
New Ransomware or similar ?


17 replies to this topic

#1 ipunis

Posted 22 March 2015 - 11:09 AM

Hi there,

It seems that we have a new ransomware or something similar around. Yesterday a client gave me a HDD (with Windows 7 Pro) and all data files (jpg, txt, docx, dbf, zip, rar ...) were encrypted. I don't really know what message they had on screen, but he told me that it asked to pay about 400 euros for decryption of his data.

Here is what I know until now about the infection.

On one Croatian forum http://www.bug.hr/forum/topic/vijesti-by-forumasi/ransomware-napada/223333.aspx they talk about it, but no solution yet to decrypt data.

The attack on files was on Wednesday 18.03.2015 at about 13:30 on all computers that have reported the problem.

The filename is changed to FILENAME.EXTENSION.id-xxxxxxxxxx_sos@anointernet.com where xxxxxxxxxx is a 10 digit number.

What I can see is the difference between an encrypted and a decrypted file:

The first 30000 bytes of the file are encrypted (7530 HEX).

At the end of the file (after the real end of file) 4 random bytes are added.

As for the client the most important were DBF files, I did some rescue with the HxD hex editor where I replaced the first 30000 bytes of the encrypted file with 30000 bytes from an older backup that was not encrypted, but it was about 3 months old. Fortunately, DBF files grow sequentially, so the beginning of the file is the same in both versions of the file, and now I have some data restored.

The problem is where the encrypted DBF file is smaller than 30000 bytes. Then the whole file is encrypted, so I can't just add the beginning, because I don't know if there are some changes since the last backup.

I don't know a lot about encrypting and decrypting, but if there is someone that is interested in the case, I have several files from before and after encryption.

Thanks in advance.

Ivo


Edited by ipunis, 22 March 2015 - 11:11 AM.
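The manual HxD rescue described in this post, as an added example that is not part of the thread and not the poster's own tooling: it recognises the renaming pattern, splices the first 30000 bytes from an older clean backup onto the untouched tail of the encrypted file, drops the 4 appended bytes, and refuses files whose payload is not longer than 30000 bytes (the case where the whole file was encrypted). It goes one step beyond the post for DBF files: a spliced DBF still carries the backup's record count in header bytes 4-7, so the count is recomputed from the restored length. The dBASE header offsets are standard; the sample DBF files and the random-byte stand-in for the unknown cipher are constructed here, not real victim files.

```python
import os
import re

# Values reported in the post above: 30000 (0x7530) leading bytes encrypted,
# 4 bytes appended after the real end of file, and the renaming pattern.
ENCRYPTED_PREFIX_LEN = 30000
TRAILER_LEN = 4
RENAME_RE = re.compile(r"^(?P<original>.+)\.id-(?P<victim_id>\d{10})_sos@anointernet\.com$")


def parse_renamed(name: str):
    """Return (original_name, victim_id) when `name` follows the renaming
    pattern from the post, otherwise None."""
    m = RENAME_RE.match(name)
    return (m.group("original"), m.group("victim_id")) if m else None


def restore_header(encrypted: bytes, backup: bytes) -> bytes:
    """Rebuild a file from its encrypted copy plus an older clean backup:
    first 30000 bytes from the backup, the untouched remainder from the
    encrypted file, and the 4 appended bytes dropped.  Refuses when the
    encrypted payload (minus trailer) is not longer than 30000 bytes,
    because then the whole file was encrypted and nothing survives to splice."""
    if len(encrypted) < TRAILER_LEN:
        raise ValueError("file too short to carry the 4-byte trailer")
    payload_len = len(encrypted) - TRAILER_LEN
    if payload_len <= ENCRYPTED_PREFIX_LEN:
        raise ValueError("entire file was encrypted; only the backup can help")
    if len(backup) < ENCRYPTED_PREFIX_LEN:
        raise ValueError("backup shorter than the encrypted prefix")
    return backup[:ENCRYPTED_PREFIX_LEN] + encrypted[ENCRYPTED_PREFIX_LEN:payload_len]


def fix_dbf_record_count(data: bytes) -> bytes:
    """A spliced DBF carries the *backup's* record count in header bytes 4-7
    (dBASE header: bytes 8-9 header length, 10-11 record length, little
    endian).  Recompute the count from the restored length so dBASE tools
    see the records appended since the backup was taken."""
    header_len = int.from_bytes(data[8:10], "little")
    record_len = int.from_bytes(data[10:12], "little")
    if header_len == 0 or record_len == 0 or header_len > len(data):
        raise ValueError("not a dBASE header")
    # Floor division ignores a trailing 0x1A end-of-file marker if present.
    n_records = (len(data) - header_len) // record_len
    return data[:4] + n_records.to_bytes(4, "little") + data[8:]


# --- constructed sample data (not real victim files) ----------------------

def make_dbf(n_records: int, record_len: int = 10) -> bytes:
    """Build a minimal dBASE III file with one character field."""
    header = bytearray(32)
    header[0] = 0x03                                     # dBASE III, no memo
    header[1:4] = bytes([15, 3, 18])                     # last update 2015-03-18 (YY MM DD)
    header[4:8] = n_records.to_bytes(4, "little")
    header[8:10] = (32 + 32 + 1).to_bytes(2, "little")   # header + 1 field descriptor + 0x0D
    header[10:12] = record_len.to_bytes(2, "little")
    field = bytearray(32)
    field[0:4] = b"DATA"
    field[11] = ord("C")
    field[16] = record_len - 1
    records = b"".join(b" " + f"{i:0{record_len - 1}d}".encode() for i in range(n_records))
    return bytes(header) + bytes(field) + b"\x0d" + records + b"\x1a"


def simulate_encrypted(plain: bytes) -> bytes:
    """Stand-in for the unknown cipher: random bytes replace the prefix and a
    random 4-byte trailer is appended, matching the layout described."""
    return os.urandom(ENCRYPTED_PREFIX_LEN) + plain[ENCRYPTED_PREFIX_LEN:] + os.urandom(TRAILER_LEN)


def recover_demo():
    """Backup from months ago (3000 records) vs. the encrypted current file
    (4000 records).  Returns (splice_alone_matches, after_count_fix_matches)."""
    backup = make_dbf(3000)
    current = make_dbf(4000)
    encrypted = simulate_encrypted(current)
    spliced = restore_header(encrypted, backup)
    fixed = fix_dbf_record_count(spliced)
    return spliced == current, fixed == current


if __name__ == "__main__":
    print(parse_renamed("orders.dbf.id-1234567890_sos@anointernet.com"))
    print(recover_demo())
```

The splice alone reproduces the data but not a byte-exact file, because the header still says 3000 records; after the count fix the restored file equals the pre-encryption original. On real files, always work on copies of the encrypted data and keep the originals untouched in case a proper decrypter appears later.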



 


#2 quietman7, Bleepin' Janitor (Global Moderator)

Posted 22 March 2015 - 02:58 PM


The BC staff has advised our Security Colleagues who specialize in crypto malware ransomware with a link to this topic.

Please submit a sample of an encrypted file here: http://www.bleepingcomputer.com/submit-malware.php?channel=3
with a link to this topic.

You can also submit samples of suspicious executables or any malware files that you suspect were involved in causing the infection. Doing that will be helpful with analyzing and investigating.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#3 White Hat Mike

Posted 22 March 2015 - 05:14 PM

Could you upload a sample to Mega and provide me a link so I could take a look at it?


Information Security Engineer | Penetration Tester | Forensic Analyst

CipherTechs.com


#4 ipunis (Topic Starter)

Posted 22 March 2015 - 06:33 PM

I did it.

White Hat Mike, I sent you a PM with a link to the file.

Ivo



#5 ipunis (Topic Starter)

Posted 22 March 2015 - 06:35 PM

As I have read about it, the malware is a self-destroying one, so I don't have any suspicious executable so far.



#6 White Hat Mike

Posted 22 March 2015 - 06:35 PM

I did it.

White Hat Mike, I sent you a PM with a link to the file.

Ivo

Do you have the actual malicious PE (executable [.exe]) file that holds the malware's payload?




#7 ipunis (Topic Starter)

Posted 22 March 2015 - 06:37 PM

I have the HDD in my office but didn't try to find that executable; anywhere to look for it?

Ivo



#8 White Hat Mike

Posted 23 March 2015 - 09:23 AM

I have the HDD in my office but didn't try to find that executable; anywhere to look for it?

Ivo

What type of operating system? Make sure to image the drive and mount it using a Linux LiveCD (CAINE, Kali) or other forensic software to preserve any data... don't boot up the physical machine with the infected HDD attached if you can avoid it.

Common locations on Windows:

%LocalAppData%
%Temp%
%ProgramData%


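An added example (not from the thread or its posters) that applies the advice above to a mounted, read-only image rather than the live machine: it walks the locations named in the post under the image root, keeps only files whose modification time falls inside a window around the attack time reported in the first post (18.03.2015, about 13:30), and checks for a real PE header rather than trusting the extension. The directory layout under the mount point, the two-hour window and the constructed sample tree are assumptions; on a real image, point `root` at the mount point.

```python
import os
import struct
import tempfile
from datetime import datetime, timedelta
from pathlib import Path

# Locations named in the post, expressed relative to the root of a mounted
# image of the Windows volume.  %LocalAppData% and %Temp% both live under
# Users/<name>/AppData/Local; %ProgramData% is ProgramData.  Windows/Temp is
# added as the system-wide temp directory.
CANDIDATE_DIRS = ["Users/*/AppData/Local", "ProgramData", "Windows/Temp"]


def is_pe(path: Path) -> bool:
    """True when the file starts with the DOS 'MZ' stub and the e_lfanew
    pointer at offset 0x3C leads to a 'PE\\0\\0' signature."""
    try:
        with path.open("rb") as f:
            head = f.read(64)
            if len(head) < 64 or head[:2] != b"MZ":
                return False
            (e_lfanew,) = struct.unpack_from("<I", head, 0x3C)
            f.seek(e_lfanew)
            return f.read(4) == b"PE\x00\x00"
    except OSError:
        return False


def scan_image(root: Path, attack_time: datetime, window: timedelta):
    """Return image-relative paths of PE files under the candidate
    directories whose mtime lies within +/- window of attack_time."""
    root = Path(root)
    lo, hi = attack_time - window, attack_time + window
    hits = set()
    for pattern in CANDIDATE_DIRS:
        for base in root.glob(pattern):
            if not base.is_dir():
                continue
            for p in base.rglob("*"):
                if not p.is_file():
                    continue
                mtime = datetime.fromtimestamp(p.stat().st_mtime)
                if lo <= mtime <= hi and is_pe(p):
                    hits.add(p.relative_to(root).as_posix())
    return sorted(hits)


# --- constructed sample volume (not a real image) -------------------------

def build_sample_image(tmp: Path, attack_time: datetime) -> Path:
    """Fake volume: one PE modified at the attack time, one PE a week older,
    and a non-PE text file at the attack time.  Names are made up."""
    pe = bytearray(0x100)
    pe[:2] = b"MZ"
    struct.pack_into("<I", pe, 0x3C, 0x80)
    pe[0x80:0x84] = b"PE\x00\x00"
    files = {
        "Users/user1/AppData/Local/Temp/suspect_sample.exe": (bytes(pe), attack_time),
        "Users/user1/AppData/Local/old_sample.exe": (bytes(pe), attack_time - timedelta(days=7)),
        "ProgramData/notes.txt": (b"plain text, not a PE", attack_time),
    }
    for rel, (content, when) in files.items():
        p = tmp / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(content)
        os.utime(p, (when.timestamp(), when.timestamp()))
    return tmp


def demo():
    attack = datetime(2015, 3, 18, 13, 30)   # time reported in the first post
    with tempfile.TemporaryDirectory() as d:
        root = build_sample_image(Path(d), attack)
        return scan_image(root, attack, timedelta(hours=2))


if __name__ == "__main__":
    print(demo())
```

Only the PE modified inside the window is reported; the older executable and the text file are not. Because ransomware often deletes its own binary (as the topic starter notes), an empty result is still useful: the same mtime window can then be applied to the whole volume to find the first files renamed, which narrows the time the sample ran.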


#9 ipunis (Topic Starter)

Posted 25 March 2015 - 02:02 AM

Windows 7 x64. I tried to find something suspicious but didn't find anything.

Ivo



#10 alex_kolarski

Posted 25 March 2015 - 03:59 AM

Hi ipunis,

I have a friend who got the ransom and I tried to decrypt it, but I don't have a backup file (the file from before the virus).

If you have before & after encryption files, that would be awesome to determine the type of encryption and ways to decrypt it.

Best regards



#11 ipunis (Topic Starter)

Posted 25 March 2015 - 10:00 AM

Hi alex_kolarski,

I have it. There is a link in your PM where you can get it.

Thank you for replying.

Ivo



#12 ipunis (Topic Starter)

Posted 26 March 2015 - 03:43 PM

Did you look at your private messages?



#13 alex_kolarski

Posted 27 March 2015 - 09:03 AM

Yes, thanks! I'm still struggling to find out the type of encryption. What I found is that my files and yours start with the same bits (signature). I was wondering if those 4 bits appended at the end of the file are the key to the encryption. Tried some XOR decryption with those 4 bits as key - no luck there. Now I got some more help from friends, and we are now searching for the executable that encrypted the files in the first place, to try to decompile it and reverse engineer the encryption that way. But we still could not lay hands on the encryption executable.

If we do, we are planning to run a Virtual Machine and infect the machine to see exactly how the virus behaves :)


Edited by alex_kolarski, 27 March 2015 - 09:06 AM.
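The known-plaintext check described in this post, as an added example that is neither the poster's script nor anything from the thread: with a before/after pair, XOR the clean and encrypted copies over the 30000 encrypted bytes to recover what the keystream would be if the cipher were XOR-based, then look for a short repeating period and compare the first bytes against the 4 appended bytes. It generalises the "try the 4 bytes as an XOR key" attempt to any key length up to 64. Two sample pairs are constructed here: one encrypted with a repeating 4-byte XOR (where the method succeeds) and one with random bytes standing in for a real stream or block cipher (where, as in the post, it finds nothing). Neither is a real file from the thread.

```python
import os

PREFIX_LEN = 30000   # bytes reported as encrypted at the start of each file
TRAILER_LEN = 4      # bytes reported as appended after the real end of file


def keystream(plain: bytes, cipher: bytes, n: int = PREFIX_LEN) -> bytes:
    """Known-plaintext step: XOR the clean and encrypted copies.  If the
    cipher were XOR-based, this is the keystream it used."""
    return bytes(p ^ c for p, c in zip(plain[:n], cipher[:n]))


def find_period(ks: bytes, max_period: int = 64, threshold: float = 0.98):
    """Smallest shift p for which almost every byte equals the byte p
    positions later.  A repeating XOR key of length p shows up here; a
    proper stream or block cipher gives no period at all (None)."""
    for p in range(1, max_period + 1):
        n = len(ks) - p
        matches = sum(1 for i in range(n) if ks[i] == ks[i + p])
        if matches / n >= threshold:
            return p
    return None


def analyze_pair(plain: bytes, cipher: bytes) -> dict:
    """Summarise what a before/after pair says about the cipher."""
    ks = keystream(plain, cipher)
    trailer = cipher[-TRAILER_LEN:]
    return {
        "period": find_period(ks),
        "trailer_is_xor_key": ks[:TRAILER_LEN] == trailer,
        "trailer_hex": trailer.hex(),
    }


# --- constructed sample pairs (not the thread's files) --------------------

def _xor_repeat(data: bytes, key: bytes) -> bytes:
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def sample_plaintext() -> bytes:
    """Varied, deterministic content standing in for a DBF/JPG/DOCX body."""
    return (bytes(range(256)) * 200)[:PREFIX_LEN + 5000]


def pair_repeating_xor():
    """The hypothesis from the post: the 4 appended bytes are a repeating XOR key."""
    plain = sample_plaintext()
    key = b"\xde\xad\xbe\xef"                      # constructed key
    cipher = _xor_repeat(plain[:PREFIX_LEN], key) + plain[PREFIX_LEN:] + key
    return plain, cipher


def pair_real_cipher_like():
    """What a real stream/block cipher looks like from the outside: the
    recovered 'keystream' is random and the trailer matches nothing."""
    plain = sample_plaintext()
    cipher = os.urandom(PREFIX_LEN) + plain[PREFIX_LEN:] + os.urandom(TRAILER_LEN)
    return plain, cipher


if __name__ == "__main__":
    print("repeating XOR:", analyze_pair(*pair_repeating_xor()))
    print("cipher-like:  ", analyze_pair(*pair_real_cipher_like()))
```

A period of 4 with a matching trailer would have confirmed the hypothesis; `None` on a real pair means the keystream does not repeat, which rules out a short repeating XOR key and points to a proper cipher, so the key cannot be read off the file and decryption needs the sample or the author's keys, as the later posts conclude.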


#14 quietman7, Bleepin' Janitor (Global Moderator)

Posted 27 March 2015 - 10:26 AM

Based on some of the comments here, this ransomware appears to be similar to the one reported in this topic.

#15 alex_kolarski

Posted 27 March 2015 - 10:54 AM

Thank you very much. They have uploaded a decrypter program that will require some keys etc., but that is a huge benefit to understanding what encryption this is and how it works!!





