Got ransomware from deviantart


13 replies to this topic

#1 doomeduniverse

Posted 22 September 2014 - 08:50 PM

I knew deviantart was malicious, always showing video ads and randomly putting up pop-up ads that direct to weird places which if I don't close FAST, will quickly say "are you sure you want to navigate away from this page?" instead of just letting me close it. But there's absolutely nowhere else I could have gotten this garbage.
 
So I killed some task that was using up 50% of my cpu and deleted some file in the temp directory, but I thought that was the end of it, but all the text files in not just my main hard drive, but my external hard drive too (this horrible computer actively attacked something outside of it, how dare it be so intrusive!) now have .xzmpjmd after the .txt and they all are encrypted. It had enough time to do that with a few .jpg files in my documents and my pictures but it didn't do all of the jpg files nor did it get into the other pictures or those on my external hard drive. But all the text files. In addition, there is a file called "DecryptAllFiles     2374878396.txt" in my documents which says this (until ------------, after that it's me talking again, not quoting the text file):
 
Your documents, photos, databases and other important files have been encrypted
with strongest encryption and unique key, generated for this computer.

Private decryption key is stored on a secret Internet server and nobody can
decrypt your files until you pay and obtain the private key.

If you see the main locker window, follow the instructions on the locker.
Overwise, it's seems that you or your antivirus deleted the locker program.
Now you have the last chance to decrypt your files.

1. Type the address http://torproject.org in your Internet browser.
   It opens the Tor site.

2. Press 'Download Tor', then press 'DOWNLOAD Tor Browser Bundle',
   install and run it.\

3. Now you have Tor Browser. In the Tor Browser open the http://23bteufi2kcqza2l.onion
   Note that this server is available via Tor Browser only.
   Retry in 1 hour if site is not reachable.

4. Copy and paste the following public key in the input form on server. Avoid missprints.
75ULUW-H6H4AZ-M5GNGY-WZGHQE-TSP3IM-YQ4SXR-W33VZ5-4RZFQT
COWYIX-WVQCSE-YJN624-HIXAWU-XNLHOJ-76VAYI-2A4TT7-PYP2IC
OITEQ7-L3OYCA-C3FT5G-YFRAEF-5H35E2-HWHY6F-OLC7KR-5XGZXB
5. Follow the instructions on the server.
 
------------------------------
 
So I assume it's probably an RSA key I guess. If the code is 0-9 and A-Z (the only thing missing is the capital letter D but it's probably base 36, not 35) and there are 24 sequences of 6 so that's 144*log2(36) or probably 768 bits of encryption. Ugh.
 
I went to the cryptolocker page and tried some of my files and it said it was not done with that. I have gotten very few results looking for others with this thing. I only got one page with 23bteufi2kcqza2l.onion mentioned and so I was wondering if there was something I could do. Other than paying the bastards, that is. Because I'm not going to do that. For one thing I have heard that all they do is ask for more money. Damn, why did I have to leave my stupid external hard drive plugged in all the time. My computer the traitor, it could have just ruined its own contents.
 
I do have some examples of "before" and "after", I could upload, if anyone cares. Text files that came with torrents I downloaded that I could download again, or text files I saved on my computer, and then e-mailed to someone, so they're still in the outbox in gmail. None of it is of monetary value, it's just some things owned by a broken man who's been beaten down by the world, and now you all have got to kick me while I'm down and take the last little trinkets from me, like the stories I have written that no one else cares about or the rants I have typed up and saved. Are you happy, world?

Edited by Queen-Evie, 22 September 2014 - 09:18 PM.
moved from Windows 7
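A check on the key block quoted in the post above, added here as an editor's example (not code from the thread, the poster or the malware). The poster's estimate treats every symbol as one of 36; the symbols actually present in the three key lines all fall within A-Z and 2-7, which is the RFC 4648 base32 alphabet, under which the 144 characters carry 144 x 5 = 720 bits and decode to exactly 90 bytes. Whether the malware author really used base32 is not established anywhere in this thread; the script only reports what the observed alphabet is consistent with and what each reading implies for the size of the blob.

```python
import base64
import math
import re
import string

# Key block copied from the ransom note quoted in post #1 (the three
# dash-separated lines following "Copy and paste the following public key").
NOTE = """\
4. Copy and paste the following public key in the input form on server. Avoid missprints.
75ULUW-H6H4AZ-M5GNGY-WZGHQE-TSP3IM-YQ4SXR-W33VZ5-4RZFQT
COWYIX-WVQCSE-YJN624-HIXAWU-XNLHOJ-76VAYI-2A4TT7-PYP2IC
OITEQ7-L3OYCA-C3FT5G-YFRAEF-5H35E2-HWHY6F-OLC7KR-5XGZXB
5. Follow the instructions on the server.
"""

# A key line is eight groups of six characters separated by dashes.
KEY_LINE = re.compile(r"^(?:[A-Z0-9]{6}-){7}[A-Z0-9]{6}$")

BASE32_ALPHABET = set(string.ascii_uppercase + "234567")      # RFC 4648 base32
BASE36_ALPHABET = set(string.ascii_uppercase + string.digits)  # the poster's assumption


def extract_key(note: str) -> str:
    """Join every key-shaped line of the note into one string, dashes removed."""
    lines = [ln.strip() for ln in note.splitlines() if KEY_LINE.match(ln.strip())]
    return "".join(ln.replace("-", "") for ln in lines)


def bits_for_alphabet(key: str, alphabet_size: int) -> float:
    """Information content if every symbol were uniform over an alphabet of
    the given size (this is the poster's 144 * log2(36) calculation)."""
    return len(key) * math.log2(alphabet_size)


def decode_base32(key: str) -> bytes:
    """Decode as RFC 4648 base32, padding to a multiple of 8 characters first."""
    padded = key + "=" * (-len(key) % 8)
    return base64.b32decode(padded)


def analyse(note: str) -> dict:
    """Report symbol count, the symbols never used, and the bit/byte size
    under the base36 reading and (if the alphabet fits) the base32 reading."""
    key = extract_key(note)
    used = set(key)
    info = {
        "chars": len(key),
        "distinct_symbols": len(used),
        "unused_base36": "".join(sorted(BASE36_ALPHABET - used)),
        "bits_if_base36": bits_for_alphabet(key, 36),
        "fits_base32": used <= BASE32_ALPHABET,
    }
    if info["fits_base32"]:
        info["bits_if_base32"] = bits_for_alphabet(key, 32)
        info["decoded_bytes"] = len(decode_base32(key))
    return info


if __name__ == "__main__":
    for name, value in analyse(NOTE).items():
        print(f"{name}: {value}")
```

The unused-symbol list is the useful output: if it is exactly the characters outside the base32 alphabet (0, 1, 8, 9) plus a letter or two that simply never came up, the blob is far more likely base32 than base36, and 90 bytes is a size worth comparing against what the Critroni/CTB-Locker write-ups say the note carries.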



#2 doomeduniverse

Posted 22 September 2014 - 08:59 PM

Oh yeah. Also, I deleted the files from the temp directory before I knew it had done anything lasting, so I can't post them. But there's a file still in my recycle bin, it's called rmbrrsd.html. It's 500 kilobytes. It's from the same time as the attack on my files and as the "DecryptAllFiles" file's date, which was Saturday 9-20-2014, so it's safe to assume it's related. Should I delete it? Or is it useful somehow?



#3 doomeduniverse

Posted 22 September 2014 - 09:16 PM

Update. zip files and adobe acrobat pdf files too. So it zapped all the text files and at least some of the zip files, the adobe acrobat files and jpg images.



#4 Laith225

Posted 23 September 2014 - 03:01 PM

The best thing to do is to pay these bastards.

Cryptolocker isn't just some ransomware... It locks your files...

You could try that different option but it is risky, You may end up being DOS-attacked.

But however I would recommend paying Cryptolocker. If it was a different ransomware it could be solved easily.

But now we are talking about Cryptolocker. 

 

"That is always why you should have antivirus installed."

 

 

Cheers,

Laith225



#5 xXToffeeXx
Malware Response Instructor

Posted 24 September 2014 - 10:24 AM

Laith225 wrote:
The best thing to do is to pay these bastards.
Cryptolocker isn't just some ransomware... It locks your files...
You could try that different option but it is risky, You may end up being DOS-attacked.
But however I would recommend paying Cryptolocker. If it was a different ransomware it could be solved easily.
But now we are talking about Cryptolocker.
"That is always why you should have antivirus installed."
Cheers,
Laith225

Cryptolocker is not infecting people anymore, the ransomware was taken down. Do not pay anyone yet until we figure out which infection this is.
 
Please download this file from here, extract the zip and then run IDTool.exe. Wait for the tool to load and then click the Generate Text Friendly Report for Forums button. Copy the content of the box that appears into your next reply.
 
xXToffeeXx~


~If I am helping you and you have not had a reply from me in two days, please send me a PM~

 

ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic] - If we have helped you out and you want to support what we do, you can do so here

 

 ~Twitter~ | ~Malware Analyst at Emsisoft~


#6 rp88

Posted 24 September 2014 - 10:42 AM

I've had trouble with deviantart too, they were most certainly hosting some malicious ads. Of the sort that try and tell one that a plugin requires updating, despite the fact that one doesn't have the plugin. And I have known ads on that site to put in those criminal "please don't go, stay on this page" prompts. Never pay a ransom (it only fuels more crime), and do what you can to track down the thugs that did this.


Back on this site, for a while anyway, been so busy the last year.

My systems:2 laptops, intel i3 processors, windows 8.1 installed on the hard-drive and linux mint 17.3 MATE installed to USB

#7 doomeduniverse

Posted 24 September 2014 - 06:47 PM

Suddenly I have replies! Wow! I thought no one cared in the least because it went a while. It always seems when I have a problem, I'm always the only one who ever has it. Ok, well, that program output looks totally useless, but this is what it produced. Note that I already deleted the .bmp image it produced with the same info because it looked redundant, and I already deleted the viral program by hand (killed the task using task manager, thanks a lot antivirus programs!) and I still have a html file in my recycle bin which is 500 kB in size called rmbrrsd.html, which was clearly generated by the virus. I would have kept the virus in an inert form if I had known it had actually accomplished something, since it likely contained in its code the key it used, but I didn't discover that all my txt files were now corrupted until after I deleted it. I do have quite a few samples of "before" and "after", that is, text files I got back from things in my sentbox in gmail, and also I had downloaded the Tom Waits album "Bad Like Me" via bittorrent (yeah, I know, I'm a scumbag for doing that) and it had a cover art image, I went back and used the torrent and got the same image again. Does anyone know if having a "before" and "after" lets the key be cracked? I'm trying to remember back to like 2000 when I learned about RSA public key cryptography, and I can't remember enough of how it worked to say this, but am inclined to think that it's no good, it would only be a convenient way to verify a successful decryption. Anyway, enough prattling on, the output of the program is this:

 

Infection Detection Tool v1.0 - Nathan Scott
--------------------------------------------
Date/Time: 9/24/2014 4:35:04 PM
Operating System: Windows 7
Service Pack: Service Pack 1
Version Number: 6.1
Product Type: Workstation
--------------------------------------------
[Detected Flags]
1.|  Possible Critroni Flag , C:\Users\All Swartz\Documents\DecryptAllFiles     2374878396.txt
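On the "before" and "after" question in the post above: against a scheme that derives a fresh key for every file, matched pairs only let you confirm a decryption worked, as the poster suspects. What an analyst does run over such pairs is a check for the classic implementation mistake, one keystream reused across files, which is exactly what a stream cipher or CTR mode with a repeated nonce would expose. The code below is an added example written for this thread (not the poster's, not the malware's); the 16-byte header, the sample files and the SHA-256 counter-mode "keystream" are constructed stand-ins so it runs offline, and nothing here says Critroni itself has this flaw. A size delta that differs between files, or is negative, means the ciphertext is not a byte-for-byte transform of the original and this check simply does not apply.

```python
import hashlib


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def keystream_guess(plain: bytes, cipher: bytes, header_len: int = 0) -> bytes:
    """If the encrypted file were plain XOR keystream with a fixed-size header
    prepended, plain XOR cipher[header_len:] recovers the keystream over the
    overlapping bytes. With a block cipher in CBC/ECB the result is noise."""
    body = cipher[header_len:]
    n = min(len(plain), len(body))
    return xor_bytes(plain[:n], body[:n])


def shared_prefix_len(a: bytes, b: bytes) -> int:
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return n


def analyse_pairs(pairs, header_len: int = 0) -> dict:
    """pairs: list of (name, original_bytes, encrypted_bytes).
    Reports the size delta per pair and the longest keystream prefix shared by
    any two pairs. A long shared prefix means one keystream was reused across
    files (then plain XOR cipher from one file decrypts the others up to its
    length); zero or a couple of chance bytes means this angle is closed."""
    deltas = {name: len(c) - len(p) for name, p, c in pairs}
    streams = {name: keystream_guess(p, c, header_len) for name, p, c in pairs}
    names = list(streams)
    longest = 0
    for i in range(len(names)):
        for j in range(i + 1, len(names)):
            longest = max(longest, shared_prefix_len(streams[names[i]], streams[names[j]]))
    return {"size_delta": deltas, "max_shared_keystream": longest}


# --- constructed demo data (assumed shapes, not real Critroni output) --------

HEADER = b"\x00" * 16   # stands in for a per-file header the malware might prepend


def demo_keystream(seed: bytes, length: int) -> bytes:
    """Deterministic stand-in for a stream cipher: SHA-256 in counter mode."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def make_pairs(reuse_keystream: bool):
    """Two before/after pairs. With reuse_keystream=True the (hypothetical)
    malware author used one keystream for every file; otherwise each file
    gets its own, as a sound hybrid scheme would."""
    originals = {
        "story.txt": b"Chapter one. The rain had not stopped for three days. " * 40,
        "cover.jpg": b"\xff\xd8\xff\xe0JFIF constructed image bytes " * 60,
    }
    pairs = []
    for i, (name, plain) in enumerate(originals.items()):
        seed = b"one-key-for-everything" if reuse_keystream else b"per-file-key-%d" % i
        ks = demo_keystream(seed, len(plain))
        pairs.append((name, plain, HEADER + xor_bytes(plain, ks)))
    return pairs


if __name__ == "__main__":
    print("sound :", analyse_pairs(make_pairs(False), header_len=16))
    print("broken:", analyse_pairs(make_pairs(True), header_len=16))
```

Run it on real pairs by replacing make_pairs with files read from disk and setting header_len to the constant size delta you observe; if every pair reports the same positive delta, that is your header length.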
 



#8 xXToffeeXx
Malware Response Instructor

Posted 25 September 2014 - 11:38 AM

Hi doomeduniverse,
 

Ok, well, that program output looks totally useless, but this is what it produced.

Not useless, it let me know which ransomware it is.
 
Here is some information on Critroni, which is what ransomware encrypted your files. There is no way to decrypt the files sadly, I'm sorry to say.
 
xXToffeeXx~




#9 doomeduniverse

Posted 25 September 2014 - 01:22 PM

Wow, elliptic curve cryptosystem. I wasn't expecting that. That's much worse than RSA. xXToffeeXx, sure there's a way to do it, wait for quantum computers to be available. Though I'll be long dead by then. Nevertheless, that info page DID tell me that it copies the files and deletes the originals. Which MEANS that a file recovery program might just be able to undelete some or most of it. Dammit, why did I have to redownload that stupid tom waits torrent on the external hard drive. It didn't occur to me that it might have done that, I figured it just resaved the files, overwriting them. At least there's 40 gigabytes free and that was like 200 megs, so likely most of it is still there, which means the few files I actually care about are still probably there since I've filled in about 0.5% of the free space since. But then again, when have I ever won a bet that was 99.5% in my favor? The answer is, at most 10% of the time.



#10 xXToffeeXx
Malware Response Instructor

Posted 25 September 2014 - 02:09 PM

Hi doomeduniverse,

 

Indeed, it's an interesting idea and not realistically crackable unless a flaw was found. It's possible that they were not fully deleted, although I would not put all your hope in the idea. It's certainly worth a try though :)

 

xXToffeeXx~




#11 doomeduniverse

Posted 25 September 2014 - 02:41 PM

It wasn't my idea, the page you gave me the link to on that particular virus specifically said that could be done, it said that they deleted the files and made copies that were encrypted and that file recovery software could be used if not too much time had passed, but no, I just did a scan of deleted files on my computer and external hard drive, there are no deleted text files, there are files I deleted months ago that can be recovered, but not one of the files it replaced with encrypted versions, so it is NOT as that thing says. I'm sure SOMETHING would have escaped being overwritten by the tiny, tiny amount of activity I have performed to the external hard drive since then, there were text files in many many different directories that were attacked, so it's safe to say the info on that page is wrong. I did find one anomaly. It turned one 20 megabyte text file into a 10 megabyte text file. Perhaps it was in progress with that one when I killed it? Nah, it completed everything else in that directory, and it was not first or last in the directory either alphabetically or by date, and besides, it looks like I killed the process 2 days later. At any rate, the modus operandi perhaps is that it deletes the original but not before saving a new one, which occupies the same memory addresses.



#12 doomeduniverse

Posted 25 September 2014 - 03:26 PM

By the way, I used iolo system mechanic to try to recover the deleted files. If you happen to know it is not good at finding deleted files, let me know, and I'll try something else, though installing new programs may defeat the purpose. I have disabled system restore points so that it doesn't wreak havoc with the free space on the main hard drive but then again none of the text files on that drive I think were particularly interesting. It was all in the external hard drive anyway. Like the story I had written, and also a long letter I had composed, and some programs I had written. Fortunately, it only went after text files that actually had the txt extension, not cpp, so most of the programs were unaffected, though lots of plans I had in the making were saved as txt files.

 

Nevertheless, I want you to know, whoever you are out there, hacker who made this, if you're reading this to gloat on the havoc you have caused. I want you to know two things. 1. I'm not paying you a penny. and 2. You want to steal credit card numbers from customers at target or home depot or whatever's next? It would be far better if you caused problems for big corporations themselves, not their customers, but that's a lower tier of evil (and I was one of them at target, so I'm not even being a hypocrite by saying it's not as bad, it's not like I'm saying the one that happened to ME is the bad one just because it happened to me), it's not personal, and using a credit card isn't a necessity, it's a luxury, and that's a risk anyone who uses a credit card takes, while using a computer and using the internet is no longer a luxury, it's a necessity for the only way I have found to work and survive, and you are attacking me on a personal level when you attack my personal files. I just want you to know, if you are ever found, the authorities are the least of your worries. Someone like me you cheated isn't going to be content with you getting a legal slap on the wrist and what's left of your ill gotten gains that you haven't spent or hidden in an anonymous bitcoin account being confiscated, someone will come after you with a gun or a sword, and you will not get a trial by jury or due process or appeal process. I assume you're probably behind national boundaries so it won't be me. But I just want you to know that, so you can spend the rest of your life looking over your shoulder to make sure I'm not right behind you. That's it.



#13 xXToffeeXx
Malware Response Instructor

Posted 26 September 2014 - 11:19 AM

Hi doomeduniverse,

 

It's possible that the ransomware overwrites the file and it's not deleted. The guide provides suggestions, and they will not always work. You could try Recuva portable since that is generally pretty good.

 

xXToffeeXx~




#14 intheband

Posted 28 September 2014 - 02:39 PM

I have the same problem with the extension file elxjbuc

is this yours too?

I was hit last week. any solutions?

the only lead I have is to go to https://vms.drweb.com/sendvirus/

and from Dr.Web decrypter program, te94decrypt

but they require a service serial number

below is what is written in a few of my folders:

 

Your documents, photos, databases and other important files have been encrypted
with strongest encryption and unique key, generated for this computer.

Private decryption key is stored on a secret Internet server and nobody can
decrypt your files until you pay and obtain the private key.

If you see the main locker window, follow the instructions on the locker.
Overwise, it's seems that you or your antivirus deleted the locker program.
Now you have the last chance to decrypt your files.

1. Type the address http//torproject.org in your Internet browser.
   It opens the Tor site.

2. Press 'Download Tor', then press 'DOWNLOAD Tor Browser Bundle',
   install and run it.\

3. Now you have Tor Browser. In the Tor Browser open the http//23bteufi2kcqza2l.onion
   Note that this server is available via Tor Browser only.
   Retry in 1 hour if site is not reachable.

4. Copy and paste the following public key in the input form on server. Avoid missprints.
UVP2O5-2P4P7H-R7CY4U-6GS4VN-FSM67T-WSZYSA-U42XFY-YXTYUN
ZDR4F4-6YEF44-TGPZKG-H6S6AO-JWA3AJ-2JKFB2-FH5FF3-LWHSAX
POX2U4-IZITYV-Z7U6QO-A4UCRV-B3P4QK-SMW3PP-CPUNXR-JBF7B7
5. Follow the instructions on the server.


Edited by intheband, 28 September 2014 - 02:40 PM.
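Both victims in this thread report the same shape: the original name and extension are kept and a dot plus seven lowercase letters is appended (xzmpjmd in post #1, elxjbuc in post #14), with a note named "DecryptAllFiles <digits>.txt" dropped alongside. The sweep below is an added example for triaging a drive before anything is written to it (editor's code, not a tool mentioned in the thread): it walks a tree, groups suspects by appended tag, records whether the untouched original still sits beside each one (post #11 found none), and measures the byte entropy of the first 4 KiB so that a legitimately named file such as archive.tar.gzipped is not mistaken for ciphertext. The seven-letter pattern is an assumption generalised from the two reports, and the sample tree is constructed.

```python
import math
import os
import re
import tempfile
from collections import Counter
from pathlib import Path

# Assumed from the two reports in this thread: "<name>.<ext>.<seven lowercase letters>".
ENCRYPTED_NAME = re.compile(r"^(?P<orig>.+\.[A-Za-z0-9]{1,5})\.(?P<tag>[a-z]{7})$")
# Note file as named in post #1: "DecryptAllFiles     2374878396.txt".
NOTE_NAME = re.compile(r"^DecryptAllFiles\s+\d+\.txt$")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; ciphertext and compressed data sit near 8, text near 4-5."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def sweep(root: str, sample_bytes: int = 4096) -> dict:
    """Read-only walk: list suspect files, tag counts and note files.
    Run this from another machine or a live CD so nothing is written to the
    victim disk while undelete is still an option."""
    suspects, notes = [], []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            path = Path(dirpath) / fn
            if NOTE_NAME.match(fn):
                notes.append(str(path))
                continue
            m = ENCRYPTED_NAME.match(fn)
            if not m:
                continue
            with open(path, "rb") as fh:
                head = fh.read(sample_bytes)
            suspects.append({
                "path": str(path),
                "tag": m.group("tag"),
                # True would mean the original was left in place next to the copy.
                "original_present": (Path(dirpath) / m.group("orig")).exists(),
                "entropy": round(shannon_entropy(head), 2),
            })
    # A real infection shows one tag across many files; a lone tag with low
    # entropy is more likely an ordinary file with an unlucky name.
    tags = Counter(s["tag"] for s in suspects)
    return {"suspects": suspects, "tags": tags, "notes": notes}


def build_demo_tree() -> str:
    """Constructed sample tree: two encrypted-looking files, one untouched
    source file (the poster noted .cpp was left alone) and one note."""
    root = tempfile.mkdtemp(prefix="critroni-demo-")
    docs = Path(root) / "Documents"
    docs.mkdir()
    (docs / "story.txt.xzmpjmd").write_bytes(os.urandom(8192))
    (docs / "cover.jpg.xzmpjmd").write_bytes(os.urandom(8192))
    (docs / "program.cpp").write_bytes(b"int main() { return 0; }\n" * 200)
    (docs / "DecryptAllFiles     2374878396.txt").write_text(
        "Your documents, photos, databases and other important files have been encrypted\n")
    return root


if __name__ == "__main__":
    result = sweep(build_demo_tree())
    print("tags:", dict(result["tags"]))
    print("notes:", result["notes"])
    for s in result["suspects"]:
        print(s)
```

Point sweep() at the external drive's mount point to get the list of affected paths and the single tag in use; that list is also what you hand to an undelete tool as the set of original names to look for.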




