
Infected with Bit Cryptor virus


22 replies to this topic

#1 soreilly (Member, 23 posts, South East, UK)

Posted 12 May 2015 - 07:21 AM

Good Morning,

Until this morning my main PC (Windows 7 x64) has not exhibited any issues. I woke up this morning and logged on to find the "Bit Cryptor" virus running and all files on my PC and NAS(!) encrypted.

I've got some files backed up from my NAS to a USB drive, and those on the USB drive do not appear to be encrypted; however, the backup is around 3-4 weeks old (not a major issue).

The "Bit Cryptor" program has a countdown clock (61 hrs left at time of posting) and is requesting payment of 1 bitcoin.

Screenshot attached here:

Capture.jpg

Help,

Thanks.

Stuart.




#2 quietman7 (Bleepin' Janitor, Global Moderator, 51,749 posts, Virginia, USA)

Posted 12 May 2015 - 08:27 AM

The BC staff have advised our Security Colleagues who specialize in crypto-malware ransomware, with a link to this topic.

Please submit a sample of an encrypted file here: http://www.bleepingcomputer.com/submit-malware.php?channel=3
with a link to this topic.

You can also submit samples of suspicious executables or any malware files that you suspect were involved in causing the infection. Doing that will be helpful for analyzing and investigating.

These are common locations where malicious executables may be found:
%Temp%
C:\<random>\<random>.exe
%AppData%
%LocalAppData%
%ProgramData%
%WinDir%
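As an added example for this thread (not a BleepingComputer tool and not code from any poster), the following PowerShell script sweeps the folders listed above for recently written executables and prints their timestamp, Authenticode status, size and SHA-256, so the candidate sample can be identified and hashed before it is submitted. It is written against the PowerShell 2.0 that ships with Windows 7, which is why the hash comes from .NET rather than Get-FileHash. The 7-day window, the extension list and the 50 MB hashing limit are assumptions, not values from the post.

```powershell
# Sweep the folders quietman7 lists for recently written executables so the
# candidate sample can be found and hashed before submission.
# Added example for this thread, not a BleepingComputer tool. Written for
# PowerShell 2.0 (Windows 7 default), so SHA-256 is computed via .NET.
# The 7-day window, extension list and size limit are assumptions.
param([int]$Days = 7)

$cutoff   = (Get-Date).AddDays(-$Days)
$sha256   = [System.Security.Cryptography.SHA256]::Create()
$maxBytes = 50MB    # very large binaries are listed but not hashed

# %Temp%, %AppData%, %LocalAppData%, %ProgramData%, %WinDir% from the post ...
$roots = @($env:TEMP, $env:APPDATA, $env:LOCALAPPDATA, $env:ProgramData, $env:windir)
# ... plus the C:\<random>\<random>.exe pattern: one level under any top-level
# folder that is not already one of the roots above.
$topLevel = Get-ChildItem -Path 'C:\' -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.PSIsContainer -and ($roots -notcontains $_.FullName) } |
    ForEach-Object { $_.FullName }

$results = @()
foreach ($root in ($roots + $topLevel)) {
    if (-not $root -or -not (Test-Path -LiteralPath $root)) { continue }
    if ($roots -contains $root) {
        # Named roots: walk them fully.
        $files = Get-ChildItem -Path $root -Recurse -Force -Include *.exe,*.dll,*.scr -ErrorAction SilentlyContinue
    } else {
        # C:\<random>\: only look one level down for an .exe.
        $files = Get-ChildItem -Path $root -Force -Filter *.exe -ErrorAction SilentlyContinue
    }
    foreach ($f in $files) {
        if ($f.PSIsContainer -or $f.LastWriteTime -lt $cutoff) { continue }

        $hash = 'skipped'
        if ($f.Length -le $maxBytes) {
            try {
                $bytes = [System.IO.File]::ReadAllBytes($f.FullName)
                $hash  = [System.BitConverter]::ToString($sha256.ComputeHash($bytes)).Replace('-', '')
            } catch { $hash = 'unreadable' }
        }

        # 'NotSigned' in AppData or Temp is the usual profile for a dropped sample.
        $sigStatus = 'n/a'
        $sig = Get-AuthenticodeSignature -FilePath $f.FullName -ErrorAction SilentlyContinue
        if ($sig) { $sigStatus = [string]$sig.Status }

        $results += New-Object PSObject -Property @{
            Modified  = $f.LastWriteTime
            Signature = $sigStatus
            SizeKB    = [math]::Round($f.Length / 1KB, 1)
            Path      = $f.FullName
            SHA256    = $hash
        }
    }
}

$results | Sort-Object Modified -Descending |
    Format-Table Modified, Signature, SizeKB, Path, SHA256 -AutoSize
```

Run it from an elevated PowerShell prompt (for example `.\sweep.ps1 -Days 3` to narrow the window to the day of infection). Unsigned binaries under the user profile with a write time matching the start of the encryption are the ones worth uploading; the SHA-256 column lets the analysts match what you submit against what they already have.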

#3 Grinler (Lawrence Abrams, Admin, 43,639 posts, USA)

Posted 12 May 2015 - 08:36 AM

Thanks... we are trying to track down the sample. If you can, please submit the malware file to http://www.bleepingcomputer.com/submit-malware.php?channel=3

#4 White Hat Mike (Member, 312 posts, Location: ::1)

Posted 12 May 2015 - 12:52 PM

Interesting...  in for a sample.


Information Security Engineer | Penetration Tester | Forensic Analyst

CipherTechs.com


#5 soreilly (Topic Starter, Member, 23 posts, South East, UK)

Posted 12 May 2015 - 12:55 PM

Afternoon Guys,

Sample file (Excel spreadsheet) has been uploaded. If I can find any suspect executable files I'll upload them as well.

Edit: Have also managed to find the .exe believed to be responsible - bclock.exe - and have uploaded it.

Regards,

S.


Edited by soreilly, 12 May 2015 - 01:22 PM.


#6 White Hat Mike (Member, 312 posts, Location: ::1)

Posted 12 May 2015 - 12:57 PM

soreilly wrote:

    Sample file (Excel spreadsheet) has been uploaded. If I can find any suspect executable files I'll upload them as well.

It looks like you can minimize the window displaying the ransom note. Is that so? If so, please press ALT+TAB to minimize the ransom window.

Then press CTRL+ALT+DELETE and launch Task Manager. Look for the process that is running and showing the ransom note, and trace it back to the executable; although this may simply be a decryption program rather than the program that performed the encryption, it's worth a shot.




#7 soreilly (Topic Starter, Member, 23 posts, South East, UK)

Posted 12 May 2015 - 01:01 PM

Hi Mike,

The minimize button on the ransom window is greyed out. Only the maximise and close buttons are available.

Tried accessing Task Manager but no go. When I select Task Manager I see the window briefly pop up before some process in the background closes it.

Regards,

S.



#8 Ahmed90 (Member, 2 posts)

Posted 12 May 2015 - 01:12 PM

Hello,

I got hit by this thingy yesterday; it blocks CMD, Task Manager, etc.

But I had Process Lasso and was able to find and disable it, i.e. kill the process, then Shift+Delete the sucker.

It was called bclock.exe in C:\Users\[MyUserName]\AppData\Roaming\Microsoft

with 2 files (no extensions): the encrypted-files list in txt format, and something called sfile (not sure if it's related to the thingy). It was INI format with a [settings] section and a fingerprint= entry with some long key in it.

Too bad I don't have the files anymore since I just formatted the PC, but I still have many encrypted files on other drives if needed.



#9 soreilly (Topic Starter, Member, 23 posts, South East, UK)

Posted 12 May 2015 - 01:18 PM

Hi Ahmed,

Thanks for that. Just found bclock.exe in C:\Users\<Username>\AppData\Roaming\Microsoft\Windows

Also have the filelist.locklst file which contains a list of all files encrypted.

Finally I have the sfile which contains the following:

[settings]
fingerprint=C7B3-2436-4E33-218A-E5EA-9075-918C-76FC

Regards,

S.


#10 White Hat Mike (Member, 312 posts, Location: ::1)

Posted 12 May 2015 - 01:34 PM

Edit -- I actually think bclock.exe may be a legitimate Windows executable...  someone else can confirm.


Edited by White Hat Mike, 12 May 2015 - 01:36 PM.



#11 Ahmed90 (Member, 2 posts)

Posted 12 May 2015 - 01:34 PM

I suspect that sfile has something to do with the encryption. One thing for sure: it's not smartly coded; it can be terminated and deleted with a few clicks.

Too bad it's too late for my files :/



#12 soreilly (Topic Starter, Member, 23 posts, South East, UK)

Posted 12 May 2015 - 01:40 PM

White Hat Mike wrote:

    Edit -- I actually think bclock.exe may be a legitimate Windows executable... someone else can confirm.

Hi Mike,

Don't have an account on Mega but have uploaded it to my server and renamed it to bclock.exe.bak

Link removed.

Regards,

S.


Edited by soreilly, 12 May 2015 - 01:41 PM.


#13 White Hat Mike (Member, 312 posts, Location: ::1)

Posted 12 May 2015 - 01:47 PM

Got it.  Definitely malicious; guess that answers my prior question.  Taking a quick look at it.




#14 soreilly (Topic Starter, Member, 23 posts, South East, UK)

Posted 12 May 2015 - 01:50 PM

These are the file properties for the bclock.exe file:

FileProperties.jpg

FileProperties2.jpg



#15 Nathan (DecrypterFixer, Security Colleague, 1,617 posts, Florida)

Posted 12 May 2015 - 02:15 PM

Quick BitCryptor Analysis:

BitCryptor comes from the "CoinVault Family", and is exactly the same except for a newly added email function that not only grabs all your contacts and sends them to the server, it also grabs your conversation.

BitCryptor is encrypted with a custom XOR key, and then packed into a RunPE (SHIELD) injector. After stripping these layers of protection, all that remains is the old .NET CoinVault code that we have been so familiar with.

BitCryptor uses AES 256, and is unbreakable. The key and IV are made client side, and sent to the server. Because of this, the only way to decrypt the files is access to the server to grab the keys.

Creates 2 files:

sfile - Settings file with your PC fingerprint to send to the server to get info.

filelist.locklst - List of files and a boolean for whether they have been encrypted.

BitCryptor will remove all shadow copies on first run and attach itself to startup in the registry.

CryptoMonitor already blocks this ransomware without any updates:


Have you performed a routine backup today?
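The behaviour Nathan describes (a registry autostart entry, shadow copies wiped, the sfile and filelist.locklst artefacts dropped next to bclock.exe) is something a responder can check for directly. The script below is an added example for this thread; it is not code from CryptoMonitor, BleepingComputer or any poster. It assumes the autostart lives in the usual HKCU/HKLM Run and RunOnce keys (the post does not name the key), that the artefacts sit in %APPDATA%\Microsoft\Windows as reported in post #9, and that you already have a working elevated shell (Safe Mode, or another account), since the live sample closes Task Manager.

```powershell
# Persistence, artefact and recovery check for the BitCryptor behaviour
# described in the thread. Added example, not a CryptoMonitor or BleepingComputer
# tool. Assumptions: Run/RunOnce are the autostart keys (the post names none);
# artefacts are in %APPDATA%\Microsoft\Windows (post #9); run elevated, from a
# shell the malware is not killing (e.g. Safe Mode).

$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
# Get-ItemProperty adds these provider properties; they are not registry values.
$providerProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')
# Autostart commands that point into a user-writable folder deserve a second look.
$userWritable = @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP, $env:ProgramData, $env:USERPROFILE)

"== Autostart entries pointing into user-writable paths =="
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($providerProps -contains $p.Name) { continue }
        $cmd = [string]$p.Value
        foreach ($dir in $userWritable) {
            if ($dir -and $cmd -like "*$dir*") {
                "{0}\{1} = {2}" -f $key, $p.Name, $cmd
                break
            }
        }
    }
}

"== Known artefacts =="
$artefactDir = Join-Path $env:APPDATA 'Microsoft\Windows'
foreach ($name in 'bclock.exe', 'sfile', 'filelist.locklst') {
    $path = Join-Path $artefactDir $name
    if (Test-Path -LiteralPath $path) {
        $item = Get-Item -LiteralPath $path -Force
        "{0}  {1} bytes  modified {2}" -f $path, $item.Length, $item.LastWriteTime
        if ($name -eq 'sfile') {
            # sfile is INI text ([settings] / fingerprint=...); the fingerprint is
            # what the analysts will want alongside the sample submission.
            Get-Content -LiteralPath $path | Where-Object { $_ -match '^\s*fingerprint\s*=' }
        }
    } else {
        "$path  (not present)"
    }
}

"== Running processes loaded from the artefact folder =="
Get-Process -ErrorAction SilentlyContinue |
    Where-Object { $_.Path -and ($_.Path -like (Join-Path $artefactDir '*')) } |
    Select-Object Id, ProcessName, Path | Format-Table -AutoSize

"== Volume Shadow Copies (an empty list after the malware ran means nothing to restore from) =="
& vssadmin.exe list shadows
```

The Run-key loop deliberately flags any autostart command under the profile or ProgramData rather than matching on the name bclock.exe, because the file name is the one thing the next variant is most likely to change. If `vssadmin list shadows` reports no shadow copies, Previous Versions will not help and the USB backup mentioned in post #1 is the realistic recovery path.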



