FBI Ransomware - New Variation (Canadian)


4 replies to this topic

#1 alextm23

  • Members
  • 2 posts

Posted 18 November 2014 - 07:30 PM

Hi, a customer of mine recently got infected with a ransomware virus. I personally didn't get a chance to capture the pop-up image/info when the computer boots (a colleague of mine removed it too quickly), but I'll try to provide some details... It has many references to 'committing software piracy' and 'illegal downloads of software'. The ransom is for the bitcoin equivalent of 250 CAD (Canadian dollars) and can be submitted through a link provided, the Royal Bank of Canada, or 'your local courthouse'. It also states that all the files have been locked/encrypted on the PC. They also say that if we pay the ransom the files will be unlocked in 2-5 days or something. It's very Canadian-centric (probably from detecting our IP). I have seen CryptoLocker and even the newest CryptoWall 2.0, and luckily have had clients willing enough to pay out the ransom, but I can't find a single piece of info on this virus. Basically the virus has encrypted all picture files, PDFs and documents (much like CryptoLocker does), and they all now have a .exe extension added to them (e.g. something.pdf.exe). If I simply try to remove the appended extension the file will not open. The virus is also creating a mapped drive of every share it can find on the network and using every single drive letter on the PC. Any malware scanner I use (such as ESET or Malwarebytes) will detect every single file that was encrypted/renamed and quarantine them. I'm not sure if there is any decryption method for this virus or if it has even been seen in the wild yet. I've also tried the Panda decryption utility. One semi-saving grace is the fact that the virus doesn't seem to touch System Restore/shadow copies, but unfortunately the server data was on a second partition and there are no rotating/cloud backups (don't ask, complicated). I'm very knowledgeable with virus removal and the whole CryptoLocker era, but this one has me completely stumped.
I'll try my best to get a screenshot of the ransom screen, but for now this is all I have. Time is of the essence, of course, and any help is appreciated. TL;DR - Ransomware virus. Possibly unknown variant. Encrypted data. Need HELP! :)



#2 alextm23

  • Topic Starter
  • Members
  • 2 posts

Posted 18 November 2014 - 09:00 PM

Here is an ESET Online Scanner log:
 
 
ESETSmartInstaller@High as downloader log:
all ok
# product=EOS
# version=8
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.7623
# api_version=3.0.2
# EOSSerial=b87819ced11e2c46a645598004fb3140
# engine=21137
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=false
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2014-11-18 02:03:30
# local_time=2014-11-17 09:03:30 (-0500, Eastern Standard Time)
# country="Canada"
# lang=1033
# osver=6.1.7601 NT Service Pack 1
# compatibility_mode_1='Microsoft Security Essentials'
# compatibility_mode=5895 16777213 100 100 0 39148604 0 0
# scanned=128661
# found=48
# cleaned=43
# scan_time=1826
sh=513319B2C1E7C48460BFFB506A89201A131DDFF9 ft=1 fh=502ce6fec97a697e vn="a variant of Win32/Agent.NCA virus" ac=I fn="C:\Users\All Users\Adobe\ARM\Reader_11.0.07\31822\AdobeARM.exe"
sh=50723F45C4284DD68D29DAA94EA756029DD7E3B8 ft=1 fh=47a9a3aa08d37830 vn="a variant of Win32/Kryptik.AQA trojan" ac=I fn="C:\Users\All Users\PYwYUocQ\HgIgUYEw.exe"
sh=24CDFA1FA7860FEE93A8EE877EE81B15DFC84F0D ft=1 fh=9b8826d0a843a0a7 vn="a variant of Win32/Kryptik.AQA trojan" ac=I fn="C:\Windows\SysWOW64\mQom.exe"
sh=59FE43213ABB717A42F4F3F1DF20C1B151BD490F ft=1 fh=6c8912044c91ccb6 vn="a variant of Win32/Kryptik.AQA trojan" ac=I fn="C:\Windows\SysWOW64\zsgy.exe"
sh=1B2A1B3B319AEB5B40682F1898F8941F523D7FBC ft=1 fh=fd635467ffd26b65 vn="a variant of Win32/Kryptik.AQA trojan" ac=I fn="C:\Windows\SysWOW64\config\systemprofile\DKQgUQso\fUMwUMMI.exe"
sh=5C443D75CA9587573164E11CC1198A1845D93B77 ft=1 fh=fdbb64bb5ce45755 vn="a variant of Win32/Agent.NCA virus (deleted - quarantined)" ac=C fn="C:\lifelabs\make_pw.exe"
sh=93A3CDA57547B51CF86689E874427438C8B013FE ft=1 fh=53fa80527ebb02b5 vn="a variant of Win32/Agent.NCA virus (deleted - quarantined)" ac=C fn="C:\lifelabs\unins000.exe"
sh=513319B2C1E7C48460BFFB506A89201A131DDFF9 ft=1 fh=502ce6fec97a697e vn="a variant of Win32/Agent.NCA virus (deleted - quarantined)" ac=C fn="C:\ProgramData\Adobe\ARM\Reader_11.0.07\31822\AdobeARM.exe"
sh=4026746E94B3415826E308E330B85817D33BC5A4 ft=1 fh=18f35d9e879712e1 vn="a variant of Win32/Kryptik.AQA trojan (cleaned by deleting - quarantined)" ac=C fn="C:\ProgramData\bOwMYwsI\RIEEwYIc.exe"
sh=50723F45C4284DD68D29DAA94EA756029DD7E3B8 ft=1 fh=47a9a3aa08d37830 vn="a variant of Win32/Kryptik.AQA trojan (cleaned by deleting - quarantined)" ac=C fn="C:\ProgramData\PYwYUocQ\HgIgUYEw.exe"
sh=2AA6829BE10259CADECF0F15F6080F31F7DAD852 ft=1 fh=af3e83afdf75e4a8 vn="a variant of Win32/Kryptik.AQA trojan (cleaned by deleting - quarantined)" ac=C fn="C:\Qoobox\Quarantine\C\ProgramData\bOwMYwsI\RIEEwYIc.exe.vir"
sh=46689905985817229F80408F25C39CFFA3FA3BFF ft=1 fh=1aa9307e084f7d26 vn="a variant of Win32/Kryptik.AQA trojan (cleaned by deleting - quarantined)" ac=C fn="C:\Qoobox\Quarantine\C\Users\admin\DKQgUQso\fUMwUMMI.exe.vir"
sh=8088ADC20D5C866D5C6FD186A75C9EBC1B1029C6 ft=1 fh=90fe143dcbdaa26e vn="a variant of Win32/Kryptik.AQA trojan (cleaned by deleting - quarantined)" ac=C fn="C:\Users\admin\DKQgUQso\fUMwUMMI.exe"
sh=BAECE61E4383D042F6533D88FBACFBBF1DF23266 ft=1 fh=e33ab4d9c630169e vn="a variant of Win32/Agent.NCA virus (deleted - quarantined)" ac=C fn="C:\Users\admin\Documents\Scanned Documents\Welcome Scan.jpg.exe"
sh=C170F364C0A511FA5375F761DDD8E3E5D1E7797B ft=1 fh=09b1c82eac35445c vn="a variant of Win32/Kryptik.AQA trojan (cleaned by deleting - quarantined)" ac=C fn="C:\Users\All Users\bOwMYwsI\RIEEwYIc.exe"
sh=926BDBE559A85BD231981913FD4501A3DE25A413 ft=1 fh=a23efe35b1b5d593 vn="a variant of Win32/Agent.NCA virus (deleted - quarantined)" ac=C fn="C:\Users\Doctor Leung\AppData\Local\Apps\2.0\Y2LVN56P.6C4\QWY09VYP.N93\clic...exe_4fe91ede9f9bdca3_0001.0003_none_b13295ce3920a12c\GoogleUpdateSetup.exe"
sh=926BDBE559A85BD231981913FD4501A3DE25A413 ft=1 fh=a23efe35b1b5d593 vn="a variant of Win32/Agent.NCA virus (deleted - quarantined)" ac=C fn="C:\Users\Doctor Leung\AppData\Local\Apps\2.0\Y2LVN56P.6C4\QWY09VYP.N93\goog...app_4fe91ede9f9bdca3_0001.0003_2009af1437c1fec6\GoogleUpdateSetup.exe"
sh=617582A5774B3A38D5F81BAC83E390729A41BD2D ft=1 fh=84196d99fda9987b vn="a variant of Win32/Kryptik.AQA trojan (cleaned by deleting - quarantined)" ac=C fn="C:\Users\Doctor Leung\DKQgUQso\fUMwUMMI.exe"
sh=949631AF550CDA1CA60EE335D5AA823E8B9BB863 ft=1 fh=088ac532374dd5a9 vn="a variant of Win32/Agent.NCA virus (deleted - quarantined)" ac=C fn="C:\Users\Doctor Leung\Documents\Scanned Documents\Deleted\Welcome Scan.jpg.exe"
sh=1B2B2A615123C6DB0296834D805270F80D69FA41 ft=1 fh=088ac5324099efdf vn="a variant of Win32/Agent.NCA virus (deleted - quarantined)" ac=C fn="C:\Users\qhradmin\Documents\Scanned Documents\Welcome Scan.jpg.exe"
sh=AE077D0B5ECBC0B01ED606913E0882F5D2A724AC ft=1 fh=bffa923cbeec0d2b vn="a variant of Win32/Kryptik.AQA trojan (cleaned by deleting - quarantined)" ac=C fn="C:\Users\sleepingaccuroadmin\DKQgUQso\fUMwUMMI.exe"
sh=13FF8EF419FAF4CECA8FE51B6216F2C18038839A ft=1 fh=088ac53227b73ae1 vn="a variant of Win32/Agent.NCA virus (deleted - quarantined)" ac=C fn="C:\Users\sleepingaccuroadmin\Documents\Scanned Documents\Welcome Scan.jpg.exe"
sh=D12365109BBA46C1F8D1AE3C075631CDDEF001F6 ft=1 fh=5a7d2fcb9e5d02cb vn="a variant of Win32/Kryptik.AQA trojan (cleaned by deleting - quarantined)" ac=C fn="C:\Users\SQLSERVER\DKQgUQso\fUMwUMMI.exe"
sh=24CDFA1FA7860FEE93A8EE877EE81B15DFC84F0D ft=1 fh=9b8826d0a843a0a7 vn="a variant of Win32/Kryptik.AQA trojan (cleaned by deleting - quarantined)" ac=C fn="C:\Windows\System32\mQom.exe"
sh=59FE43213ABB717A42F4F3F1DF20C1B151BD490F ft=1 fh=6c8912044c91ccb6 vn="a variant of Win32/Kryptik.AQA trojan (cleaned by deleting - quarantined)" ac=C fn="C:\Windows\System32\zsgy.exe"
sh=1B2A1B3B319AEB5B40682F1898F8941F523D7FBC ft=1 fh=fd635467ffd26b65 vn="a variant of Win32/Kryptik.AQA trojan (cleaned by deleting - quarantined)" ac=C fn="C:\Windows\System32\config\systemprofile\DKQgUQso\fUMwUMMI.exe"
sh=FF60F1D269929895441210002466E5284B9968FC ft=1 fh=0989e3a370525b4c vn="a variant of Win32/Agent.NCA virus (deleted - quarantined)" ac=C fn="S:\mflpro\Data\Disk1\setup.exe"
sh=6F434794266B5C76F1ECDDBA4A095D119D060B2C ft=1 fh=425f2a49258e32e5 vn="a variant of Win32/Agent.NCA virus (deleted - quarantined)" ac=C fn="S:\ReadyForAccuro\Scan\Deleted\2014_08_15_15_35_50-1.pdf.exe"
sh=2810EAA545D0178843A1B23AA7A98EEB8D462240 ft=1 fh=425f2a496bb36d91 vn="a variant of Win32/Agent.NCA virus (deleted - quarantined)" ac=C fn="S:\ReadyForAccuro\Scan\Deleted\2014_08_15_15_45_44_001-1.pdf.exe"
sh=E585825155A11A5F8273F933249AD82B88F32FA6 ft=1 fh=425f2a498bda5759 vn="a variant of Win32/Agent.NCA virus (deleted - quarantined)" ac=C fn="S:\ReadyForAccuro\Scan\Deleted\2014_08_15_16_34_07.pdf.exe"
sh=63B1D2D6D06AA402B199BF9475346111E1BB963E ft=1 fh=425f2a49b686f7ba vn="a variant of Win32/Agent.NCA virus (deleted - quarantined)" ac=C fn="S:\ReadyForAccuro\Scan\Deleted\2014_08_18_12_10_27-4.pdf.exe"
sh=9BA59581D2F7BF49EBBF231AB1F20375D18149AA ft=1 fh=425f2a499ac2b939 vn="a variant of Win32/Agent.NCA virus (deleted - quarantined)" ac=C fn="S:\ReadyForAccuro\Scan\Deleted\2014_09_11_16_34_43.pdf.exe"
sh=055E89437D6008F436FE155E04213DB46716A640 ft=1 fh=425f2a492ca9adb0 vn="a variant of Win32/Agent.NCA virus (deleted - quarantined)" ac=C fn="S:\ReadyForAccuro\Scan\Deleted\2014_09_30_17_31_03.pdf.exe"
sh=E2F93C2633C462E2BAF7EC8579E3C2261F4F5392 ft=1 fh=425f2a49be1e4387 vn="a variant of Win32/Agent.NCA virus (deleted - quarantined)" ac=C fn="S:\ReadyForAccuro\Scan\Deleted\2014_10_03_09_48_11.pdf.exe"
sh=D7FAE29CAD7180CA4E5CF486098D7AC3983845B3 ft=1 fh=425f2a4930a5cbd7 vn="a variant of Win32/Agent.NCA virus (deleted - quarantined)" ac=C fn="S:\ReadyForAccuro\Scan\Deleted\2014_10_09_10_35_35.pdf.exe"
sh=3DC3CACA5D461F138200F60965A24445B5A99B6F ft=1 fh=425f2a49d6793ea1 vn="a variant of Win32/Agent.NCA virus (deleted - quarantined)" ac=C fn="S:\ReadyForAccuro\Scan\Deleted\2014_10_10_10_40_42.pdf.exe"
sh=6417D7BA950BC5542A7166213A014FE05E8358EA ft=1 fh=425f2a49959adc7b vn="a variant of Win32/Agent.NCA virus (deleted - quarantined)" ac=C fn="S:\ReadyForAccuro\Scan\Deleted\2014_10_10_10_44_54.pdf.exe"
sh=99BF310CBD35E5F83FA5689B8EF845F0C9151E05 ft=1 fh=425f2a49e9c9475d vn="a variant of Win32/Agent.NCA virus (deleted - quarantined)" ac=C fn="S:\ReadyForAccuro\Scan\Deleted\2014_10_14_17_50_18.pdf.exe"
sh=09EC2C008DD6ACFBAF97EE21418711DD66B989C8 ft=1 fh=425f2a49d157cfa4 vn="a variant of Win32/Agent.NCA virus (deleted - quarantined)" ac=C fn="S:\ReadyForAccuro\Scan\Deleted\2014_10_14_17_59_12.pdf.exe"
sh=91D0415AE1D49945AAEE53A1A5005563704DED1D ft=1 fh=425f2a49dfea6200 vn="a variant of Win32/Agent.NCA virus (deleted - quarantined)" ac=C fn="S:\ReadyForAccuro\Scan\Deleted\2014_10_16_17_17_17.pdf.exe"
sh=665B04A3FCA736273B9AC314C3CCD59F328505D5 ft=1 fh=425f2a497de9f41e vn="a variant of Win32/Agent.NCA virus (deleted - quarantined)" ac=C fn="S:\ReadyForAccuro\Scan\Deleted\2014_10_17_10_44_00-1.pdf.exe"
sh=018449F5BA93324497B4814F432FB70AA6527F8D ft=1 fh=425f2a499a18bb04 vn="a variant of Win32/Agent.NCA virus (deleted - quarantined)" ac=C fn="S:\ReadyForAccuro\Scan\Deleted\2014_10_22_18_24_27.pdf.exe"
sh=DD7394DF3885C14F55BE3B739807147EDDDC4B96 ft=1 fh=425f2a49f6abfdfa vn="a variant of Win32/Agent.NCA virus (deleted - quarantined)" ac=C fn="S:\ReadyForAccuro\Scan\Deleted\2014_10_30_11_39_27_002.pdf.exe"
sh=3807C9C31114545C54CAB6E39E7018E65798EF7E ft=1 fh=425f2a49ef3c9697 vn="a variant of Win32/Agent.NCA virus (deleted - quarantined)" ac=C fn="S:\ReadyForAccuro\Scan\Deleted\2014_10_30_12_46_53-1.pdf.exe"
sh=6F547518AA884E9754C70E2E52A1243F7F2D13CC ft=1 fh=425f2a493e20594a vn="a variant of Win32/Agent.NCA virus (deleted - quarantined)" ac=C fn="S:\ReadyForAccuro\Scan\Deleted\2014_11_07_13_04_01.pdf.exe"
sh=EFD1B783823764E336859063432453CA4C4598C1 ft=1 fh=425f2a49a7a3e2de vn="a variant of Win32/Agent.NCA virus (deleted - quarantined)" ac=C fn="S:\ReadyForAccuro\Scan\Dr. Leung documents\2014_10_03_10_00_02.pdf.exe"
sh=73CE63ABE38FD28E9F6108A1395391A4D798CF6E ft=1 fh=425f2a498f1723cc vn="a variant of Win32/Agent.NCA virus (deleted - quarantined)" ac=C fn="S:\ReadyForAccuro\Scan\Dr. Leung documents\2014_10_03_15_27_47.pdf.exe"
sh=D603A3026650E302599DAA177727CE065B9AFCE1 ft=1 fh=fb522672da827d2d vn="a variant of Win32/Agent.NCA virus (deleted - quarantined)" ac=C fn="S:\SQL SERVER\MSSQL10_50.MSSQLSERVER\MSSQL\Binn\SQLIOSIM.EXE.exe"
ESETSmartInstaller@High as downloader log:
all ok
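The scanner log above shows why the original poster's observation matters for recovery: the encrypted documents were renamed with a second extension (`.pdf.exe`, `.jpg.exe`) and the scanner then deleted and quarantined them alongside the actual malware. Before any decryption attempt, a responder needs to know which quarantined items are encrypted user data (to be restored from quarantine and preserved) and which are the dropped executables. The following Python parser is an added example for this thread, not code from the poster, from ESET or from BleepingComputer. It reads detection lines in the `sh= ft= fh= vn= ac= fn=` layout shown above and sorts them by that criterion. The sample lines, hashes and paths embedded in it are constructed for the example; the list of data-file extensions and the use of the "quarantined" suffix in the detection name as the quarantine indicator are assumptions made here.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample in the ESET Online Scanner log layout seen in the thread
# (sh= sha1, ft=, fh=, vn="detection name", ac=, fn="path"). Every hash and
# path here is made up for the example; none of them come from the real log.
SAMPLE_LOG = r"""
# product=EOS
# found=5
sh=0123456789ABCDEF0123456789ABCDEF01234567 ft=1 fh=0123456789abcdef vn="a variant of Win32/Kryptik.AQA trojan" ac=I fn="C:\ProgramData\RaNdOmDr\payload.exe"
sh=1123456789ABCDEF0123456789ABCDEF01234567 ft=1 fh=1123456789abcdef vn="a variant of Win32/Agent.NCA virus (deleted - quarantined)" ac=C fn="C:\Users\user\Documents\Scanned Documents\scan.jpg.exe"
sh=2123456789ABCDEF0123456789ABCDEF01234567 ft=1 fh=2123456789abcdef vn="a variant of Win32/Agent.NCA virus (deleted - quarantined)" ac=C fn="S:\Scan\2014_10_03_10_00_02.pdf.exe"
sh=3123456789ABCDEF0123456789ABCDEF01234567 ft=1 fh=3123456789abcdef vn="a variant of Win32/Agent.NCA virus" ac=I fn="S:\Scan\invoice.docx.exe"
sh=4123456789ABCDEF0123456789ABCDEF01234567 ft=1 fh=4123456789abcdef vn="a variant of Win32/Agent.NCA virus (deleted - quarantined)" ac=C fn="C:\Tools\unins000.exe"
"""

# One detection line: the field order and quoting follow the thread's log.
DETECTION_RE = re.compile(
    r'^sh=(?P<sha1>[0-9A-Fa-f]{40}) ft=(?P<ft>\d+) fh=(?P<fh>[0-9A-Fa-f]+) '
    r'vn="(?P<vn>[^"]*)" ac=(?P<ac>\S+) fn="(?P<fn>[^"]*)"$'
)

# Data-file extensions the ransomware is reported to rename by appending ".exe".
# The thread shows .pdf.exe and .jpg.exe; the remaining entries are assumptions.
DATA_EXTENSIONS = ("pdf", "jpg", "jpeg", "png", "gif", "doc", "docx",
                   "xls", "xlsx", "ppt", "pptx", "txt", "rtf", "zip")
VICTIM_RE = re.compile(r"\.(" + "|".join(DATA_EXTENSIONS) + r")\.exe$",
                       re.IGNORECASE)


@dataclass
class Detection:
    sha1: str
    detection_name: str
    path: str
    quarantined: bool


def parse_eset_log(text: str) -> List[Detection]:
    """Return one Detection per 'sh=' line; '# ...' headers and blank lines are skipped."""
    found: List[Detection] = []
    for line in text.splitlines():
        m = DETECTION_RE.match(line.strip())
        if not m:
            continue
        vn = m.group("vn")
        found.append(Detection(
            sha1=m.group("sha1").upper(),
            detection_name=vn,
            path=m.group("fn"),
            # The thread's log marks removed items by appending
            # "(... - quarantined)" to the detection name; we key on that text
            # rather than guessing the meaning of the ac= code (assumption).
            quarantined="quarantined" in vn.lower(),
        ))
    return found


def is_double_extension_victim(path: str) -> bool:
    """True for paths like report.pdf.exe: a data file with '.exe' appended."""
    return VICTIM_RE.search(path) is not None


def triage(text: str) -> Dict[str, List[str]]:
    """Split detections into encrypted data files (to be preserved for a later
    decrypter, restoring them from quarantine if needed) and everything else
    (candidate malware executables that stay in quarantine)."""
    result: Dict[str, List[str]] = {
        "victims_quarantined": [],  # encrypted documents the scanner removed
        "victims_present": [],      # encrypted documents still on disk
        "other": [],                # executables that are not renamed documents
    }
    for d in parse_eset_log(text):
        if is_double_extension_victim(d.path):
            key = "victims_quarantined" if d.quarantined else "victims_present"
        else:
            key = "other"
        result[key].append(d.path)
    return result


if __name__ == "__main__":
    for key, paths in triage(SAMPLE_LOG).items():
        print(f"{key}: {len(paths)}")
        for p in paths:
            print("   ", p)
```

Run against a real log, `victims_quarantined` is the list to restore from the scanner's quarantine before trying any decrypter; `other` is the set that should stay quarantined and be submitted for analysis. The extension whitelist deliberately ignores plain `.exe` files, so a genuine installer that was merely infected (like the `unins000.exe` sample line) is not mistaken for an encrypted document.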


#3 HelpBot

    Bleepin' Binary Bot

  • Bots
  • 12,622 posts
  • Gender:Male

Posted 23 November 2014 - 07:35 PM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/556721 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from the following link if you no longer have it available and save it to your desktop.

    DDS.com Download Link
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control can be found HERE.

As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#4 Grinler

    Lawrence Abrams

  • Admin
  • 43,540 posts
  • Gender:Male
  • Location:USA

Posted 26 November 2014 - 11:10 PM

Please submit a sample of one of your encrypted files (exe extension) to http://www.bleepingcomputer.com/submit-malware.php?channel=3

#5 Nathan

    DecrypterFixer

  • Security Colleague
  • 1,617 posts
  • Gender:Male
  • Location:Florida

Posted 07 December 2014 - 08:31 PM

Hello,
 
I have made a Decryption Patcher for this infection. If you were hit by Operation Global 3 (this infection; the title is at the bottom of the ransom screen), then this patcher will help you get all your files back.
 
Here is a video with the step by step instructions:
 
Here is the Patcher (also on the video page):
 
Hope this helps!

Have you performed a routine backup today?



