
anyone know what ransomware this is?


31 replies to this topic

#1 sl00thy

sl00thy

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:St. Clair Shores
  • Local time:05:38 PM

Posted 10 July 2015 - 12:33 PM

I can't find anyone who was hit with ransomware - their screenshots were completely different.

 

It leaves an HTML file in every folder called DECRYPT_INSTRUCTION.HTML

 

 

In it, it lists this:

Your files were encrypted and locked with a RSA2048 key

To decrypt your files:
Download the Tor browser here and go to http://xxxxxx.onion within the browser.
Follow the instructions and you will receive the decrypter within 12 hours.
You have ten days to obtain the decrypter before the price to obtain the decrypter is doubled. Scheduled deletion of the private key from our server is after 30 days - leaving your files irrevocably broken.
Your ID is xxxxxxx

Guaranteed recovery is provided before scheduled deletion of private key on the day of 08/07/2015 09:49:29

The price to obtain the decrypter goes from 2BTC to 4BTC on the day of 07/18/2015 09:49:29

 

When you go to the page, it's this:

 

 

Instructions to unlock your files / data:

 

1. Download and install the Multibit application. This will give you your own Bitcoin-wallet address. You can find it under the "Request" tab. Paste this in the "Your BTC-address" field below.

2. Buy Bitcoins, (check DECRYPT_INSTRUCTION.HTML for correct amount based on date) and send it to your own Bitcoin-wallet address, they will show up in the Multibit app that you installed earlier. From there, hit the "Send" tab. Send the remaining BTC (bitcoin) to our Bitcoin-wallet address: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

Now submit the form below, only if you've actually sent the Bitcoins. Upon manual verification of the transaction you will receive the decrypter through email within 12 hours. ALL of your files/data will then be unlocked and decrypted automatically.
Do NOT move files around or try to temper them in any way, because the decrypter will not work anymore.

Please remember this is the only way to ever regain access to your files again! If payment is not received within ten days (check DECRYPT_INSTRUCTION.HTML for date) the price for the decrypter is doubled. Scheduled deletion of the key is after 30 days, we will not be able to recover files after this.

Your BTC-address: Your ID: Your Email:  

 

 

Our backup was horrible, so we paid the ransom over 24 hours ago and still received nothing :*(


Edited by sl00thy, 10 July 2015 - 12:34 PM.



#2 Sintharius

Sintharius

    Bleepin' Sniper


  • Members
  • 5,639 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:The Netherlands
  • Local time:10:38 PM

Posted 10 July 2015 - 12:42 PM

Hi there,

Are you sure DECRYPT_INSTRUCTION is the correct name of the ransom note? Because older variants of CryptoWall used that name, but they explicitly mentioned that it is CW. And currently both variants are no longer in the wild.

Can you take a screenshot of the ransom screen (if it is still there)?

#3 sl00thy

sl00thy
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:St. Clair Shores
  • Local time:05:38 PM

Posted 10 July 2015 - 12:47 PM

There was no screen that I was aware of, just HTML files in every folder it scanned (mapped network drives).



#4 sl00thy

sl00thy
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:St. Clair Shores
  • Local time:05:38 PM

Posted 10 July 2015 - 12:51 PM

Untitled.jpg



#5 sl00thy

sl00thy
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:St. Clair Shores
  • Local time:05:38 PM

Posted 10 July 2015 - 01:10 PM

Is there any type of scanner that will detect what it actually is?



#6 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,394 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:04:38 PM

Posted 10 July 2015 - 02:14 PM

Looking at it now... stay tuned. Looks like AES encryption via a PowerShell script and a hard-coded public key. Only the ransomware dev knows the private key, unfortunately.

#7 sl00thy

sl00thy
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:St. Clair Shores
  • Local time:05:38 PM

Posted 10 July 2015 - 02:17 PM

Well, I mean what kind of ransomware is it? Maybe I'm using the wrong term... I called her and she said there was nothing that popped up, but it could be because we caught it before it finished? It nailed our mapped network drives but didn't get to her drive yet.



#8 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,394 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:04:38 PM

Posted 10 July 2015 - 02:32 PM

It's not very sophisticated. It uses a PowerShell script to look through all the files on your drives that match the extensions listed below. Once a file is detected, it encrypts the first 41870 bytes of the file using AES. There is no name for it. DECRYPT_INSTRUCTION.html is created in every folder where an encrypted file is found.

"*.doc","*.xls","*.docx","*.xlsx","*.mp3","*.waw","*.jpg","*.jpeg","*.txt","*.rtf","*.pdf","*.rar","*.zip","*.psd","*.tif","*.wma","*.gif","*.bmp","*.ppt","*.pptx","*.docm","*.xlsm","*.pps","*.ppsx","*.ppd","*.eps","*.png","*.ace","*.djvu","*.tar","*.cdr","*.max","*.wmv","*.avi","*.wav","*.mp4","*.pdd","*.php","*.aac","*.ac3","*.amf","*.amr","*.dwg","*.dxf","*.accdb","*.mod","*.tax2013","*.tax2014","*.oga","*.ogg","*.pbf","*.ra","*.raw","*.saf","*.val","*.wave","*.wow","*.wpk","*.3g2","*.3gp","*.3gp2","*.3mm","*.amx","*.avs","*.bik","*.dir","*.divx","*.dvx","*.evo","*.flv","*.qtq","*.tch","*.rts","*.rum","*.rv","*.scn","*.srt","*.stx","*.svi","*.swf","*.trp","*.vdo","*.wm","*.wmd","*.wmmp","*.wmx","*.wvx","*.xvid","*.3d","*.3d4","*.3df8","*.pbs","*.adi","*.ais","*.amu","*.arr","*.bmc","*.bmf","*.cag","*.cam","*.dng","*.ink","*.jif","*.jiff","*.jpc","*.jpf","*.jpw","*.mag","*.mic","*.mip","*.msp","*.nav","*.ncd","*.odc","*.odi","*.opf","*.qif","*.qtiq","*.srf","*.xwd","*.abw","*.act","*.adt","*.aim","*.ans","*.asc","*.ase","*.bdp","*.bdr","*.bib","*.boc","*.crd","*.diz","*.dot","*.dotm","*.dotx","*.dvi","*.dxe","*.mlx","*.err","*.euc","*.faq","*.fdr","*.fds","*.gthr","*.idx","*.kwd","*.lp2","*.ltr","*.man","*.mbox","*.msg","*.nfo","*.now","*.odm","*.oft","*.pwi","*.rng","*.rtx","*.run","*.ssa","*.text","*.unx","*.wbk","*.wsh","*.7z","*.arc","*.ari","*.arj","*.car","*.cbr","*.cbz","*.gz","*.gzig","*.jgz","*.pak","*.pcv","*.puz","*.r00","*.r01","*.r02","*.r03","*.rev","*.sdn","*.sen","*.sfs","*.sfx","*.sh","*.shar","*.shr","*.sqx","*.tbz2","*.tg","*.tlz","*.vsi","*.wad","*.war","*.xpi","*.z02","*.z04","*.zap","*.zipx","*.zoo","*.ipa","*.isu","*.jar","*.js","*.udf","*.adr","*.ap","*.aro","*.asa","*.ascx","*.ashx","*.asmx","*.asp","*.indd","*.asr","*.qbb","*.bml","*.cer","*.cms","*.crt","*.dap","*.htm","*.moz","*.svr","*.url","*.wdgt","*.abk","*.bic","*.big","*.blp","*.bsp","*.cgf","*.chk","*.col","*.cty","*.dem","*.elf","*.ff","*.gam","*.grf","*.h3m","*.h4r","*.iwd","*.ldb","*.lgp","*.lvl","*.map","*.md3","*.mdl","*.mm6","*.mm7","*.mm8","*.nds","*.pbp","*.ppf","*.pwf","*.pxp","*.sad","*.sav","*.scm","*.scx","*.sdt","*.spr","*.sud","*.uax","*.umx","*.unr","*.uop","*.usa","*.usx","*.ut2","*.ut3","*.utc","*.utx","*.uvx","*.uxx","*.vmf","*.vtf","*.w3g","*.w3x","*.wtd","*.wtf","*.ccd","*.cd","*.cso","*.disk","*.dmg","*.dvd","*.fcd","*.flp","*.img","*.iso","*.isz","*.md0","*.md1","*.md2","*.mdf","*.mds","*.nrg","*.nri","*.vcd","*.vhd","*.snp","*.bkf","*.ade","*.adpb","*.dic","*.cch","*.ctt","*.dal","*.ddc","*.ddcx","*.dex","*.dif","*.dii","*.itdb","*.itl","*.kmz","*.lcd","*.lcf","*.mbx","*.mdn","*.odf","*.odp","*.ods","*.pab","*.pkb","*.pkh","*.pot","*.potx","*.pptm","*.psa","*.qdf","*.qel","*.rgn","*.rrt","*.rsw","*.rte","*.sdb","*.sdc","*.sds","*.sql","*.stt","*.t01","*.t03","*.t05","*.tcx","*.thmx","*.txd","*.txf","*.upoi","*.vmt","*.wks","*.wmdb","*.xl","*.xlc","*.xlr","*.xlsb","*.xltx","*.ltm","*.xlwx","*.mcd","*.cap","*.cc","*.cod","*.cp","*.cpp","*.cs","*.csi","*.dcp","*.dcu","*.dev","*.dob","*.dox","*.dpk","*.dpl","*.dpr","*.dsk","*.dsp","*.eql","*.ex","*.f90","*.fla","*.for","*.fpp","*.jav","*.java","*.lbi","*.owl","*.pl","*.plc","*.pli","*.pm","*.res","*.rsrc","*.so","*.swd","*.tpu","*.tpx","*.tu","*.tur","*.vc","*.yab","*.8ba","*.8bc","*.8be","*.8bf","*.8bi8","*.bi8","*.8bl","*.8bs","*.8bx","*.8by","*.8li","*.aip","*.amxx","*.ape","*.api","*.mxp","*.oxt","*.qpx","*.qtr","*.xla","*.xlam","*.xll","*.xlv","*.xpt","*.cfg","*.cwf","*.dbb","*.slt","*.bp2","*.bp3","*.bpl","*.clr","*.dbx","*.jc","*.potm","*.ppsm","*.prc","*.prt","*.shw","*.std","*.ver","*.wpl","*.xlm","*.yps","*.md3"
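The behaviour Grinler describes (only the first 41870 bytes of each targeted file overwritten with AES output, and a DECRYPT_INSTRUCTION.html dropped wherever a file was hit) gives a responder two concrete things to check when sizing up the damage on a share: which folders carry the note, and which files have lost their header. The following triage scanner is an added example written for this page; it is not code from the thread, from BleepingComputer, or from the ransomware. It assumes that AES output looks like uniformly random bytes (so it destroys a file's magic header and has entropy near 8 bits per byte), uses a small subset of the extension list above with known magic headers, and the 7.5 bits/byte threshold and the sample file tree are the author's constructed choices. It also reports how many bytes past the encrypted head are still intact, which matters for recovery planning on large files.

```python
"""Triage scanner for the partially-encrypting PowerShell ransomware described above.

Added example, not code from the thread or from BleepingComputer. Assumptions taken
from Grinler's analysis: the note is DECRYPT_INSTRUCTION.html and only the first
41870 bytes of each targeted file are overwritten with AES output. Assumption added
here: that output is indistinguishable from random bytes, so an encrypted head has no
recognisable magic header and an entropy near 8 bits/byte. Thresholds and the
extension subset are the author's choices for illustration.
"""
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

ENCRYPTED_HEAD_LEN = 41870            # bytes encrypted per file, per the thread
RANSOM_NOTE = "DECRYPT_INSTRUCTION.html"
HIGH_ENTROPY = 7.5                    # bits/byte; random data is ~8.0, English text ~4-5

# Subset of the thread's extension list with known magic headers; extend as needed.
MAGIC = {
    ".pdf": b"%PDF",
    ".zip": b"PK\x03\x04", ".docx": b"PK\x03\x04", ".xlsx": b"PK\x03\x04",
    ".png": b"\x89PNG", ".jpg": b"\xff\xd8\xff",
    ".doc": b"\xd0\xcf\x11\xe0", ".xls": b"\xd0\xcf\x11\xe0",
}
NO_MAGIC = {".txt", ".rtf", ".csv"}   # text formats: entropy is the only signal


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify(path: Path) -> dict:
    """Classify one file as 'clean', 'likely-encrypted', 'too-small' or 'untargeted'."""
    ext = path.suffix.lower()
    if ext not in MAGIC and ext not in NO_MAGIC:
        return {"status": "untargeted"}
    with path.open("rb") as fh:
        head = fh.read(ENCRYPTED_HEAD_LEN)
    size = path.stat().st_size
    if len(head) < 256:
        return {"status": "too-small", "size": size}
    if ext in MAGIC and head.startswith(MAGIC[ext]):
        status = "clean"                # magic header intact: head was not overwritten
    elif shannon_entropy(head) >= HIGH_ENTROPY:
        status = "likely-encrypted"     # header gone, or text turned into random bytes
    else:
        status = "clean"
    # Everything past the encrypted head is untouched by this ransomware, so large
    # files (video, archives) keep most of their bytes; record that for recovery.
    return {"status": status, "size": size,
            "intact_tail_bytes": max(0, size - ENCRYPTED_HEAD_LEN)}


def scan_tree(root) -> dict:
    """Walk `root`; return folders holding a ransom note and per-file classifications."""
    root = Path(root)
    report = {"note_dirs": [], "files": {}}
    for dirpath, _dirs, files in os.walk(root):
        if RANSOM_NOTE in files:
            report["note_dirs"].append(Path(dirpath).relative_to(root).as_posix())
        for name in files:
            if name == RANSOM_NOTE:
                continue
            p = Path(dirpath) / name
            report["files"][p.relative_to(root).as_posix()] = classify(p)
    return report


def build_sample_tree(root) -> None:
    """Constructed fixture: one intact PDF, one hit PDF, one hit text file, one note.
    Random bytes stand in for the encrypted head; no encryption is performed."""
    root = Path(root)
    (root / "share").mkdir()
    (root / "share" / "report.pdf").write_bytes(b"%PDF-1.4\n" + b"stream of text " * 3000)
    (root / "share" / "invoice.pdf").write_bytes(os.urandom(ENCRYPTED_HEAD_LEN) + b"endobj\n" * 2000)
    (root / "share" / "notes.txt").write_bytes(os.urandom(5000))
    (root / "share" / RANSOM_NOTE).write_text("<html>constructed placeholder note</html>")
    (root / "untouched.txt").write_text("meeting minutes\n" * 500)


def demo() -> dict:
    """Build the fixture in a temp dir, scan it, and return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scan_tree(tmp)


if __name__ == "__main__":
    r = demo()
    print("ransom notes in:", r["note_dirs"])
    for f, info in sorted(r["files"].items()):
        print(f"{f}: {info}")
```

Point `scan_tree` at the root of a mapped share to list note-bearing folders and hit files; the magic-header check is what keeps natively compressed formats (zip, jpg, png), whose intact heads are already high-entropy, from being reported as encrypted.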


#9 sl00thy

sl00thy
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:St. Clair Shores
  • Local time:05:38 PM

Posted 10 July 2015 - 02:49 PM

Thanks. Well, it's been over 24 hours since we paid them and no key :(



#10 sl00thy

sl00thy
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:St. Clair Shores
  • Local time:05:38 PM

Posted 10 July 2015 - 03:03 PM

Just thinking out loud: because we stopped it before it encrypted her PC (it just got our shares), could it have not fully sent everything to whoever wrote this?



#11 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,394 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:04:38 PM

Posted 10 July 2015 - 03:05 PM

It looks like a hardcoded key, which means there is no key created on the local computer. Once you make payment, they should be able to provide the correct key based on the ID in the ransom note.

#12 sl00thy

sl00thy
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:St. Clair Shores
  • Local time:05:38 PM

Posted 10 July 2015 - 03:41 PM

And I assume there's nothing of value in the script that dropped the crap on her PC?



#13 Nathan

Nathan

    DecrypterFixer


  • Security Colleague
  • 1,617 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:05:38 PM

Posted 01 November 2015 - 01:19 PM

Please tell me you haven't wiped your PC yet; I may have a fix for you.


Either reply here or email me at Decryptorbit@outlook.com


Have you performed a routine backup today?

#14 sl00thy

sl00thy
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:St. Clair Shores
  • Local time:05:38 PM

Posted 01 November 2015 - 01:25 PM

Please tell me you haven't wiped your PC yet; I may have a fix for you.

Either reply here or email me at Decryptorbit@outlook.com


Email sent

#15 Victro

Victro

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:38 PM

Posted 28 January 2016 - 09:36 AM

Hello All,
 
We paid the criminals their ransom and unfortunately their decryption program does not appear to be working. We ran the PowerShell script as suggested in the instructions with no luck. I'm hoping someone else has run into this and has a fix so we can get our files back. I've attached the files below. The PDF is a sample encrypted file. I would greatly appreciate any assistance!
 
https://www.sendspace.com/file/l3ojsm
 
Thanks again,

Edit: Moved topic from Am I infected? What do I do? to the more appropriate forum, at the request of member assisting OP. ~ Animal



