How to Decrypt Ransomware name "WHAT IS SQ_" ?


7 replies to this topic

#1 oDarkIceo

oDarkIceo

  • Members
  • 2 posts
  • OFFLINE
  • Local time:03:57 PM

Posted 21 July 2015 - 02:23 AM

It renamed all files from "filename" to "sp_filename" and created "WHAT IS SQ_.txt" in all folders.
Now I can't open all files. Could you please help me?
 
[Image attached]
 
Message in the "WHAT IS SQ_.txt"
 
----------------------------------------------------------------------------------------------------
Hi.

Your files have been crypted by 2 algoritms - AES and RSA. Only we have private RSA key

All encrypted files now starting with sq_

You can buy our decryptor that will recover all your files. You need:

1) Send us 3 bitcoins on our bitcoin address 1EWWZb486HriwWfLWKs7wsnvPsx6ZDsC5t (Now 1 bitcoin approximately = 260 $)

Only we and you know about this address, so we will understand that its your payment.

You can check the balance of this address here https://blockchain.info/address/1EWWZb486HriwWfLWKs7wsnvPsx6ZDsC5t

2) Send us your unique identificator on our mail ke17@ruggedinbox.com and write us that you have been paid.

   You dont need send us any confirmation of your payment (we have installed bitcoin software and we will check your payment with this software)

3) Wait 1 or 2 or... 24 hours and we will send you decryptor (it is very easy to use it - you

need only run decryptor executable file and wait 1-10 hours and all files will be decrypted)

If we dont anwser on your letter more than 1 day then make your own mail account on www.ruggedinbox.com

(This action is very simple and takes 1-2 minutes) and send us your letter again

(some mail servers (for example hotmail.com and outlook.com) blocking letters to www.ruggedinbox.com)

Your unique identificator: 331-638-442

You can use one of those sites to change your money to bitcoins:

https://coins.co.th/en

https://bitcoin.co.th/merchants/

https://localbitcoins.com/country/th

www.howtobuybitcoins.info/th.html

www.goldux.com

www.kraken.com

www.bitquick.co

You dont need install any bitcoin software - you need only find bitcoin exchange service (also you can try find it here for your country http://www.google.com)

Additional information: before payment you can send us one small file (not bigger than 300 kilobytes).

and we will decrypt it before payment (also you need send us your unique identificator).

After that, we think that it will be evident that we have the program that can decrypt your files.

We dont want to destroy your files! We only need some money!
----------------------------------------------------------------------------------------------------

Edited by quietman7, 21 July 2015 - 06:03 AM.




#2 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,920 posts
  • OFFLINE
  • Gender:Male
  • Location:Virginia, USA
  • Local time:03:57 AM

Posted 21 July 2015 - 05:33 AM


The BC staff has advised our Security Colleagues who specialize in crypto malware ransomware with a link to this topic.

Please submit a sample of an encrypted file here with a link to this topic: http://www.bleepingcomputer.com/submit-malware.php?channel=3

You can also submit samples of suspicious executables or any malware files that you suspect were involved in causing the infection. Doing that will be helpful with analyzing and investigating.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#3 oDarkIceo

oDarkIceo
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  • Local time:03:57 PM

Posted 21 July 2015 - 05:44 AM

Hi quietman7,

We already submitted malware files (Ransomware name "WHAT IS SQ_").

We will be waiting for your help.



#4 bentlynabata

bentlynabata

  • Members
  • 1 posts
  • OFFLINE
  • Gender:Male
  • Location:Philippines
  • Local time:04:57 PM

Posted 22 July 2015 - 02:11 AM

We have the same scenario. Most of the files that get encrypted are on our Fileshare. I also submitted an encrypted file for your further evaluation and investigation about the file. Thanks

 

By the way, the incident occurred on Monday, July 20, Asian time.

 

[Image attached]

 

________________________________________________

Hi.

Your files have been crypted by 2 algoritms - AES and RSA. Only we have private RSA key

All encrypted files now starting with sq_

You can buy our decryptor that will recover all your files. You need:

1) Send us 3 bitcoins on our bitcoin address 1GJhsxp3jwfL2thkh5sKVyRuomdYopm2mj (Now 1 bitcoin approximately = 260 $)

Only we and you know about this address, so we will understand that its your payment.

You can check the balance of this address here https://blockchain.info/address/1GJhsxp3jwfL2thkh5sKVyRuomdYopm2mj

2) Send us your unique identificator on our mail ke17@ruggedinbox.com and write us that you have been paid.

   You dont need send us any confirmation of your payment (we have installed bitcoin software and we will check your payment with this software)

3) Wait 1 or 2 or... 24 hours and we will send you decryptor (it is very easy to use it - you

need only run decryptor executable file and wait 1-10 hours and all files will be decrypted)

If we dont anwser on your letter more than 1 day then make your own mail account on www.ruggedinbox.com

(This action is very simple and takes 1-2 minutes) and send us your letter again

(some mail servers (for example hotmail.com and outlook.com) blocking letters to www.ruggedinbox.com)

Your unique identificator: 331-064-442

You can use one of those sites to change your money to bitcoins:

www.exchangercoin.com

https://coins.co.th/en

https://bitcoin.co.th/merchants/

https://localbitcoins.com/country/th

www.howtobuybitcoins.info/th.html

www.goldux.com

www.kraken.com

www.bitquick.co

You dont need install any bitcoin software - you need only find bitcoin exchange service (also you can try find it here for your country http://www.google.com)

Additional information: before payment you can send us one small file (not bigger than 300 kilobytes).

and we will decrypt it before payment (also you need send us your unique identificator).

After that, we think that it will be evident that we have the program that can decrypt your files.

We dont want to destroy your files! We only need some money!



#5 mazaruz

mazaruz

  • Members
  • 1 posts
  • OFFLINE
  • Local time:03:57 PM

Posted 03 February 2016 - 11:14 PM

Hi,

 

Not sure if we have found a way to help with this type of malware yet?



#6 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,920 posts
  • OFFLINE
  • Gender:Male
  • Location:Virginia, USA
  • Local time:03:57 AM

Posted 04 February 2016 - 07:35 AM

No updates that I am aware of to report.


Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#7 Demonslay335

Demonslay335

    Ransomware Hunter


  • Security Colleague
  • 3,579 posts
  • OFFLINE
  • Gender:Male
  • Location:USA
  • Local time:02:57 AM

Posted 10 February 2016 - 10:04 AM

I can't find a single reference to this ransomware apart from junk sites indexing this BC post.

 

Does someone have a dropper, and encrypted/clean pair of files? Preferably PNG. I'd like to see if I can at least take a look to see if I can figure what it is doing. Please send via PM.


ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]


#8 Demonslay335

Demonslay335

    Ransomware Hunter


  • Security Colleague
  • 3,579 posts
  • OFFLINE
  • Gender:Male
  • Location:USA
  • Local time:02:57 AM

Posted 01 December 2016 - 09:42 AM

Another variant of this appears to use "vo_", so files would be renamed to "vo_picture.jpg". The note is "VO_ IN DOCUMENTS..txt". We are still looking for a sample of the malware to analyze.

Good morning. Your computer has been locked by ransomware, your personal files are encrypted and you have unfortunately "lost" all your pictures,

files and documents on the computer. Your important files encryption produced on this computer: videos, photos, documents, etc.

Encryption was produced using unique public key RSA-1024 generated for this computer. To decrypt files you need to obtain the private key.

All encrypted files contains VO_

Your number: 338888409888891

To obtain the program for this computer, which will decrypt all files, you need to pay

4 bitcoins on our bitcoin address 1FWTrWjA6QKuzEbE7pYtXWH8GU2jhndar2 (today 1 bitcoin was 260 USA dollars). Only we and you know about this bitcoin address.

You can check bitcoin balanse here -  https://www.blockchain.info/address/1FWTrWjA6QKuzEbE7pYtXWH8GU2jhndar2

After payment send us your number on our mail pwwu@ruggedinbox.com and we will send you decryption tool (you need only run it and all files will be decrypted during 1...3 hours)

Before payment you can send us one small file (100..500 kilobytes) and we will decrypt it - it's your garantee that we have decryption tool. And send us your number with attached file.

We dont know who are you. All what we need - it's some money.

Don't panic if we don't answer you during 24 hours. It means that we didn't received your letter (for example if you use hotmail.com or outlook.com

it can block letter, SO DON'T USE HOTMAIL.COM AND OUTLOOK.COM. You need register your mail account in www.ruggedinbox.com (it will takes 1..2 minutes) and write us again)

You can use one of that bitcoin exchangers for transfering bitcoin.

https://www.korbit.co.kr

https://www.coinplug.com

https://ko-kr.facebook.com/coinplug

You dont need install bitcoin software - you need only use one of this exchangers or other exchanger that you can find in www.google.com for your country.

Please use english language in your letters. If you don't speak english then use https://translate.google.com to translate your letter on english language.

...

[The note continues with a Korean rendering of the same text, translated here:]

Your computer has been locked by ransomware. Your personal files are encrypted and you have unfortunately "lost" all your pictures,

computer files and documents. Important file encryption was produced on this computer: videos, photos, documents, etc.

Encryption was produced using a unique RSA-1024 public key generated on this computer. To decrypt the files you must obtain the private key.

All encrypted files contain VO_

Phone number: 338888409888891

To obtain the program for this computer that will decrypt all files, you need to pay

4 bitcoins at our bitcoin address 1FWTrWjA6QKuzEbE7pYtXWH8GU2jhndar2 (today 1 bitcoin was 260). Only we and you know about this bitcoin address.

https://www.blockchain.info/address/1FWTrWjA6QKuzEbE7pYtXWH8GU2jhndar2 - you can check the bitcoin balance here

After payment, send us your number at our mail pwwu@ruggedinbox.com and we will send you the decryption tool (you need only run it and all files will be decrypted within 1..3 hours)

Before payment you can send us one small file (100..500 kilobytes) and we will decrypt it - that is your guarantee that we have the decryption tool. And send us your number with the file attached.

We don't know who you are. All we need is money.

Don't panic if we don't answer you within 24 hours. It means we did not receive your letter (for example, if you use hotmail.com or outlook.com

they can block the letter, so DO NOT USE HOTMAIL.COM AND OUTLOOK.COM. You need to register a mail account at www.ruggedinbox.com (it takes 1..2 minutes) and write to us again)

You can use one of these bitcoin exchangers to transfer bitcoin.

https://www.korbit.co.kr

https://www.coinplug.com

https://ko-kr.facebook.com/coinplug

You still need to install bitcoin software - you need only use one of these exchangers or another exchanger that you can find on www.google.com for your country.

Please use English in your letters. If you don't speak English, use https://translate.google.com to translate your letter into English.

ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]
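To scope an infection by either variant across a file share (the situation bentlynabata described), as an added example rather than anything from this thread: the script classifies files by the sq_/vo_ prefix and the two note names reported in this topic, then summarises counts per directory, the earliest and latest write times of affected files (which dates the event), and directories that have prefix hits but no note, since a legitimately named sq_/vo_ file would otherwise be counted as encrypted. The directory listing is constructed and the share path is a placeholder.

```python
import os
from collections import defaultdict

RENAMED_PREFIXES = ("sq_", "vo_")                       # prefixes reported in this topic
NOTE_NAMES = {"what is sq_.txt", "vo_ in documents..txt"}  # note names reported here

def classify(filename: str) -> str:
    """'note', 'encrypted' (renamed with the prefix) or 'clean'; case-insensitive."""
    name = filename.lower()
    if name in NOTE_NAMES:
        return "note"
    if name.startswith(RENAMED_PREFIXES):
        return "encrypted"
    return "clean"

def summarize(entries):
    """entries: iterable of (path, mtime_epoch). Returns per-directory counts, the
    first/last write time of affected files, and directories with prefix hits but
    no note (likely legitimately named files, worth a manual look)."""
    per_dir = defaultdict(lambda: {"encrypted": 0, "note": 0, "clean": 0})
    first = last = None
    for path, mtime in entries:
        directory, name = os.path.split(path)
        kind = classify(name)
        per_dir[directory][kind] += 1
        if kind != "clean":
            first = mtime if first is None else min(first, mtime)
            last = mtime if last is None else max(last, mtime)
    unconfirmed = [d for d, c in per_dir.items() if c["encrypted"] and not c["note"]]
    return {"dirs": dict(per_dir), "first": first, "last": last, "unconfirmed": unconfirmed}

def walk_share(root: str):
    """Yield (path, mtime) for every file under root, skipping unreadable ones."""
    for dirpath, _, files in os.walk(root):
        for f in files:
            p = os.path.join(dirpath, f)
            try:
                yield p, os.path.getmtime(p)
            except OSError:
                continue

# Constructed listing standing in for walk_share("/srv/share") (placeholder path).
SAMPLE = [
    ("/srv/share/finance/sq_budget.xlsx", 1437357600.0),
    ("/srv/share/finance/WHAT IS SQ_.txt", 1437357610.0),
    ("/srv/share/finance/readme.txt", 1420070400.0),
    ("/srv/share/hr/vo_picture.jpg", 1480579200.0),
    ("/srv/share/hr/VO_ IN DOCUMENTS..txt", 1480579205.0),
    ("/srv/share/it/sq_legacy_script.bat", 1437400000.0),
]
```

Run it as `summarize(walk_share(r"\\fileserver\share"))` against the real share; the first/last timestamps give the encryption window to search in logon and file-audit logs for the account that did the writing.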




