ".bp3", ".bpl", ".clr", ".dbx", ".jc", ".potm", ".ppsm", ".prc", ".prt", ".shw", ".std", ".ver", ".wpl", ".xlm", ".yps", ".1cd", ".bck", ".html", ".bak", ".odt", ".pst", ".log", ".mpg", ".mpeg", ".odb", ".wps", ".xlk", ".mdb", ".dxg", ".wpd", ".wb2", ".dbf", ".ai", ".3fr", ".arw", ".srf", ".sr2", ".bay", ".crw", ".cr2", ".dcr", ".kdc", ".erf", ".mef", ".mrw", ".nef", ".nrw", ".orf", ".raf", ".rwl", ".rw2", ".r3d", ".ptx", ".pef", ".srw", ".x3f", ".der", ".pem", ".pfx", ".p12", ".p7b", ".p7c", ".jfif", ".exif", ".rar"

Edited by Demonslay335, 10 March 2016 - 02:27 AM.
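A triage helper that follows from the behaviour described above, added here as an example and not code from the thread or from any tool the posters mention: it walks a directory tree, counts .surprise files by their original extension, flags any whose original extension is not on the documented whitelist (a hint that a different variant was at work), and lists the two ransom note files named in post #1. The whitelist below is only a small subset of the full list quoted in the post, and the sample tree it builds is constructed for the dry run.

```python
import os
import tempfile
from collections import Counter

MARKER = ".surprise"
# Ransom note file names reported at the start of this thread
NOTE_NAMES = {"DECRYPTION_HOWTO.Notepad", "Encrypted_Files.Notepad"}
# Subset of the extension whitelist quoted in the post (the post carries the full list)
TARGETED = {".pdf", ".xls", ".docx", ".jpg", ".txt", ".dwg", ".png", ".mp4", ".zip"}


def inventory(root):
    """Scope the damage under `root`: count .surprise files by original
    extension, flag encrypted files whose original extension is not on the
    documented whitelist, and collect the ransom notes that were dropped."""
    by_ext = Counter()
    off_whitelist = []
    notes = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if name in NOTE_NAMES:
                notes.append(path)
            elif name.endswith(MARKER):
                original = name[:-len(MARKER)]  # mypicture.jpg.surprise -> mypicture.jpg
                ext = os.path.splitext(original)[1].lower()
                by_ext[ext] += 1
                if ext not in TARGETED:
                    off_whitelist.append(path)
    return {"encrypted": sum(by_ext.values()), "by_ext": dict(by_ext),
            "off_whitelist": off_whitelist, "notes": notes}


def build_sample_tree():
    """Constructed sample tree (not a real infection) for a dry run."""
    root = tempfile.mkdtemp(prefix="surprise_triage_")
    for rel in ("Pictures/holiday.jpg.surprise", "Pictures/scan.pdf.surprise",
                "Desktop/notes.txt.surprise", "Desktop/odd.xyz.surprise",
                "Desktop/DECRYPTION_HOWTO.Notepad", "Desktop/Encrypted_Files.Notepad",
                "Desktop/untouched.txt"):
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(b"constructed sample content")
    return root


if __name__ == "__main__":
    report = inventory(build_sample_tree())
    print(f"{report['encrypted']} encrypted files, by extension: {report['by_ext']}")
    print("not on documented whitelist:", report["off_whitelist"])
    print("ransom notes:", report["notes"])
```

Point `inventory()` at the root of an affected drive to get a per-extension count for the incident record before attempting recovery tools.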



#14 theeye23

theeye23
  • Topic Starter

  • Members
  • 16 posts

Posted 10 March 2016 - 02:24 AM

Ah, that's why I don't see a shadow copy. I also tried to recover using Recuva and ran a deep scan, but no deleted files were shown. :ranting: this ransomware.


Edited by theeye23, 10 March 2016 - 02:24 AM.


#15 jimyolsen

jimyolsen

  • Members
  • 16 posts

Posted 10 March 2016 - 08:51 PM

Hello all,

I found this topic because I was searching for some info about the surprise encrypt virus / ransomware.

 

I have been infected today and right now I have too many files encrypted with the .surprise extension.

 

I think I stopped the encryption process before its end because I killed the surprise.exe process, and it stopped in the middle of an images folder on my 4th HDD (see image).

 

[attached screenshot: LlWob8Z.jpg]

 

 

I am trying with Recuva software but no luck.

 

I would appreciate any help, and I can also provide any information you would like to try to find a decryption key and help everybody.

 

For your info, I run my own WAMP server on my PC to test web applications locally. I don't know how I got infected. At the time it seems to have started encrypting files I wasn't working with it. I had stopped working about an hour before, and started again approximately an hour after it started.

 

Thank you very much for your help

Best regards

 





