
.LOL! (.OMG!) Ransomware Support & Help Topic


82 replies to this topic

#1 adikbum


Posted 30 June 2015 - 10:36 PM

Dear All 
 
I need your help: all my documents on the file server have become *.LOL! and a file "how to get data.txt" is automatically created. I need help urgently.
 
JOKE
Hello boys and girls! Welcome to our high school "GPCODE"! 
If you are reading this text (read this very carefully, if you can read), this means that you have missed a lesson about safety and YOUR PC HACKED !!! Dont worry guys - our school specially for you! The best teachers have the best recommendations in the world! Feedback from our students, you can read here:
1)http://forum.kaspersky.com.2)http://forum.eset.com 3)http://forum.drweb.com 4)   www.forospyware.com As you see- we trust their training,only we have spesial equipment(cryptor.exe and decryptor.exe). Only here you will get an unforgettable knowledge!
The lesson costs not expensive. Calculate the time and money you spend on recovery. Time is very expensive, almost priceless.We think that it is cheaper to pay for the lesson and never repeat the mistakes.We guarantee delivery of educational benefits(decryptor.exe). First part(cryptor.exe) you have received :-)
                       SERIOUSLY
Your important files (photos, videos, documents, archives, databases, backups, etc.) which were crypted with the strongest military cipher RSA1024 and AES.No one can`t help you to restore files without our decoder. Photorec, RannohDecryptor etc repair tools are useless and can destroy your files irreversibly.
If you want to restore files - send e-mail to  gpcode@mail2tor.com     with the file "how to get data.txt" and 1-2 encrypted files less than 2 MB. PLEASE USE public mail like yahoo or gmail.
You will receive decrypted samples and our conditions how you`ll get the decoder. Follow the instructions to send payment.
P.S. Remember, we are not scammers. We don`t need your files. After one month all your files and keys will be deleted.Oops!Just send a request immediately after infection. All data will be restored absolutelly. Your warranty - decrypted samples and positive feedbacks from previous users.
 
 


#2 adikbum


Posted 01 July 2015 - 09:36 PM

Can anyone help me?



#3 quietman7

    Bleepin' Janitor

  • Global Moderator

Posted 04 July 2015 - 02:52 PM


The BC staff has advised our Security Colleagues who specialize in crypto malware ransomware with a link to this topic.

Please submit a sample of an encrypted file here with a link to this topic: http://www.bleepingcomputer.com/submit-malware.php?channel=3

You can also submit samples of suspicious executables or any malware files that you suspect were involved in causing the infection. Doing that will be helpful with analyzing and investigating.

These are common locations malicious executables related to ransomware infections may be found:
%Temp%
C:\<random>\<random>.exe
%AppData%
%LocalAppData%
%ProgramData%
%WinDir%
Microsoft MVP Consumer Security 2007-2015
Microsoft MVP Reconnect 2016
Windows Insider MVP 2017
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#4 Grinler

    Lawrence Abrams

  • Admin

Posted 04 July 2015 - 05:14 PM

Do you know how the server became infected? Any samples of the malware if you do? If so, please submit to http://www.bleepingcomputer.com/submit-malware.php?channel=3

#5 dvcompt


Posted 18 July 2015 - 08:49 AM

Hello, I have the same problem.
Has anyone found a solution to decrypt those files?
 
Thanks for the reply, David


#6 Bavo90


Posted 06 September 2015 - 11:27 PM

I too am having this issue, almost all my files have been encrypted, including my network stored backups.

 

I have submitted a sample document.



#7 eric.wyckmans


Posted 24 September 2015 - 02:22 AM

Same problem here.

I was able to recover some files from a backup, but a separate backup file for other data was also infected.

The problem started September 22nd last at 9:41am.

It seems to be a variant of gpcode.ak which changed all Office files, PDFs etc. to .OMG!

I'll upload some good and encrypted files and I hope someone will find a solution to this.
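
Added example, not part of any post in this thread: a read-only Python sketch that scopes the damage on a share using the two indicators posters report here (the `.LOL!`/`.OMG!` extensions and the `how to get data.txt` note) and finds the oldest encrypted file as a rough start time. The sample tree, its file names and timestamps are constructed; `scope_damage` and `build_sample` are hypothetical names.

```python
import os
import tempfile
from collections import defaultdict

# Indicators reported in this thread; names are matched case-insensitively.
ENCRYPTED_SUFFIXES = (".lol!", ".omg!")
NOTE_NAME = "how to get data.txt"

def scope_damage(root):
    """Summarise per directory: encrypted files, untouched files, note present."""
    per_dir = defaultdict(lambda: {"encrypted": 0, "intact": 0, "note": False})
    earliest = None  # (mtime, path) of the oldest encrypted file found
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            lower = name.lower()
            if lower == NOTE_NAME:
                per_dir[dirpath]["note"] = True
            elif lower.endswith(ENCRYPTED_SUFFIXES):
                per_dir[dirpath]["encrypted"] += 1
                path = os.path.join(dirpath, name)
                try:
                    mtime = os.stat(path).st_mtime
                except OSError:
                    continue  # still counted, but no usable timestamp
                if earliest is None or mtime < earliest[0]:
                    earliest = (mtime, path)
            else:
                per_dir[dirpath]["intact"] += 1
    return dict(per_dir), earliest

def build_sample(root):
    """Constructed sample tree (hypothetical names) standing in for a share."""
    layout = {"finance/q3.xlsx.LOL!": 1443000000, "finance/how to get data.txt": 1443000100,
              "hr/cv.pdf.OMG!": 1442900460, "hr/notes.txt": 1440000000}
    for rel, mtime in layout.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(b"constructed sample data")
        os.utime(path, (mtime, mtime))

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as share:
        build_sample(share)
        summary, first = scope_damage(share)
        for folder, stats in sorted(summary.items()):
            print(folder, stats)
        print("earliest encrypted file:", first)
```

The oldest modification time is only an estimate of when encryption began; compare it with server logon and file-audit logs to narrow down the originating account.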



#8 White Hat Mike


Posted 24 September 2015 - 01:46 PM

If you have the sample -- the payload file (exe file) that delivers the malware -- I will analyze it for you if you upload it to Mega and PM me the link.

 

Common places to look for this file:

 

%Temp%

%LocalAppData%

%AppData%\Roaming

%ProgramData%


Information Security Engineer | Penetration Tester | Forensic Analyst

CipherTechs.com


#9 eric.wyckmans


Posted 26 September 2015 - 05:13 AM

Hi Mike,

It's hard to determine the payload file. I have a lot of exe files, amongst them are wordpad.exe, system.exe, messenger.exe... apparently he used crypter Zeus by LeonDK.

I can upload all the exe files if you want.

Malwarebytes detected the following exes as being backdoor.poisonivy: msdn.exe, document.exe, iexplorer.exe

It also detected trojan agents: system.exe, ieplorer.exe, svchost.exe, system(1).exe, system(2).exe

Some of them are in a downloads folder and some are in the Application Data folder.

I also detected a Xenocode folder in local settings\application data... In the Xenocode folder there is a folder named Sandbox with subfolders microsoft security essentials, Google, MSDN, GMAI, gmail.com

Eric



#10 robinofsherwood


Posted 01 December 2015 - 06:00 AM

Hello,

Since yesterday I have had the same problem as adikbum. Could you please help me? I have the same problem as adikbum, and the same info as he does.

 

Thanks

Daniel



#11 Dukeboi


Posted 02 December 2015 - 12:09 PM

Same issue here. Can't seem to find a fix for the .lol!

#12 quietman7

    Bleepin' Janitor

  • Global Moderator

Posted 02 December 2015 - 02:36 PM

Fortunately this is not a widespread infection. Unfortunately, since it is not widespread there is very little information. The only reports I have seen are in this topic.

#13 VirusD


Posted 02 December 2015 - 05:53 PM

I too have some .LOL! files that have been encrypted. Some of the original file types were .ai, .bat, .xlsx, .pdf, .jpg, etc. Though I do have many before and after versions of the encrypted files, nothing seems to be able to decrypt them as of yet.

The same "how to get data.txt" file is left behind through all directories. I was able to find specifically which account it originated from and disabled the account, but cannot find any payload responsible.

 

The text file ends with:

...

P.S. Remember, we are not scammers. We don`t need your files. After one month all your files and keys will be deleted.Oops!Just send a request immediately after infection. All data will be restored absolutelly. Your warranty - decrypted samples and positive feedbacks from previous users.
 
 


#14 quietman7

    Bleepin' Janitor

  • Global Moderator

Posted 02 December 2015 - 06:38 PM

This ransomware infection appears to be related to Symantec's description of OMG! Trojan.Ransomcrypt.G which uses the same “how to get data.txt” file with a P.S. Remember, we are not scammers... and string of random characters at the end.

#15 VirusD


Posted 03 December 2015 - 10:32 AM

What steps can the affected take to possibly decrypt the files without paying the ransom?





