Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Canadian Ransomware


  • Please log in to reply
8 replies to this topic

#1 poxyfurfur

poxyfurfur

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:11:07 PM

Posted 26 November 2014 - 12:19 PM

I've been infected by the same virus as the OP in this thread:http://www.bleepingcomputer.com/forums/t/556721/fbi-ransomware-new-variation-canadian/

I'm unable to reply in that thread so am starting a new one:

 

I just got hit by this exact virus.  Lost all my family photos for the past 10 years and all my music and other documents.  There doesn't seem to be much info about this variant on the web.
 
After getting the ransom page, I was able to remove the virus from my system and din't realize that all my documents were encrypted and renamed with an exe extension until 2 days later because it reconfigures windows explorer to hide the file extension.  So what I did then is I installed a virtual machine to try to run one of the exes.  The interesting thing is that it seems that if you run one of the exes on an uninfected machine, it decrypts the file and restores the original while at the same time reinstalls the virus again.
 
I tried writing a shell script to iterate over the exes, open them and immediately kill the 3 resulting virus processes but eventually the virus installs itself on the system after which point the exes don't get decrypted when opened.   Since initially, the VM was free from the virus, it seems that whatever key information is required to decrypt the exe, it is embedded in the exe itself.  So hopefully, it should be possible to decrypt the files without having to pay the ransom to get the key but so far I haven't found a way to do it without executing the exe and am not sure how to proceed further.


BC AdBot (Login to Remove)

 


m

#2 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,392 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:11:07 PM

Posted 26 November 2014 - 11:10 PM

Please submit a sample of one of your encrypted files (exe extension) to http://www.bleepingcomputer.com/submit-malware.php?channel=3

#3 poxyfurfur

poxyfurfur
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:11:07 PM

Posted 26 November 2014 - 11:21 PM

Submited.



#4 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,392 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:11:07 PM

Posted 26 November 2014 - 11:49 PM

The one you submitted does not have an .exe extension.

#5 poxyfurfur

poxyfurfur
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:11:07 PM

Posted 26 November 2014 - 11:52 PM

Sorry, my mistake. Resubmitted.



#6 Nathan

Nathan

    DecrypterFixer


  • Security Colleague
  • 1,617 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:12:07 AM

Posted 07 December 2014 - 08:31 PM

Hello,
 
I have made a Decryption Patcher for this infection. If you were hit by Operation Global 3 (This infection, Title is on the bottom of ransom screen), then this patcher will help you get all your files back.
 
Here is a video with the step by step instructions:
http://youtu.be/1M5IEW5_Ydw
 
Here is the Patcher(Also on Video page):
http://www.bleepstatic.com/fhost/uploads/3/og3patcher.exe
 
Hope this helps!


Have you performed a routine backup today?

#7 poxyfurfur

poxyfurfur
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:11:07 PM

Posted 08 December 2014 - 05:03 PM

Thank you for the patch.  I actually came up with a similar way to decrypt the files.  However, the problem for me was that I have thousands of files that got encrypted so clicking on each one is not feasible.  I wrote a small script to iterate over all the files and open them one by one but since doing that launches the associated application, my script also needed to close/kill that application to prevent the computer from overloading.  As a result, the whole process is a bit cumbersome.  I managed to decrypt a lot of my files but there are sill many to do.

 

I was wondering if your patch works by utilizing the infection itself to do the decryption (as does my approach) or if it actually retrieves the key and decrypts the files on its own.  If the latter, perhaps it can be made to do this without needing to open the files?  That way, I can just let it run on all the affected files without needing to click on each one.



#8 Nathan

Nathan

    DecrypterFixer


  • Security Colleague
  • 1,617 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:12:07 AM

Posted 08 December 2014 - 07:03 PM

Well the good news is, after u run this patcher, the infection can never run right on the machine again. So you can actually simply use ur script now without having to worry about the infection opening again.

 

Perhaps if more people get the infection ill add a mass decrypt.

 

EDIT: My patcher actually changes a few bytes in the running infection, changing the way the exe's open.


Edited by Nathan, 08 December 2014 - 07:04 PM.

Have you performed a routine backup today?

#9 poxyfurfur

poxyfurfur
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:11:07 PM

Posted 09 December 2014 - 12:41 AM

My process also made it so that the machine wasn't getting reinfected when opening the encrypted files.  My issue is doing it on a mass scale without having to worry about automatically closing all the applications (such as the image viewer, music player, etc) that launch when each file opens.  Anyway, thanks for your efforts.






0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users