Simplelocker


6 replies to this topic

#1 sage19 (Members, 23 posts)

Posted 29 May 2015 - 06:20 AM

Have a customer that brought in a phone that I thought was locked by a standard phone ransomware virus. It said the usual crap; removed it through the normal methods: safe boot, change device administrator, remove the infected porn player app and the apk they downloaded that infected them.
Appeared to be a Simplelocker ransomware from the best I could see, which threatens to encrypt your files but doesn't. However, when I examined the user's phone from a PC, I noticed that some of the files had been renamed with a .locked extension, and that renaming the files revealed that they were damaged / encrypted.
Customer isn't worried about the few photos that were damaged and we got the phone cleaned and working again, but wanted to see if there is a way to decrypt or repair files in this case. I kept a copy of the apk in case it was of any interest to anyone to examine, and a sample of the encrypted files.
I did see that ESET had a Simplelocker decryptor, but the tool didn't see his files as being encrypted.
Again, no real need to get the files decrypted; it's just that at the shop where I work we've been seeing a number of crypto infections and variants, and I consider it a win anytime I can recover anything. Tired of having to tell customers that their entire digital collection is forever lost to these damned bugs...

Edited by boopme, 29 May 2015 - 11:33 AM.
Moved to General Security



#2 quietman7 (Bleepin' Janitor, Global Moderator, 51,476 posts)

Posted 29 May 2015 - 01:45 PM

These are the more common file extensions appended to files encrypted by ransomware: .ecc, .ezz, .exx, .CTBL, .CTB2, .XTBL, .encrypted, .vault, .HA3, or a 6-7 character extension consisting of random characters. I don't recall any with the .locked extension, so you could be dealing with something new.

I have advised our Security Colleagues who specialize in crypto malware ransomware with a link to this topic.

Samples of any encrypted or malware files that you suspect were involved in causing the infection can be submitted here with a link to this topic: http://www.bleepingcomputer.com/submit-malware.php?channel=3

#3 Sintharius (Bleepin' Sniper, Members, 5,639 posts)

Posted 29 May 2015 - 01:47 PM

quietman7, this is crypto ransomware on a phone - not a PC. I don't know if our ransomware specialists work on phone ransomware though.

#4 quietman7 (Bleepin' Janitor, Global Moderator)

Posted 29 May 2015 - 01:53 PM

Still needs to be reported.

#5 Grinler (Lawrence Abrams, Admin, 43,593 posts)

Posted 29 May 2015 - 02:16 PM

You can submit the apk to http://www.bleepingcomputer.com/submit-malware.php?channel=3

Also do you have any copies of encrypted files and their unencrypted counterparts? Having the same file in both encrypted and unencrypted form makes it easier to rule out certain encryptions.

Thanks
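Grinler's request for a file in both encrypted and unencrypted form is the analyst's known-plaintext check. As an added example (not part of the thread and not a BleepingComputer or ESET tool), this script takes such a pair and reports what the size change, the ciphertext entropy and a byte-wise XOR of the two suggest; the sample "photo" bytes and the key `k3y!` are constructed for the demo.

```python
import math
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: real ciphertext sits near 8.0, a JPEG or MP4 somewhat lower."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def size_delta_hint(plain_len: int, cipher_len: int) -> str:
    """Interpret how the file length changed between the original and its .lock copy."""
    delta = cipher_len - plain_len
    if delta == 0:
        return "same length: stream cipher, CTR mode or plain XOR (no padding or header)"
    if 1 <= delta <= 16 and cipher_len % 16 == 0:
        return "grown to a 16-byte multiple: fits a 128-bit block cipher with PKCS#7 padding"
    if delta > 16:
        return f"{delta} extra bytes: likely a header or footer (IV, key blob, marker) around the data"
    return "shrunk or odd delta: not a straightforward encryption of the whole file"


def repeating_xor_key(plain: bytes, cipher: bytes, max_period: int = 64):
    """Return the key if cipher is plain XOR-ed with a short repeating key, else None."""
    n = min(len(plain), len(cipher))
    stream = bytes(p ^ c for p, c in zip(plain[:n], cipher[:n]))
    for period in range(1, min(max_period, n // 2) + 1):
        if all(stream[i] == stream[i % period] for i in range(n)):
            return stream[:period]
    return None


def triage(plain: bytes, cipher: bytes) -> dict:
    """Summarise what a known-plaintext pair says about the encryption used."""
    return {
        "size_hint": size_delta_hint(len(plain), len(cipher)),
        "cipher_entropy": round(shannon_entropy(cipher), 2),
        "repeating_xor_key": repeating_xor_key(plain, cipher),
    }


# Constructed sample: a fake JPEG-like original and a .lock copy XOR-ed with the key b"k3y!".
SAMPLE_PLAIN = b"\xff\xd8\xff\xe0JFIF constructed photo payload " * 8
SAMPLE_KEY = b"k3y!"
SAMPLE_LOCK = bytes(b ^ SAMPLE_KEY[i % 4] for i, b in enumerate(SAMPLE_PLAIN))

if __name__ == "__main__":
    print(triage(SAMPLE_PLAIN, SAMPLE_LOCK))
```

A recovered repeating key means the whole folder can be restored without the malware's help; a None result with near-8.0 entropy and a 16-byte-aligned growth points at a real block cipher, where only the author's key or a vendor decryptor will do.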

#6 sage19 (Topic Starter, Members)

Posted 29 May 2015 - 10:06 PM

I have encrypted copies but not unencrypted. Also have the original apk.

A correction I have to make, though: the modified extension was .lock, not .locked as I first said; I was going from memory.

The file types modified that I saw were jpg and mp4 files, both of which I think were taken by the camera on the Android phone.

Just tried to submit the files, but the first time it gave me an error about the file size having to be under 5 MB. Will submit again, but that only leaves me sending the apk and 2 images. I have two 100 MB+ videos and 6 locked images. Will send more samples if requested.



#7 sage19 (Topic Starter)

Posted 29 May 2015 - 10:15 PM

https://www.virustotal.com/en/file/25edd94ecdd7b1bce783af1c0acfda9ce752f7526c5b1ffe72923537e6194dd4/analysis/1432955352/


Here is a link to the VirusTotal analysis. Yesterday it only came up with 2 hits, today 5. Seems to call it a variant of Svpeng, not Simplelocker like it first looked to me.
