New Crypto Locker type Virus


25 replies to this topic

#1 gstrass781
  • Members
  • 2 posts

Posted 05 December 2014 - 11:53 AM

My network got hit today with a new CryptoLocker copycat virus.

Malwarebytes was the only one to detect the virus. I have sent the files to ClamAV, VirusTotal, Trend Micro and Symantec. I figured I would share with everyone here as well.

This virus appears to run as ahrkzlanfawanf.exe and/or ahrkzla.exe. It takes any Filename.txt and Filename.doc, encrypts the content and changes the file extension to *.rtrsxox.

Nasty bugger; it encrypted a ton of my network files before someone noticed.

The virus additionally requests that you download Tor and pay money for the decryption keys.

Well, I am pulling from backups. The infected user noticed it and alerted me, which prevented any more infections; however, the damage is done.

Beware: none of the major antivirus vendors have put out definitions for this virus, and it's a pain to restore from backup.

Good luck, everybody else.

***************************************

Virus Doc Below.

 

Your documents, photos, databases and other important files have been encrypted
with strongest encryption and unique key, generated for this computer.
 
Private decryption key is stored on a secret Internet server and nobody can
decrypt your files until you pay and obtain the private key.
 
If you see the main locker window, follow the instructions on the locker.
Overwise, it's seems that you or your antivirus deleted the locker program.
Now you have the last chance to decrypt your files.
 
Open http://43qzvceo6ondd6wt.onion.cab or http://43qzvceo6ondd6wt.tor2web.org 
in your browser. They are public gates to the secret server. 
 
If you have problems with gates, use direct connection:
 
1. Download Tor Browser from http://torproject.org
 
2. In the Tor Browser open the http://43qzvceo6ondd6wt.onion/
   Note that this server is available via Tor Browser only. 
   Retry in 1 hour if site is not reachable.
 
Copy and paste the following public key in the input form on server. Avoid missprints.
 
Follow the instructions on the server.

 




#2 quietman7 (Bleepin' Janitor)
  • Global Moderator
  • 51,764 posts
  • Location: Virginia, USA

Posted 05 December 2014 - 02:32 PM

I have advised our Security Colleagues who specialize in crypto malware ransomware with a link to this topic.

 

Please submit a sample of an encrypted file here: http://www.bleepingcomputer.com/submit-malware.php?channel=3

You can also submit any of the malware files that you suspect were involved in causing the infection.



#3 Grinler (Lawrence Abrams)
  • Admin
  • 43,640 posts
  • Location: USA

Posted 08 December 2014 - 02:15 PM

When I ran this sample it installed CTB Locker.

 

http://www.bleepingcomputer.com/virus-removal/ctb-locker-ransomware-information

 

Unfortunately, there is nothing we can do to help other than what is in the above guide.



#4 gstrass781 (Topic Starter)
  • Members
  • 2 posts

Posted 08 December 2014 - 02:30 PM

Thanks for the feedback. I ended up dumping the infected computer and files and restored from our backup tapes. 48 hours of backups, but at least we had them! I know people who have lost everything they ever had. Backup and backup often!

 

George 



#5 quietman7 (Bleepin' Janitor)
  • Global Moderator
  • 51,764 posts
  • Location: Virginia, USA

Posted 08 December 2014 - 02:41 PM

...Backup and backup often!

That should have always been the best practice but it has become a key point we stress to everyone since the emergence of crypto malware (ransomware).

#6 mattone
  • Members
  • 6 posts

Posted 18 December 2014 - 03:26 PM

Hello Everyone,

Hoping you can help me out with the same issue.

I got the same virus, only I still have the computer and files, and if anyone is willing to research how to decrypt them I can email sample files to them.

I would be so grateful for any help I can get on this.

It seems to have mainly encrypted only .txt files, and then adds the extension ntfadgf to them, so for example a file originally named "Sample.txt" is now "Sample.txt.ntfadgf".

Unfortunately, I didn't have a backup of everything, and what was lost was super important, and I am even tempted to pay the virus creator the 1 BTC they ask for.

Let me know what else I can tell you regarding this to help and thanks so much in advance.

Matt 

 

PS: additional info:

I have many files named "Decrypt All Files.ntfadgf.txt"; inside, they contain instructions from the virus creator on how to decrypt them. Here is a paste of the contents:

===========================================================================================================================================
Your documents, photos, databases and other important files have been encrypted
with strongest encryption and unique key, generated for this computer.
 
Private decryption key is stored on a secret Internet server and nobody can
decrypt your files until you pay and obtain the private key.
 
If you see the main locker window, follow the instructions on the locker.
Overwise, it's seems that you or your antivirus deleted the locker program.
Now you have the last chance to decrypt your files.
 
in your browser. They are public gates to the secret server. 
 
If you have problems with gates, use direct connection:
 
1. Download Tor Browser from http://torproject.org
 
2. In the Tor Browser open the http://43qzvceo6ondd6wt.onion/
   Note that this server is available via Tor Browser only. 
   Retry in 1 hour if site is not reachable.
 
Copy and paste the following public key in the input form on server. Avoid missprints.
XXXXXX-XXXXXX-XXXXXX-XXXXXX-XXXXXX-XXXXXX-XXXXXX-XXXXXX
XXXXXX-XXXXXX-XXXXXX-XXXXXX-XXXXXX-XXXXXX-XXXXXX-XXXXXX
XXXXXX-XXXXXX-XXXXXX-XXXXXX-XXXXXX-XXXXXX-XXXXXX-XXXXXX
 
Follow the instructions on the server.
===========================================================================================================================================
Note: I changed the key above to show all XXXXXX for security reasons.
Below I will paste the instructions shown on the server website:
===========================================================================================================================================
Payment required
 
Server accepts payment in Bitcoin (BTC) only.
 
If you have bitcoins:
 
1. Pay amount of 1 BTC to address: 1CaAYLQt8wHAiPKb4s7buETnbiXoMnqd3y
2. Transaction will take about 15-30 minutes to confirm.
 
 
If you do not have bitcoins:
 
1. Open one of the exchangers:
and select exchange in your country and currency.
Or open https://localbitcoins.com/ and find person who sells bitcoins near you.
 
Buy 1 BTC (about of 320 USD) and make direct deposit to bitcoin address: 1CaAYLQt8wHAiPKb4s7buETnbiXoMnqd3y
   Exact payment amount can vary depending of exchange rates.
4. Transaction completion may take several days.
 
 
Reload this page in 15 minutes. After transaction completes you wiil be redirected to decryption page.
Don't worry if some errors occurs and connection was broken. Wait 15 minutes and press F5.

Edited by mattone, 18 December 2014 - 03:35 PM.
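Added example for the two reports above (post #1: .rtrsxox, post #6: .ntfadgf); this is triage code written for this page, not something either poster ran and not anything BleepingComputer published. The point it makes is that the extension differs per infection, so a scoping script should not hard-code it: this one walks a share read-only, tags files carrying the known extensions, learns any further extension from the "Decrypt All Files.<ext>.txt" note name reported in post #6, and falls back to a Shannon-entropy check for encrypted content whose extension is unknown. The sample directory, the file names, the 7.0 bits/byte threshold and the 5-10 lowercase-letter extension pattern are assumptions; os.urandom() output stands in for ciphertext.

```python
import math
import os
import re
import tempfile
from collections import Counter

# Extensions reported in this thread: .rtrsxox (post #1) and .ntfadgf (post #6).
# The extension differs per infection, so this set is a seed, not the rule.
KNOWN_EXTENSIONS = {"rtrsxox", "ntfadgf"}

# Ransom note name reported in post #6: "Decrypt All Files.<ext>.txt".
# The <ext> part is the same string appended to the encrypted files.
# The 5-10 lowercase letters pattern is an assumption drawn from the two reports.
NOTE_RE = re.compile(r"^Decrypt All Files\.([a-z]{5,10})\.txt$")

# Assumed threshold: text and office documents sit well below 7 bits/byte,
# ciphertext (and compressed data, a known false positive) sits near 8.
ENTROPY_THRESHOLD = 7.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input, ~8.0 for uniform random)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def learn_extensions(root):
    """Seed extensions plus any learned from ransom note file names under `root`."""
    found = set(KNOWN_EXTENSIONS)
    for _, _, files in os.walk(root):
        for name in files:
            m = NOTE_RE.match(name)
            if m:
                found.add(m.group(1))
    return found


def triage(root, sample_bytes=4096):
    """Walk `root` read-only and bucket files as ransom notes, known-extension
    ciphertext, or high-entropy content with an unrecognised extension.
    Never deletes or renames: encrypted files and notes are evidence, and the
    only input a future decryptor could use."""
    exts = learn_extensions(root)
    report = {"ransom_notes": [], "by_extension": [], "high_entropy": []}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if NOTE_RE.match(name):
                report["ransom_notes"].append(path)
                continue
            suffix = name.rsplit(".", 1)[-1].lower() if "." in name else ""
            if suffix in exts:
                report["by_extension"].append(path)
                continue
            with open(path, "rb") as fh:
                head = fh.read(sample_bytes)
            # Skip tiny files: entropy estimates on a few dozen bytes are noise.
            if len(head) >= 256 and shannon_entropy(head) > ENTROPY_THRESHOLD:
                report["high_entropy"].append(path)
    return report


def build_sample_tree():
    """Constructed fixture standing in for a hit share. os.urandom() output
    plays the role of ciphertext; the names follow the two reports above."""
    root = tempfile.mkdtemp(prefix="ctb_triage_")
    docs = os.path.join(root, "docs")
    os.makedirs(docs)

    def put(name, data):
        with open(os.path.join(docs, name), "wb") as fh:
            fh.write(data)

    put("readme.txt", b"quarterly numbers, still plain text\n" * 40)
    put("Sample.txt.ntfadgf", os.urandom(2048))             # post #6 extension
    put("report.doc.rtrsxox", os.urandom(2048))             # post #1 extension
    put("Decrypt All Files.ntfadgf.txt", b"Your documents ... have been encrypted\n")
    # A third, previously unseen extension: only its note reveals it.
    put("budget.xls.qwertyu", os.urandom(2048))
    put("Decrypt All Files.qwertyu.txt", b"Your documents ... have been encrypted\n")
    # Encrypted-looking file with no extension clue at all.
    put("archive.bin", os.urandom(2048))
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for bucket, paths in triage(sample_root).items():
        print(f"{bucket}: {len(paths)}")
        for p in sorted(paths):
            print("   ", os.path.relpath(p, sample_root))
```

Run it against a mounted snapshot or a copy, never against the live share with write access, and feed the "by_extension" list to the restore job; the "high_entropy" bucket will also catch legitimate archives and media, so it is a review list, not a delete list.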


#7 quietman7 (Bleepin' Janitor)
  • Global Moderator
  • 51,764 posts
  • Location: Virginia, USA

Posted 18 December 2014 - 04:53 PM

You can submit a sample of an encrypted file here: http://www.bleepingcomputer.com/submit-malware.php?channel=3

You can also submit any of the malware files that you suspect were involved in causing the infection. Doing that will be helpful with investigating.

#8 mattone
  • Members
  • 6 posts

Posted 18 December 2014 - 05:47 PM

Hi, thanks for the reply.

I honestly have no idea where the actual virus is or if it's still on the computer, because I ran a few antivirus programs which found many things, and it's all gone now.

I can upload the one file I had decrypted for free, and maybe someone can figure out how it was encrypted so I can decrypt the others without having to pay the virus creators.

I would gladly pay; I mean, I am not cheap even though I am poor as hell, lol. But I would much rather pay you guys and honest help than the crooks who made it.



#9 quietman7 (Bleepin' Janitor)
  • Global Moderator
  • 51,764 posts
  • Location: Virginia, USA

Posted 18 December 2014 - 05:49 PM

Check the quarantine logs for your anti-virus and any other security tools you may have used.

#10 mattone
  • Members
  • 6 posts

Posted 18 December 2014 - 08:40 PM

The problem is that so much turns up in the logs that I have no idea what pertains to that specific virus. However, this happened all at once one day, so maybe that one virus turned up all this in the log.

There are things like this showing many times:

Spyware.Sazoora

Spyware.Zbot.ED

Backdoor.Bot

Trojan.Agent

PUP.Optional.Zoomify.A

Trojan.Agent.ED

It's easily a list of over 100 items; if there is something specific I should focus on, let me know.

The log also shows their file locations.

 

Thanks again
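Added example for the problem in the last two posts (a quarantine log with 100+ entries and no way to tell which belong to the ransomware event); this is not code from the thread. The poster's own observation is the lead: the infection "happened all at once one day", so sorting detections by time and splitting them wherever there is a long gap isolates the burst, and matching file names against the binaries reported in post #1 (ahrkzlanfawanf.exe, ahrkzla.exe) confirms which entries in that burst are the locker. The log lines below are constructed for the example in a generic "timestamp | detection | path" layout, not the real Malwarebytes export format; the timestamps and paths are invented (the detection names are the ones listed above), and the 30-minute gap threshold is an assumption.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in a generic "timestamp | detection | path" layout.
# NOT the real Malwarebytes export format: adjust LINE_RE to what your tool writes.
# Detection names are those listed in the post above; dates and paths are invented.
SAMPLE_LOG = """\
2014-11-03 09:12:44 | PUP.Optional.Zoomify.A | C:\\Program Files\\Zoomify\\zoomify.dll
2014-11-20 18:05:10 | Trojan.Agent | C:\\Users\\matt\\AppData\\Local\\Temp\\setup_1.exe
2014-12-16 08:41:02 | Spyware.Zbot.ED | C:\\Users\\matt\\AppData\\Roaming\\Kiwaz\\uvoh.exe
2014-12-16 08:41:02 | Backdoor.Bot | C:\\Users\\matt\\AppData\\Roaming\\msconfig.exe
2014-12-16 08:41:03 | Trojan.Agent.ED | C:\\Users\\matt\\AppData\\Local\\Temp\\ahrkzlanfawanf.exe
2014-12-16 08:41:03 | Trojan.Agent.ED | C:\\Users\\matt\\AppData\\Local\\Temp\\ahrkzla.exe
2014-12-16 08:41:05 | Spyware.Sazoora | C:\\Users\\matt\\AppData\\Roaming\\sazo.exe
2014-12-19 14:20:31 | PUP.Optional.Zoomify.A | C:\\Users\\matt\\Downloads\\zoomify_installer.exe
"""

# Process names reported by the thread starter (post #1).
IOC_NAMES = {"ahrkzlanfawanf.exe", "ahrkzla.exe"}

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \| (?P<det>[^|]+?) \| (?P<path>.+)$"
)


def parse_log(text):
    """Return (timestamp, detection, path) tuples sorted by time; skip lines that do not parse."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
        entries.append((ts, m.group("det").strip(), m.group("path").strip()))
    return sorted(entries, key=lambda e: e[0])


def burst_clusters(entries, max_gap=timedelta(minutes=30)):
    """Split time-sorted entries wherever consecutive detections are more than max_gap apart.
    Each cluster is one 'event'; the assumed 30-minute gap separates a mass infection
    from the background of unrelated adware/PUP hits accumulated over weeks."""
    clusters = []
    for entry in entries:
        if clusters and entry[0] - clusters[-1][-1][0] <= max_gap:
            clusters[-1].append(entry)
        else:
            clusters.append([entry])
    return clusters


def largest_burst(entries, max_gap=timedelta(minutes=30)):
    """The single cluster with the most detections: the 'all at once' event."""
    clusters = burst_clusters(entries, max_gap)
    return max(clusters, key=len) if clusters else []


def basename(path):
    """File name component of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def match_iocs(entries, ioc_names=IOC_NAMES):
    """Entries whose file name equals a known ransomware binary name (case-insensitive)."""
    names = {n.lower() for n in ioc_names}
    return [e for e in entries if basename(e[2]).lower() in names]


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    burst = largest_burst(entries)
    print(f"{len(entries)} detections, largest burst has {len(burst)} "
          f"between {burst[0][0]} and {burst[-1][0]}")
    for ts, det, path in burst:
        flag = "  <-- post #1 IOC" if basename(path).lower() in IOC_NAMES else ""
        print(f"  {ts}  {det:24} {path}{flag}")
```

The burst gives the timeline (when the locker ran and from which directories), which is what the moderator's "check the quarantine logs" advice is after; the quarantined files inside that window are the ones worth submitting to the sample-upload link given earlier in the thread, and the burst's start time bounds which backups are still clean.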



#11 mattone
  • Members
  • 6 posts

Posted 22 December 2014 - 01:49 AM

Hello again,

Sorry, I wasn't at the computer for a few days.

Anyway, I got this snippet from the MBAM logs; hope it helps.

http://i.imgur.com/DG83F7h.png



#12 mattone
  • Members
  • 6 posts

Posted 26 December 2014 - 11:14 PM

The client might actually end up paying 1 BTC to hopefully decrypt their files.

Ugh, this is horrible.



#13 ABJ
  • Members
  • 8 posts

Posted 29 December 2014 - 02:19 AM

That virus doc reminds me a LOT of CryptoWall. >:(



#14 PuReinSAniTY
  • Members
  • 432 posts
  • Location: in a basement

Posted 29 December 2014 - 05:29 AM

Ransomware is getting more dangerous every day: more powerful encryption, harder to detect, and also getting much more vicious, giving even the most trained malware removal guys a really hard time removing it, not to even mention breaking the encryption, which is pretty much impossible. Look how long it took for decryptolocker to come out...

Edited by awesomecooldude101, 29 December 2014 - 05:30 AM.



#15 mattone
  • Members
  • 6 posts

Posted 29 December 2014 - 11:58 PM

You can say that again. I am pretty experienced with computers myself, and while I was able to stop the virus and remove it, there is no way I can decrypt it or figure out the encryption key.

I can't believe I am actually looking at the current value of Bitcoin, hoping to buy it as low as possible, because there is no way around this. While this didn't happen to me, it happened to a few clients of mine, and it already has me planning new ideas on how to make my backups even safer, and I already do more backups than most as it is.

Sincerely, another depressed victim of ransomware who is hoping this thing gets stopped and the creators get prosecuted and punished.

:( Would be nice if the FBI caught them and sent out the keys for any victims to decrypt their data for free instead of just killing the servers with the keys.





