
Ransomware Attack


9 replies to this topic

#1 DrPCfix

Posted 30 November 2010 - 05:45 PM

I just got a PC in for repair with a ransomware attack.

Specs XP/SP3, running AVG 9

all files (doc, xls, txt, bmp, jpg etc) have been renamed and apparently encrypted
found on the desktop a txt file which demands $120 be sent to decrypt

renamed files all end in .ENCODED

RKILL finds nothing
Malwarebytes runs for 10 seconds and then exits in both regular and safe mode.

found on the desktop is a file (HOW TO DECRYPT FILES.txt) containing the following:

Attention!!!
All your personal files (photo, documents, texts, databases, certificates, kwm-files, video) have been encrypted by a very strong cypher RSA-1024. The original files are deleted. You can check this by yourself - just look for files in all folders.
There is no possibility to decrypt these files without a special decrypt program! Nobody can help you - even don't try to find another method or tell anybody. Also after n days all encrypted files will be completely deleted and you will have no chance to get it back.
We can help to solve this task for 120$ via wire transfer (bank transfer SWIFT/IBAN). And remember: any harmful or bad words to our side will be a reason for ingoring your message and nothing will be done.
For details you have to send your request on this e-mail (attach to message a full serial key shown below in this 'how to..' file on desktop): datafinder@fastmail.fm

Edited by DrPCfix, 30 November 2010 - 08:49 PM.



#2 quietman7 (Global Moderator)

Posted 30 November 2010 - 09:54 PM

Sorry to report but this appears to be a new variant of the GpCode-like ransomware. Sophos has named it Troj/Ransom-U and Kaspersky has named it Trojan-Ransom.Win32.GpCode.ax. Kaspersky also advises that the chances of getting your data back are very low as the malware is using the RSA-1024 and AES-256 crypto-algorithms. You can read more about the infection here.

It was just reported yesterday so security vendors are still trying to determine what approach to take. Kaspersky says they will keep posting more information as they continue their investigation.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#3 DrPCfix (Topic Starter)

Posted 01 December 2010 - 09:40 AM

Do you have a link to the Kaspersky posting? Any idea how this or any PC can get infected by this virus? Are any of the current AV vendors able to catch it before it does harm? I've visited multiple AV sites and have found no mention of it yet.

Potentially, millions of PC users could lose their data to this virus.

#4 quietman7 (Global Moderator)

Posted 01 December 2010 - 10:04 AM

Kaspersky Lab experts are working on an in-depth analysis of the recent Trojan and will update you on every discovery that may assist with data recovery.

If you think you are infected, we recommend that you do not change anything on your system as it may prevent potential data recovery if we find a solution. It is safe to shut down the computer or restart it despite claims by the malware writer that files are deleted after N days - we haven't seen any evidence of a time-based file deleting mechanism. But nevertheless, it is better to stay away from any changes that could be made to the file system which, for example, may be caused by a computer restart.

Securelist Blog

The program spreads via malicious websites and P2P networks

Securelist Threat Level

Users have reported to us that they have received the attack via a malicious PDF which downloads and installs the ransomware. Sophos detects the PDF as Troj/PDFJS-ML.

Sophos news report

Sophos: Troj/Ransom-U
Trojan-Ransom.Win32.Gpcode.ax

I have been looking around this morning but have not seen any updates.

#5 DrPCfix (Topic Starter)

Posted 02 December 2010 - 10:30 AM

So, I opened a chat session with Norton - the claimed gods of internet security -- read the chat and then tell me how confident you all are about using their product?

Symantec LiveAssist Chat

Connected Status Analyst Anjith is here to assist you.

Issue: Ransom.Win32.GpCode.ax

Aneesh(Thu Dec 02 2010 06:53:32 GMT-0500 (Eastern Standard Time))>

Are you connected from the computer which has this particular issue?


drpcfix(Thu Dec 02 2010 09:53:50 GMT-0500 (Eastern Standard Time))>

no, computer has been trashed by virus, all files have been encrypted


Aneesh(Thu Dec 02 2010 06:58:22 GMT-0500 (Eastern Standard Time))>

Are you able to connect to any websites from the infected computer like Google or MSN?


drpcfix(Thu Dec 02 2010 09:59:19 GMT-0500 (Eastern Standard Time))>

no, computer does not boot. i took out hard drive and all files have been renamed with an extension of .ENCODED. On the desktop is a ransom letter


drpcfix(Thu Dec 02 2010 10:03:26 GMT-0500 (Eastern Standard Time))>

has norton added a definition for this virus?


Aneesh(Thu Dec 02 2010 07:04:14 GMT-0500 (Eastern Standard Time))>

As I understand from your issue description, your computer is infected with Ransom.Win32.GpCode.ax.Is that correct ?


drpcfix(Thu Dec 02 2010 10:04:24 GMT-0500 (Eastern Standard Time))>

yes


Aneesh(Thu Dec 02 2010 07:06:13 GMT-0500 (Eastern Standard Time))>

Henry, since you are not able to boot your computer I would suggest you to contact a local technician for further assistance.


drpcfix(Thu Dec 02 2010 10:07:58 GMT-0500 (Eastern Standard Time))>

i took the computer to a local tech who said that the pc needed to have windows reloaded and that all my files are lost. however before i do this i need to know that norton will protect me so that this will not happen again, so does norton protect?


Aneesh(Thu Dec 02 2010 07:10:21 GMT-0500 (Eastern Standard Time))>

Yes Henry.


Aneesh(Thu Dec 02 2010 07:10:22 GMT-0500 (Eastern Standard Time))>

Is there anything else I can help you with?


drpcfix(Thu Dec 02 2010 10:11:43 GMT-0500 (Eastern Standard Time))>

can you give me a link to somewhere on the norton website that backs up your claim that this virus has been added? i've searched the site and can not find it


Aneesh(Thu Dec 02 2010 07:12:09 GMT-0500 (Eastern Standard Time))>

You are currently experiencing a product related issue.This is supported by the Technical Support Team.


I can connect this chat session to the Technical Support Team directly. May I do so?
You can also connect to them by visiting http://www.symantec.com/supportoptions


drpcfix(Thu Dec 02 2010 10:12:23 GMT-0500 (Eastern Standard Time))>

y


Aneesh(Thu Dec 02 2010 07:12:43 GMT-0500 (Eastern Standard Time))>

I will now transfer this session to the Technical Support Team, who will assist you further with this issue.

Please note that, you can also connect to them directly by visiting http://www.symantec.com/supportoptions


It has been pleasure working with you, thank you for using Norton; have a great day.

Please wait while I connect you to the Technical Support Team. This normally takes between 2 to 5 minutes.


Aneesh(Thu Dec 02 2010 07:12:47 GMT-0500 (Eastern Standard Time))>

Please wait, while the issue is escalated to another analyst.


Anjith has entered room.


Anjith(Thu Dec 02 2010 07:12:54 GMT-0500 (Eastern Standard Time))>

Welcome to Norton Support, my name is Anjith Raju. Can I please have a minute to go through the information you have provided?


Aneesh has left room.


Anjith(Thu Dec 02 2010 07:14:13 GMT-0500 (Eastern Standard Time))>

Hi drpcfix, may I know what is the exact issue?


drpcfix(Thu Dec 02 2010 10:15:51 GMT-0500 (Eastern Standard Time))>

pc got a virus, from my searching the internet its called Ransom.Win32.GpCode.ax. it appears that all files on my drive are encrypted beyond repair. i will reinstall xp, but before i do so, i want to know that norton has added this virus to their db so that i dont get it again


drpcfix(Thu Dec 02 2010 10:16:30 GMT-0500 (Eastern Standard Time))>

its a new variant that came out somewhere around 11/25/2010, there were similar but less evil versions since 2004


Anjith(Thu Dec 02 2010 07:16:44 GMT-0500 (Eastern Standard Time))>

drpcfix, I have noted down the virus name.


Anjith(Thu Dec 02 2010 07:17:05 GMT-0500 (Eastern Standard Time))>

That virus definition will be added to the Norton server,


Anjith(Thu Dec 02 2010 07:17:18 GMT-0500 (Eastern Standard Time))>

So that this virus will not affect any PC any more,


drpcfix(Thu Dec 02 2010 10:17:29 GMT-0500 (Eastern Standard Time))>

when will it be added?


Anjith(Thu Dec 02 2010 07:18:30 GMT-0500 (Eastern Standard Time))>

Before updating, our technicians need to investigate this virus.


Anjith(Thu Dec 02 2010 07:18:44 GMT-0500 (Eastern Standard Time))>

So it will take 2 weeks to update.


drpcfix(Thu Dec 02 2010 10:19:22 GMT-0500 (Eastern Standard Time))>

how will the public be notified to this happening?


Anjith(Thu Dec 02 2010 07:20:07 GMT-0500 (Eastern Standard Time))>

That will update through Live Update

#6 quietman7 (Global Moderator)

Posted 02 December 2010 - 10:53 AM

The Norton Tech says it will be added but then they advise before updating their technicians need to investigate further, then he says it will take two weeks. Sounds like he's not sure so he is giving you a two week span, probably hoping the issue will be resolved by then.

I doubt you were speaking to a researcher as the answers appear to be more generic than specific. I suspect Norton is in the same boat as every other security vendor...still investigating and still trying to determine how to handle the infection.

#7 DrPCfix (Topic Starter)

Posted 02 December 2010 - 05:34 PM

Well I don't know about the rest of you, but this virus scares the pants off of me. We all know that most users have pitiful backups and if this virus becomes prevalent they will quickly tire of the need to keep reinstalling Windows each time they get infected.

Interestingly enough, none of the AV vendors seem to be saying anything about this virus. I'm guessing that they only like to toot their horns after they have figured it out.

After all, no sense advising users to be extra diligent with backups if you can't help them anyways.

#8 quietman7 (Global Moderator)

Posted 02 December 2010 - 05:46 PM

Quote (DrPCfix): Interestingly enough, none of the AV vendors seem to be saying anything about this virus.

Appears that way as I have been looking around...not much since the initial warning reports.

#9 pengu

Posted 06 December 2010 - 02:40 PM

Has there been any update on this spyware yet? I also have this infection on one of my clients' computers.

#10 z4 guy

Posted 19 December 2010 - 08:31 PM

At the end of November in a Starbucks one day I was online when a Java applet quickly kicked on and off, a PDF notice appeared and I got a BSOD. Would not boot after just a flashing cursor. Had Win 7 at the time. Had to reinstall OS and put on Vista with latest SP and copied back some files I had rescued from a DOS prompt file save after the initial crash.

Today, same Starbucks. Online, I know where: an academic site in one tab and my online vita in another. I had reinstalled Java yesterday. All of a sudden I got a Java dialogue box open then close, then a PDF with a .ru extension asked to download, since they must prompt for me. I said no, then saw my desktop had the ransom pic text. My icons were changed and files given the .ENCODED extension. I deleted the file it asked me to read without reading it. McAfee popped up a window saying it cleaned four files, but on a scan it found 11. Ad-Aware hung and would not run. Task Manager showed the rogue executable, which I stopped and deleted. Hope that helps.

The sooner you stop and delete the executable from Task Manager it seems the sooner it stops encoding. Does just encode beginning of file but PDFs are rendered useless with Adobe.
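The thread reports three things a technician can check on a pulled drive without writing to it: the renamed files end in .ENCODED, a note named HOW TO DECRYPT FILES.txt is dropped on the desktop, and (per the post above) the malware may only encrypt the beginning of each file. The following triage script is an added example written for this page; it is not code from the thread, from Kaspersky or from Sophos. It walks a mounted drive or image read-only, lists the ransom notes and .ENCODED files, and compares the byte entropy of each file's first 4 KiB (an assumed window size) against the rest, so you can verify on your own disk whether the head-only observation holds before deciding what is salvageable. The sample tree it builds in a temp directory is constructed test data, not real malware output.

```python
"""Added triage example (not from the thread): enumerate .ENCODED files and
ransom notes on a mounted drive, and test the "only the start of the file is
encrypted" observation by comparing head vs. tail byte entropy.
The drive is only read; nothing is written into it (per Kaspersky's advice
not to alter the file system while recovery is still possible)."""
import math
import random
import tempfile
from collections import Counter
from pathlib import Path

ENCRYPTED_SUFFIX = ".ENCODED"                     # extension reported in the thread
RANSOM_NOTE_NAMES = {"how to decrypt files.txt"}  # note file name reported in the thread
HEAD_BYTES = 4096                                 # assumption: size of the head window
HIGH_ENTROPY = 7.0                                # bits/byte: ciphertext or random data
LOW_ENTROPY = 6.0                                 # bits/byte: typical text/office/image data


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ~7.9+ for ciphertext/random bytes, far lower for plaintext."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify(path: Path, head_bytes: int = HEAD_BYTES) -> dict:
    """Compare entropy of the first head_bytes against the remainder of the file.
    'head-only' means the tail still looks like plaintext and may be partly recoverable."""
    data = path.read_bytes()
    head, tail = data[:head_bytes], data[head_bytes:]
    head_e, tail_e = shannon_entropy(head), shannon_entropy(tail)
    if tail and head_e > HIGH_ENTROPY and tail_e < LOW_ENTROPY:
        verdict = "head-only"
    elif head_e > HIGH_ENTROPY and (not tail or tail_e > HIGH_ENTROPY):
        verdict = "full"
    else:
        verdict = "unclear"
    return {"path": str(path), "head_entropy": round(head_e, 2),
            "tail_entropy": round(tail_e, 2), "verdict": verdict}


def triage(root: Path) -> dict:
    """Walk root recursively (read-only) and collect ransom notes and encrypted files."""
    notes, encrypted = [], []
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        if p.name.lower() in RANSOM_NOTE_NAMES:
            notes.append(str(p))
        elif p.name.endswith(ENCRYPTED_SUFFIX):
            encrypted.append(classify(p))
    return {"ransom_notes": notes, "encrypted_files": encrypted}


def build_sample_tree(root: Path) -> None:
    """Constructed sample data for a dry run: NOT real ransomware output.
    Random bytes stand in for ciphertext; repeated text stands in for the untouched tail."""
    rng = random.Random(2010)
    desktop = root / "Documents and Settings" / "user" / "Desktop"
    desktop.mkdir(parents=True)
    (desktop / "HOW TO DECRYPT FILES.txt").write_text("Attention!!! (constructed note)\n")
    # head encrypted, rest of the document left as-is
    (desktop / "report.doc.ENCODED").write_bytes(
        rng.randbytes(HEAD_BYTES) + b"Quarterly report body text. " * 400)
    # whole file encrypted
    (desktop / "photo.jpg.ENCODED").write_bytes(rng.randbytes(2 * HEAD_BYTES))
    # untouched file, should be ignored
    (desktop / "notes.txt").write_text("nothing to see here\n")


def demo() -> dict:
    """Build the constructed tree in a temp dir and triage it."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        build_sample_tree(root)
        return triage(root)


if __name__ == "__main__":
    result = demo()
    print("ransom notes:", *result["ransom_notes"], sep="\n  ")
    for entry in result["encrypted_files"]:
        print(f"{entry['verdict']:10} head={entry['head_entropy']:.2f} "
              f"tail={entry['tail_entropy']:.2f} {entry['path']}")
```

Point triage() at the mount point of the pulled drive (mounted read-only) instead of the temp tree. A "head-only" verdict tells you the file body survived, which matters for formats that can be partly repaired; a PDF, as the post notes, is still unusable in Adobe Reader once its header is gone, so the verdict is a recovery lead, not a decryption.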



