
BUYUNLOCKCODE Ransomware detected in the wild


17 replies to this topic

#1 Grinler (Lawrence Abrams), Admin, USA

Posted 01 January 2015 - 02:17 PM

To kick off the New Year, we have been receiving reports about a ransomware that is being distributed through Trojans that masquerade as legitimate program updates or utilities. This ransomware appears to have been circulating for the past few weeks. When infected, your data files will be encrypted and a BUYUNLOCKCODE.txt ransom note will be created in all directories where a file was encrypted. This buyunlockcode.txt file contains instructions and an email that you must contact to receive payment instructions. Known email addresses are nick.jameson@expressmail.dk and ChiuKhan@tom.com, though these will most likely change over time. At this time, the ransom amount is unknown.

The text of the BUYUNLOCKCODE.txt is:

Hi, your ID = JSOXXXXXXXX

All important files were encoded with RSA-1024 encryption algorithm.
There is the only way to restore them - purchase the unique unlock code.

Warning! Any attempt to recovering files without our "Special program" will cause data damage or complete data loss.
As we receive your payment, we will send special program and your unique code to unlock your system.

Guarantee: You can send one of the encrypted file by email and we decode it for free as proof of our abilities.

No sense to contact the police. Your payment must be made to the e-wallet. It's impossible to trace.
Don`t waste your and our time.

So, if you are ready to pay for recovering your files, please reply this email ChiuKhan@tom.com

Then we will send payment instructions.


Fabian Wosar of Emsisoft was kind enough to provide an installer and took a look at the ransomware's encryption routine for us. According to his analysis the malware encrypts your files using AES encryption, where the AES key is then encrypted with an RSA key. The encryption routine is done through the FGint open source cryptographic library. Fabian also stated that the entire file is encrypted and that there is no way to decrypt the files without the decryption key.

When infected, the malware will scan all of the data files on your computer and encrypt any files that have the following extensions:


*.crt, *.xls, *.docx, *.doc, *.cer, *.key, *.pem, *.pgp, *.der, *.rtf, *.xlsm, *.xlsx, *.xlsb, *.txt, *.xlc, *.docm, *.ptb, *.qbb, *.qbw, *.qba, *.qbm, *.xlk, *.dbf, *.mdb, *.mdf, *.mde, *.accdb, *.text, *.jpg, *.jpeg, *.ppt, *.pdf, *.cdx, *.cdr, *.bpg, *.vbp, *.php, *.css, *.dbx, *.dbt, *.arw, *.dwg, *.dxf, *.dxg, *.eps, *.indd, *.odb, *.odm, *.nrw, *.ods, *.odp, *.odt, *.orf, *.pdd, *.pfx, *.kdc, *.nef, *.mef, *.mrw, *.crw, *.dng, *.raf, *.psd, *.rwl, *.srf, *.srw, *.wpd, *.odc, *.sql, *.pab, *.vsd, *.xsf, *.pps, *.wps, *.pptm, *.pptx, *.pst, *.zip, *.tar, *.rar

When a file that matches one of the above files is detected, it will encrypt the file and then add .encoded.<unique id> to the end of the file name. For example, a file called example.txt would have its name changed to example.txt.encoded.JS8521121, where JS8521121 is the unique id associated with your infection. It will also create a BUYUNLOCKCODE.txt file in each folder that a file was encrypted. When it has finished encrypting your files it will display the C:\Users\User\AppData\Roaming\SunDevPackUpdate\BUYUNLOCKCODE.txt file and also change your wallpaper to display the following message:
 

[Image: wallpaper.jpg]


Finally, it will add some registry entries that will delete the original installer and any malware executables that were created.

Update: The ransomware does not appear to delete the Shadow Volume Copies. So it may be possible to restore your encrypted files using a program like Shadow Explorer or Previous Versions. Information about how to do this can be found here in our CryptoWall guide.

If there is any further info that is discovered about this ransomware, we will be sure to publish it here.


Known BUYUNLOCKCODE Ransomware Files:
 
%AppData%\SunDevPackUpdate\
%AppData%\SunDevPackUpdate\BUYUNLOCKCODE.txt
%AppData%\SunDevPackUpdate\pbinfoset.sww
%AppData%\SunDevPackUpdate\wallpp.bmp

Known BUYUNLOCKCODE Ransomware Registry keys:

HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\bcdel	cmd.exe /c del "%AppData%\SunDevPackUpdate\<random>.exe"
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\oldex	cmd.exe /c del "path-to-installer\installer.exe"
HKCU\Control Panel\Desktop\Wallpaper	"%AppData%\SunDevPackUpdate\wallpp.bmp"
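As an added example (my code, not something from this post, from Emsisoft or from the malware analysis), here is a small triage script that walks a directory tree and reports the on-disk artifacts the post describes: files renamed to <name>.encoded.<ID> and BUYUNLOCKCODE.txt ransom notes. Two things are assumptions of mine rather than facts from the post: that the <ID> is always letters followed by digits (the post's example is JS8521121), and that the note's ID and contact e-mail can be pulled out with simple regexes. The sample directory it builds is constructed for the demo.

```python
"""Added triage example (mine, not code from the BleepingComputer post):
walk a directory tree and report the artifacts the post describes, i.e.
files renamed to <name>.encoded.<ID> and BUYUNLOCKCODE.txt ransom notes.

Assumptions not stated in the post: the <ID> is letters followed by digits
(the post's example is JS8521121); note ID/e-mail are pulled with regexes.
The sample tree built below is constructed demo data.
"""
import os
import re
import tempfile
from collections import Counter

# Extensions the post lists as targeted (lower-cased, leading dot kept).
TARGETED_EXTENSIONS = {
    ".crt", ".xls", ".docx", ".doc", ".cer", ".key", ".pem", ".pgp", ".der", ".rtf",
    ".xlsm", ".xlsx", ".xlsb", ".txt", ".xlc", ".docm", ".ptb", ".qbb", ".qbw", ".qba",
    ".qbm", ".xlk", ".dbf", ".mdb", ".mdf", ".mde", ".accdb", ".text", ".jpg", ".jpeg",
    ".ppt", ".pdf", ".cdx", ".cdr", ".bpg", ".vbp", ".php", ".css", ".dbx", ".dbt",
    ".arw", ".dwg", ".dxf", ".dxg", ".eps", ".indd", ".odb", ".odm", ".nrw", ".ods",
    ".odp", ".odt", ".orf", ".pdd", ".pfx", ".kdc", ".nef", ".mef", ".mrw", ".crw",
    ".dng", ".raf", ".psd", ".rwl", ".srf", ".srw", ".wpd", ".odc", ".sql", ".pab",
    ".vsd", ".xsf", ".pps", ".wps", ".pptm", ".pptx", ".pst", ".zip", ".tar", ".rar",
}

RANSOM_NOTE_NAME = "buyunlockcode.txt"
# example.txt.encoded.JS8521121 -> original "example.txt", id "JS8521121"
ENCODED_NAME_RE = re.compile(r"^(?P<original>.+)\.encoded\.(?P<id>[A-Za-z]+\d+)$")
NOTE_ID_RE = re.compile(r"your ID\s*=\s*(\S+)")
NOTE_EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")


def classify_encoded_name(filename):
    """Return (original_name, infection_id) if the name follows the rename scheme, else None."""
    m = ENCODED_NAME_RE.match(filename)
    return (m.group("original"), m.group("id")) if m else None


def scan_tree(root):
    """Walk `root` and collect renamed files, ransom notes, IDs and contact e-mails."""
    report = {"encrypted": [], "notes": [], "ids": Counter(), "note_ids": Counter(),
              "extensions": Counter(), "emails": set(), "unlisted_extensions": set()}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.lower() == RANSOM_NOTE_NAME:
                report["notes"].append(path)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    text = fh.read()
                for m in NOTE_ID_RE.finditer(text):
                    report["note_ids"][m.group(1)] += 1
                report["emails"].update(NOTE_EMAIL_RE.findall(text))
                continue
            parsed = classify_encoded_name(name)
            if parsed is None:
                continue  # not renamed by this family; ignore
            original, infection_id = parsed
            ext = os.path.splitext(original)[1].lower()
            report["encrypted"].append(path)
            report["ids"][infection_id] += 1
            report["extensions"][ext] += 1
            if ext not in TARGETED_EXTENSIONS:
                # Renamed file outside the post's extension list: the list may be incomplete.
                report["unlisted_extensions"].add(ext)
    return report


def build_sample_tree():
    """Create a constructed directory tree that mimics an infected profile (demo data only)."""
    root = tempfile.mkdtemp(prefix="buyunlockcode_demo_")
    note = ("Hi, your ID = JS8521121\n\nAll important files were encoded with RSA-1024 "
            "encryption algorithm.\nSo, if you are ready to pay for recovering your files, "
            "please reply this email ChiuKhan@tom.com\n")
    layout = {
        "docs/report.docx.encoded.JS8521121": b"\x00ciphertext\x00",
        "docs/BUYUNLOCKCODE.txt": note.encode(),
        "photos/holiday.jpg.encoded.JS8521121": b"\x00ciphertext\x00",
        "photos/BUYUNLOCKCODE.txt": note.encode(),
        "notes.txt": b"untouched plain text\n",  # not renamed, so not reported
    }
    for rel, data in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    result = scan_tree(build_sample_tree())
    for key in ("encrypted", "notes", "ids", "note_ids", "extensions", "emails"):
        print(f"{key:10s}: {result[key]}")
```

Run it against a real profile by passing the user's home directory to scan_tree instead of the constructed tree; the infection ID it recovers from filenames and notes is what the ransom note calls "your ID", and an extension turning up in unlisted_extensions means the victim's copy targets more than the list above.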



#2 Sintharius (Bleepin' Sniper), Members, The Netherlands

Posted 01 January 2015 - 02:22 PM

Does it erase Shadow Copies like other ransomware as well?

#3 Grinler (Lawrence Abrams), Admin, Topic Starter

Posted 01 January 2015 - 02:27 PM

Forgot to mention that. No it does not appear to delete the shadow volume copies.

#4 rp88, Members

Posted 01 January 2015 - 07:58 PM

How is this virus being delivered? Email attachments? Malicious ads? Disguised as a legitimate program? Once it has got itself on a victim's system it clearly pretends to be an innocent sounding background utility, but that doesn't suggest how it gets there initially.
Back on this site, for a while anyway, been so busy the last year.

My systems:2 laptops, intel i3 processors, windows 8.1 installed on the hard-drive and linux mint 17.3 MATE installed to USB

#5 Grinler (Lawrence Abrams), Admin, Topic Starter

Posted 01 January 2015 - 08:12 PM

"that is being distributed through Trojans that masquerade as legitimate program updates or utilities"



#6 Zach6656, Members

Posted 02 January 2015 - 09:10 AM

I'm not exactly a pro at encoding... but somebody should create a program that gets rid of this, maybe as a .bat file or something (btw is this happening on linux too?)


Edited by Zach6656, 02 January 2015 - 09:10 AM.

always use DD-WRT for all your routers, if you cant get it for them, throw them away


#7 Sirawit (Bleepin' Brony), Malware Response Team, Thailand

Posted 02 January 2015 - 09:35 AM

This malware is delivered via my ISP. (DNS hack.) Good to know Shadow Copies works.

Thank you.

If I don't reply back to you in 2 days, feel free to send me a PM.

“You’re lying… just like you were lying to me before. You have to hate me. I’ve been the worst daughter in the world… you should hate me.”

“But I don’t, Nyx. Because, Nyx, I’m your mother, and a mother will always love her daughter, no matter what.” -Past sins by Pen stroke.


#8 Sirawit (Bleepin' Brony), Malware Response Team, Thailand

Posted 02 January 2015 - 09:44 AM

P.S. known IP Address for DNS servers that deliver this ransomware are 5.175.225.188 and 109.234.37.98.


#9 rp88, Members

Posted 02 January 2015 - 10:57 AM

" delivered via my ISP." Please explain what is going on there, and how to block such types of attack.

#10 Sirawit (Bleepin' Brony), Malware Response Team, Thailand

Posted 02 January 2015 - 11:01 AM

Two types:

1. If we set the DNS settings in the router to auto discover, the ISP will send us a DNS number that will open Russian popups. (But no ransomware there.)

2. If we set the DNS settings in the router to user settings but do not change the default password, we will get another set of DNS addresses that will give us ransomware.

We think our ISP got hacked.



#11 rp88, Members

Posted 02 January 2015 - 11:31 AM

What about for those of us who don't have a router? I just plug an ethernet cable from my machine into a socket on the wall. From this socket wires connect down to a main "hub" of some sort in the block of flats where I live; all the people living here use the same ISP, the one which runs the network already built into the building.

Would this sort of attack just deliver viruses as soon as a user plugged in their ethernet cable, without them needing to visit dodgy websites or download infected files? Is NoScript any kind of protection in this case?

Edited by rp88, 02 January 2015 - 11:31 AM.


#12 Sirawit (Bleepin' Brony), Malware Response Team, Thailand

Posted 02 January 2015 - 11:52 AM

I don't know, but to protect against it you should change the DNS settings in your router to OpenDNS or Google Public DNS and change the router password. You may want to change the DNS settings on your devices too.

This DNS will redirect the user to bad sites. For example, if I'm at bleepingcomputer.com and I click on the forums link, instead of going to www.bleepingcomputer.com/forums I get redirected to a bad website instead; from that point I don't dare to try further.



#13 rp88, Members

Posted 02 January 2015 - 01:26 PM

Minitoolbox gives information on which DNS a user currently has doesn't it?
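Posts #8, #10, #12 and #13 above cover three things a defender can turn into a check: the two resolver addresses Sirawit reported, the advice to point the router and the devices at OpenDNS or Google Public DNS, and the question of how to see which DNS servers a machine is currently using. As an added example (my code, not from anyone in this thread), the script below parses the "DNS Servers" entries out of Windows `ipconfig /all` output and flags resolvers that match the reported addresses, that are private/LAN addresses (usually the router, which is what the thread says gets reconfigured), or that are not on a local allowlist. The allowlist contents and the sample ipconfig text are mine and constructed; the two reported addresses are the ones from post #8.

```python
"""Added example (mine, not from the thread): pull the configured DNS servers
out of Windows `ipconfig /all` output and flag resolvers that match the
addresses reported in this thread or fall outside a local allowlist.

Assumptions: the allowlist (OpenDNS and Google Public DNS, which the thread
suggests switching to) and the sample ipconfig text below are mine and
constructed; the two "bad" addresses are the ones posted in the thread.
"""
import ipaddress
import re

REPORTED_BAD_RESOLVERS = {"5.175.225.188", "109.234.37.98"}  # from post #8 above
ALLOWED_RESOLVERS = {"208.67.222.222", "208.67.220.220",      # OpenDNS
                     "8.8.8.8", "8.8.4.4"}                    # Google Public DNS

ADAPTER_RE = re.compile(r"^(\S.*adapter\s+.*):\s*$", re.IGNORECASE)
DNS_LINE_RE = re.compile(r"^\s*DNS Servers[\s.]*:\s*(\S+)?\s*$")
CONTINUATION_RE = re.compile(r"^\s+(\S+)\s*$")


def _as_ip(token):
    """Return an ipaddress object for token (IPv6 scope id stripped), or None."""
    try:
        return ipaddress.ip_address(token.split("%", 1)[0])
    except ValueError:
        return None


def parse_dns_servers(ipconfig_text):
    """Map each adapter name to the list of DNS servers ipconfig shows for it."""
    servers, adapter, collecting = {}, "unknown adapter", False
    for line in ipconfig_text.splitlines():
        m = ADAPTER_RE.match(line)
        if m:
            adapter, collecting = m.group(1), False
            continue
        m = DNS_LINE_RE.match(line)
        if m:
            collecting = True
            servers.setdefault(adapter, [])
            if m.group(1):
                servers[adapter].append(m.group(1))
            continue
        # ipconfig prints additional servers on the following lines, indented, one per line
        m = CONTINUATION_RE.match(line) if collecting else None
        if m and _as_ip(m.group(1)):
            servers[adapter].append(m.group(1))
        else:
            collecting = False
    return servers


def assess_resolvers(servers):
    """Return (adapter, address, reason) for every resolver that deserves attention."""
    findings = []
    for adapter, addrs in servers.items():
        for addr in addrs:
            ip = _as_ip(addr)
            if addr in REPORTED_BAD_RESOLVERS:
                findings.append((adapter, addr, "resolver reported in this thread as serving the ransomware"))
            elif ip is not None and ip.is_private:
                findings.append((adapter, addr, "router/LAN resolver: check the router's DNS settings and admin password"))
            elif addr not in ALLOWED_RESOLVERS:
                findings.append((adapter, addr, "resolver not on the allowlist"))
    return findings


# Constructed sample resembling `ipconfig /all` output on an affected machine.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : DESKTOP-EXAMPLE

Ethernet adapter Ethernet:

   Connection-specific DNS Suffix  . : home.example
   IPv4 Address. . . . . . . . . . . : 192.168.1.23
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 109.234.37.98
                                       5.175.225.188
   NetBIOS over Tcpip. . . . . . . . : Enabled

Wireless LAN adapter Wi-Fi:

   DNS Servers . . . . . . . . . . . : 208.67.222.222
                                       208.67.220.220
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

if __name__ == "__main__":
    for adapter, addr, reason in assess_resolvers(parse_dns_servers(SAMPLE_IPCONFIG)):
        print(f"{adapter}: {addr} -> {reason}")
```

On a real machine, feed it the saved output of `ipconfig /all` instead of SAMPLE_IPCONFIG. A private-address finding is not proof of anything on its own; it only means the machine trusts the router's resolver, so the router's own DNS setting (and, per post #10, its admin password) is the thing to verify next.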

#14 Riidher, Members, Oregon City, OR

Posted 02 January 2015 - 06:41 PM

I usually never say anything in the forums, but this time I want to give a big "Thank you Grinler for bringing this to everybody's attention." My first thought is Holy **it!! .... If more of the bad guys start doing this with their malware, there is going to be some real trouble for people. I don't know enough about the TCP/IP system to really understand how this works. But the ISPs had better get on board with this as they would have some culpability for delivering it. The lawyers are going to have a field day.



#15 drmakerev1, Members

Posted 03 January 2015 - 02:36 PM

I got hit with a ransomware right after Christmas.....as a business, losing 8 years of work on a workstation is catastrophic....first I reported the ransomware to the FBI....they might not do much now, but I isolated three sets of files that couldn't be duplicated (real loss), but if the FBI does in fact catch the criminal(s) the RICO act kicks in and I kept that tidbit of evidence.....then I scrubbed the entire system, deep formats, and loaded the 17 TB of backup files, one week lost...but I refuse to pay a hack criminal any money in ransom.....period.....moral of story.....back up everything, offsite.....





