
Word document files encrypted? decode@india.com


51 replies to this topic

#1 domyrat

domyrat

  • Members
  • 22 posts
  • OFFLINE
  • Local time:11:23 PM

Posted 13 November 2014 - 01:20 AM

We have valuable patient information lost due to some kind of unknown infection. All .doc files were changed from xy.doc to xy.doc.id-8173471466_decode@india.com.

I tried removing only the appended extension, but that isn't the solution. I tried to hex-compare files that were backed up against the encrypted ones, and I see many repeating patterns throughout the encrypted file.

If I provide a non-encrypted and an encrypted file, could you somehow give me a solution to this?

There is no ransom screen or anything, and i haven't seen any processes running in the background that could do this.

 

I tried scanning the computer with NOD32 Antivirus, ERA Remover and Panda UnRansom locally.

I  tried submitting to virustotal with these results:

 

https://www.virustotal.com/en/file/9a503ff4fb85a4a29fdfbadd813144af774c47d21b2fe7eb7a47f185bfbc3ef1/analysis/

 

 

EDIT: also .jpg files were affected with this


Edited by domyrat, 13 November 2014 - 01:26 AM.
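As an added triage example (not code from the thread or from any tool mentioned in it), the script below walks a directory for files renamed in the pattern the first post describes, recovers the original name, victim id and contact address from each filename, and measures how many 16-byte blocks repeat inside the file, which is the kind of repeating pattern the hex compare showed. The regex, the block size and the sample files are assumptions constructed here; the id and address in the samples are the ones quoted in the post.

```python
import os
import re
import tempfile
from collections import Counter

# Rename pattern from the thread: <name>.<ext>.id-<digits>_<email> (regex is an assumption)
RANSOM_NAME = re.compile(r"^(?P<orig>.+)\.id-(?P<id>\d+)_(?P<email>[^_]+@[^_]+)$")


def parse_ransom_name(name):
    """Return (original_name, victim_id, contact_email) or None if not renamed."""
    m = RANSOM_NAME.match(name)
    return (m.group("orig"), m.group("id"), m.group("email")) if m else None


def repeated_block_ratio(data, block=16):
    """Fraction of fixed-size blocks that occur more than once in the file.
    Many repeats (as in the OP's hex compare) hint at a weak mode such as ECB."""
    blocks = [data[i:i + block] for i in range(0, len(data) - block + 1, block)]
    if not blocks:
        return 0.0
    counts = Counter(blocks)
    dup = sum(c for c in counts.values() if c > 1)
    return dup / len(blocks)


def triage_tree(root):
    """Walk root and list renamed files as (orig, id, email, repeat_ratio)."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            parsed = parse_ransom_name(fn)
            if parsed is None:
                continue
            with open(os.path.join(dirpath, fn), "rb") as f:
                ratio = round(repeated_block_ratio(f.read()), 2)
            hits.append(parsed + (ratio,))
    return sorted(hits)


def demo():
    """Constructed sample tree: two renamed files and one untouched file."""
    root = tempfile.mkdtemp()
    samples = {
        "report.doc.id-8173471466_decode@india.com": b"\x41" * 64 + bytes(range(16)),
        "scan.jpg.id-8173471466_decode@india.com": bytes(range(48)),
        "notes.txt": b"plain text, not renamed",
    }
    for fn, body in samples.items():
        with open(os.path.join(root, fn), "wb") as f:
            f.write(body)
    return triage_tree(root)
```

A high repeat ratio only says the ciphertext is structured; it does not by itself make decryption feasible, which matches the thread's later conclusion.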



#2 daneeboy

daneeboy

  • Members
  • 2 posts
  • OFFLINE
  • Local time:10:23 PM

Posted 13 November 2014 - 02:04 AM

Hi,

 

We have the exact same problem. It was probably downloaded from a scam email with an invoice from "deutsche telekom" like this:

Good day,

Your current invoice for your customer number 67129 dated 11.11.2014 is available for you in PDF format.
Rechnung_2014_11_741800000067129.zip.

In your account you will find all your invoices in the invoice overview.

The immediately due total amount of EUR 274,99 will be debited from your account shortly.

Kind regards,

Your Telekom

After one user clicked on the link with the zip file (after being warned not to) files on our network share started encrypting the same way you encountered, but with a different id.

I found a Bulgarian thread where someone had this problem and emailed decode@india.com; the reply was to send 1 bitcoin to a wallet, after which they would send the decode method.

http://hardwarebg.com/forum/showthread.php/252988-%CD%E0%EB%E5%E3%ED%E0-%EC%E5-%EA%F0%E8%EF%F2%EE%E2%E8%F0%F3%F1-decode-india-com?p=3931155#post3931155

(I used Google Translate)

 

Any help, other than the ransom, appreciated.

 

Thanks and good luck



#3 mvcro

mvcro

  • Members
  • 1 posts
  • OFFLINE
  • Local time:10:23 PM

Posted 13 November 2014 - 06:27 AM

Hello guys,

 

The same happened to my server yesterday. The server was attacked and a lot of files are encrypted. Like the guy above, I also sent mail to decode@india.com, and they said they want 1 bitcoin for the decoding program.

I have a backup of the server. But is there some kind of workaround for this? Can I do something to restore the files as they were before?



#4 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,300 posts
  • ONLINE
  • Gender:Male
  • Location:USA
  • Local time:04:23 PM

Posted 13 November 2014 - 12:48 PM

If anyone has the spam email or the attachment that installs it, please submit it to http://www.bleepingcomputer.com/submit-malware.php?channel=3 and we will take a look.

Thanks!

#5 daneeboy

daneeboy

  • Members
  • 2 posts
  • OFFLINE
  • Local time:10:23 PM

Posted 13 November 2014 - 01:44 PM

Hi,

 

I have uploaded the email that we received. There's a link to a zip file in the .msg file.

 

thanks

 

d.



#6 starmanian

starmanian

  • Members
  • 2 posts
  • OFFLINE
  • Local time:10:23 PM

Posted 14 November 2014 - 01:39 PM

Greetings everyone.

In my office today someone downloaded this malware and it infected all computers on the network. My whole archive is corrupted at the moment. The exact pattern that is described in this thread.

 

My problem is that I don't have a backup for the archive and everything seems lost at the moment. I'm doing a Spybot 2 scan at the moment to try to remove the malware and will try to use the Panda decrypter and Kaspersky tools for decryption. I will post my results in this thread when I finish the test.

 

The problem is someone on the network installed this malware and I'm not aware of which computer it is located on. There are not many computers on the network so I will try to check them all with Spybot.

 

Hope we can find a fix for this problem we have.

 

If there is some info you need to solve this I'll be glad to supply it. 

 

 

*** Spybot 2 just finished; it didn't find anything related to decode@india

*** Running Kaspersky RectorDecryptor:
    found - 20000
    decrypted - 0

*** RakhniDecryptor and RannohDecryptor require an unencrypted version of the encrypted file to work; I don't have those.

*** Running XoristDecryptor --- didn't find anything

*** The Panda decrypt tool also requires an original and encrypted file ....

 

This really had to happen when I have an important project due on Monday.

If you help me fix this I'll give you a proper donation.


Edited by starmanian, 14 November 2014 - 01:54 PM.


#7 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,300 posts
  • ONLINE
  • Gender:Male
  • Location:USA
  • Local time:04:23 PM

Posted 14 November 2014 - 01:47 PM

We still have been unable to find a working installer for this. So if you are infected with this malware and have a sample of the installer or a copy of the email that started all of this, please submit it to http://www.bleepingcomputer.com/submit-malware.php?channel=3

#8 ivan1601

ivan1601

  • Members
  • 5 posts
  • OFFLINE
  • Local time:10:23 PM

Posted 14 November 2014 - 02:47 PM

One of my friends is infected and doesn't have backup of files :/

 

Another friend received this mail about 30 minutes ago.

 

I would like to send you this mail. Can you give me e-mail address?



#9 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 50,104 posts
  • OFFLINE
  • Gender:Male
  • Location:Virginia, USA
  • Local time:04:23 PM

Posted 14 November 2014 - 02:54 PM

@ ivan1601

...if you are infected with this malware and have a sample of the installer or a copy of the email..., please submit it to http://www.bleepingcomputer.com/submit-malware.php?channel=3



#10 ivan1601

ivan1601

  • Members
  • 5 posts
  • OFFLINE
  • Local time:10:23 PM

Posted 14 November 2014 - 03:09 PM

@ quietman7

 

I saw this post.

But to submit the installer, my friend must download it!? And he will be infected!? Please give me an e-mail address and he will forward this e-mail.



#11 jorti.78

jorti.78

  • Members
  • 3 posts
  • OFFLINE
  • Local time:10:23 PM

Posted 16 November 2014 - 02:29 AM

Hi, does anybody have a solution for decrypting files infected with decode@india?

#12 noknojon

noknojon

  • Banned
  • 10,871 posts
  • OFFLINE
  • Gender:Not Telling
  • Local time:07:23 AM

Posted 16 November 2014 - 03:16 AM

You may not think we are trying to help, but I had one of the first Crypto infections 12 months ago, and since then only some have been able to fix.

Please read below and look at each area mentioned, as you may find some help, or understand that this is worldwide.

 

A repository of all current knowledge regarding CryptoWall & CryptoWall 2.0 is provided by Grinler (aka Lawrence Abrams), in this tutorial: CryptoWall and DECRYPT_INSTRUCTION Ransomware Information Guide and FAQ

Reading that Guide will help you understand what CryptoWall & CryptoWall 2.0 does and provide information for how to deal with it and possibly decrypt/recover your files. At this time there is no fix tool for CryptoWall.

CryptoWall 2.0 uses its own TOR gateways...see Updated CryptoWall 2.0 ransomware released that makes it harder to recover files.

There is also a lengthy ongoing discussion in this topic: CryptoWall - new variant of CryptoDefense.

Rather than have everyone start individual topics, it would be best (and more manageable for staff) if you posted any questions, comments or requests for assistance in that topic discussion.


If you are infected with this malware and/or have a sample of the installer, or a copy of the email that started all of this, please submit it to http://www.bleepingcomputer.com/submit-malware.php?channel=3

This is a secure area that we can use to test, or pass on samples, to our malware identification crew.

 

Testing and exchange between developers has been worked on for a year and will continue while samples are being tested and submitted -

 

 

Thanks
The BC Staff



#13 ivan1601

ivan1601

  • Members
  • 5 posts
  • OFFLINE
  • Local time:10:23 PM

Posted 16 November 2014 - 08:12 AM

@ Noknojon

 

I have forwarded e-mail with installer to Grinler. I hope you will find out something.



#14 noknojon

noknojon

  • Banned
  • 10,871 posts
  • OFFLINE
  • Gender:Not Telling
  • Local time:07:23 AM

Posted 16 November 2014 - 03:33 PM

Hello -

 

I am told that decode@india is a newer version, and we always need any sample to help us to find the answers.

 

Thank you for helping us to fight the criminals that do this to you.

 

Best Regards and Good Luck to all of those infected -

 

EDIT -

The link below may suit some when they choose to forward samples (From our Decryptor - Nathan)

http://www.bleepingcomputer.com/submit-malware.php
 


Edited by noknojon, 16 November 2014 - 03:44 PM.


#15 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,280 posts
  • OFFLINE
  • Gender:Male
  • Location:Bulgaria
  • Local time:11:23 PM

Posted 17 November 2014 - 04:11 AM

Just got a reply from the Kaspersky Team about the malware in question.

 

It gets the encryption key from the C&C, so decryption is impossible.

 

 

 

Regards,

Georgi

