New TeslaCrypt variant that appends .aaa to encrypted files?


This topic is locked
14 replies to this topic

#1 Aura (Bleepin' Special Ops, Malware Response Team, 19,603 posts)

Posted 06 August 2015 - 10:20 AM

One of our network shares at work got hit with what seems to be a variant of TeslaCrypt, but it appends .aaa to the encrypted files.

Files dropped in folders: restore_files_cxstc.html and restore_files_cxstc.txt

Content of the .txt ransom note:
______!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!______________
What happened to your files ?
All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0.
More information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)

What does this mean ?
This means that the structure and data within your files have been irrevocably changed, you will not be able to work with them, read them or see them,
it is the same thing as losing them forever, but with our help, you can restore them.

How did this happen ?
Especially for you, on our server was generated the secret key pair RSA-2048 - public and private.
All your files were encrypted with the public key, which has been transferred to your computer via the Internet.
Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.

What do I do ?
Alas, if you do not take the necessary measures for the specified time then the conditions for obtaining the private key will be changed.
If you really value your data, then we suggest you do not waste valuable time searching for other solutions because they do not exist.

For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below:
1.http://aep554w4fm8j.fflroe598qu.com/$RANDOM_STRING
2.http://aoei243548ld.keedo93i1lo.com/$RANDOM_STRING
3. https://zpr5huq4bgmutfnf.onion.to/$RANDOM_STRING

If for some reasons the addresses are not available, follow these steps:
1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 
2. After a successful installation, run the browser and wait for initialization.
3. Type in the address bar: zpr5huq4bgmutfnf.onion/$RANDOM_STRING
4. Follow the instructions on the site.

IMPORTANT INFORMATION:
Your personal page: http://aep554w4fm8j.fflroe598qu.com/$RANDOM_STRING
Your personal page (using TOR): zpr5huq4bgmutfnf.onion/$RANDOM_STRING
Your personal identification number (if you open the site (or TOR's) directly): $RANDOM_STRING

Trying to see if I can find a dropper. But if the network share is affected, it might not be on the computer of the user who called us first.

Judging from the Google Search results, it's a new variant.

https://www.google.ca/search?q=cryptowall+.aaa&oq=cryptowall+.aaa&aqs=chrome..69i57.3316j0j7&sourceid=chrome&es_sm=93&ie=UTF-8

I cannot use Tor at work. If someone here can (a Staff member), I can PM you the $RANDOM_STRING so you can access the ransom pages and see if you can grab anything off them.

Edited by quietman7, 06 August 2015 - 04:25 PM.

Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.



#2 Aura (Topic Starter)

Posted 06 August 2015 - 11:28 AM

I got the droppers, I think. Sent them via PM to Grinler. Crypto analysts, if you need them, send me a PM.



#3 Aura (Topic Starter)

Posted 06 August 2015 - 02:28 PM

Files that were dropped in the user profile:

C:\Users\$USERNAME\AppData\Roaming\svcxqi.exe - https://www.virustotal.com/en/file/e4653e6b957f290e83383534da50e98384f1410c1379c4d74b36cea3a211a419/analysis/1438889207/
C:\Users\$USERNAME\AppData\Roaming\svcvlv.exe - https://www.virustotal.com/en/file/406b8ddef058456328bcee893d6c576f10d24e495c7c26b05c867c96e31ccb16/analysis/1438889204/
C:\Users\$USERNAME\AppData\Roaming\vgPezjBs\RABJvouM\LUpExoHv\dFIbhXSxb.exe - https://www.virustotal.com/en/file/4931219963af369709a99efcd81fb8dcdea5a46feaa591a848066f01c2b34aed/analysis/1438889213/



#4 Sintharius (Bleepin' Sniper, Members, 5,639 posts, The Netherlands)

Posted 06 August 2015 - 03:17 PM

That's a lot of detections for a new variant. Guess it's just minor modifications - the dropped file names and added extension to identify the ransomware.

#5 Aura (Topic Starter)

Posted 06 August 2015 - 04:09 PM

Yup. What's weird is that Malwarebytes detects the first two executables as TeslaCrypt too.



#6 quietman7 (Bleepin' Janitor, Global Moderator, 51,281 posts, Virginia, USA)

Posted 06 August 2015 - 04:17 PM

Unless things have changed, since CryptoWall does not change extensions on a file, I would suspect a new variant of TeslaCrypt and possibly a dual infection.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click the donation link in my signature.

#7 Aura (Topic Starter)

Posted 06 August 2015 - 04:23 PM

That would make sense (that's what we are discussing in the IRC right now). quietman, could you change the thread title from Cryptowall to TeslaCrypt please? It would be more appropriate I think.



#8 quietman7 (Global Moderator)

Posted 06 August 2015 - 04:26 PM

Topic title has been changed.

#9 Aura (Topic Starter)

Posted 06 August 2015 - 04:41 PM

Thank you quietman :)



#10 quietman7 (Global Moderator)

Posted 06 August 2015 - 04:44 PM

You're welcome.

#11 Aura (Topic Starter)

Posted 12 August 2015 - 07:55 AM

We got another infection from that variant two days ago. A computer that acts as a server in one of our stores got hit.

https://www.virustotal.com/en/file/b887b72f32e3894b8d56d37e768646fd790b06a16edeafbdb08e383712c71221/analysis/1439213030/

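The indicators scattered across posts #1, #3 and #11 (the .aaa extension, the restore_files_*.txt/.html note names, the contact hostnames in the note, and the four SHA-256 digests embedded in the VirusTotal links) can be turned into a first-pass triage script. The block below is an added example written for this edit; it is not a BleepingComputer or TeslaCrypt tool and nothing in it was posted in the thread. It walks a directory (a read-only mount of the hit share, or a copied user profile), lists encrypted files and notes, derives the encryption time window from file timestamps, extracts the note's hostnames as network IOCs, and hashes any .exe it finds against the thread's digests. The sample directory tree, the shortened note text and the `svcxqi.exe` stand-in (which contains only the bytes `abc`, not the dropper) are constructed for the demonstration.

```python
import hashlib
import os
import re
import tempfile
from dataclasses import dataclass, field
from datetime import datetime, timezone
from pathlib import Path
from typing import Dict, List, Optional, Set

ENCRYPTED_EXT = ".aaa"
# Note names from post #1 (restore_files_cxstc.html / .txt); the suffix varies per victim.
NOTE_NAME = re.compile(r"^restore_files_[a-z0-9]+\.(?:txt|html)$", re.IGNORECASE)
# Hostnames of the "personal page" URLs in the note: clearnet, .onion and the .onion.to gateway.
HOSTNAME = re.compile(r"(?:https?://)?([a-z0-9][a-z0-9.-]+\.(?:com|onion|onion\.to))/", re.IGNORECASE)

# SHA-256 digests copied out of the VirusTotal URLs in posts #3 and #11.
KNOWN_SHA256: Dict[str, str] = {
    "e4653e6b957f290e83383534da50e98384f1410c1379c4d74b36cea3a211a419": "svcxqi.exe (post #3)",
    "406b8ddef058456328bcee893d6c576f10d24e495c7c26b05c867c96e31ccb16": "svcvlv.exe (post #3)",
    "4931219963af369709a99efcd81fb8dcdea5a46feaa591a848066f01c2b34aed": "dFIbhXSxb.exe (post #3)",
    "b887b72f32e3894b8d56d37e768646fd790b06a16edeafbdb08e383712c71221": "second infection (post #11)",
}


@dataclass
class TriageReport:
    encrypted: List[Path] = field(default_factory=list)
    notes: List[Path] = field(default_factory=list)
    known_hits: Dict[str, str] = field(default_factory=dict)  # path -> label
    contact_hosts: Set[str] = field(default_factory=set)
    first_seen: Optional[datetime] = None  # earliest .aaa mtime: start of the encryption window
    last_seen: Optional[datetime] = None


def sha256_of(path) -> str:
    """Streamed SHA-256 so a large dropper is not read into memory at once."""
    h = hashlib.sha256()
    with Path(path).open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def lookup_known(digest: str) -> Optional[str]:
    return KNOWN_SHA256.get(digest.lower())


def hosts_in_note(text: str) -> Set[str]:
    """Hostnames from the note: network IOCs to block and to hunt for in proxy logs."""
    return {m.lower() for m in HOSTNAME.findall(text)}


def triage(root) -> TriageReport:
    rep = TriageReport()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            lname = name.lower()
            if lname.endswith(ENCRYPTED_EXT):
                rep.encrypted.append(p)
                mtime = datetime.fromtimestamp(p.stat().st_mtime, tz=timezone.utc)
                if rep.first_seen is None or mtime < rep.first_seen:
                    rep.first_seen = mtime
                if rep.last_seen is None or mtime > rep.last_seen:
                    rep.last_seen = mtime
            elif NOTE_NAME.match(name):
                rep.notes.append(p)
                if lname.endswith(".txt"):
                    rep.contact_hosts |= hosts_in_note(p.read_text(errors="replace"))
            elif lname.endswith(".exe"):
                label = lookup_known(sha256_of(p))
                if label:
                    rep.known_hits[str(p)] = label
    return rep


# Constructed sample data, not files from the thread: a shortened copy of the note
# text quoted in post #1 and a tree shaped like the share plus a user profile.
SAMPLE_NOTE = """What happened to your files ?
Your personal page: http://aep554w4fm8j.fflroe598qu.com/$RANDOM_STRING
2.http://aoei243548ld.keedo93i1lo.com/$RANDOM_STRING
3. https://zpr5huq4bgmutfnf.onion.to/$RANDOM_STRING
Type in the address bar: zpr5huq4bgmutfnf.onion/$RANDOM_STRING
"""


def build_sample_tree() -> str:
    root = tempfile.mkdtemp(prefix="aaa-triage-")
    share = Path(root, "share", "Finance")
    share.mkdir(parents=True)
    (share / "budget.xlsx.aaa").write_bytes(b"\x00" * 64)
    (share / "restore_files_cxstc.txt").write_text(SAMPLE_NOTE)
    (share / "restore_files_cxstc.html").write_text("<html></html>")
    appdata = Path(root, "Users", "user", "AppData", "Roaming")
    appdata.mkdir(parents=True)
    # Stand-in with the dropper's file name but harmless content (the bytes "abc").
    (appdata / "svcxqi.exe").write_bytes(b"abc")
    return root


if __name__ == "__main__":
    r = triage(build_sample_tree())
    print(len(r.encrypted), "encrypted,", len(r.notes), "notes, window", r.first_seen, "..", r.last_seen)
    print("contact hosts:", sorted(r.contact_hosts))
    print("known droppers:", r.known_hits or "none")
```

Run it against the share first and then against the profile of each suspected host. The earliest .aaa timestamp bounds the window to search file-server audit logs for the account that wrote the notes, which is the information the first post was missing when the dropper was not on the machine of the user who reported the problem. Hash matches only prove a known sample is present; a miss says nothing, since the thread itself shows the file names and digests changing between infections.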


#12 BloodDolly (Security Colleague, 473 posts, Slovakia)

Posted 12 August 2015 - 10:51 AM

The .aaa variant of TeslaCrypt is nothing new. It pretends to be CryptoWall 3.0, but it is not. Basically it is the same as the .xyz and .zzz variants. So no data file is stored on disk, and the information stored in the registry contains only public keys and shared secrets. There is no way to decrypt files without their private key unless you have a logged request sent to the server at the time of encryption.



#13 Aura (Topic Starter)

Posted 12 August 2015 - 10:53 AM

Well, until a few days ago, I didn't see it mentioned anywhere else. Even Google returned only 4-5 results that dated from a few days ago.



#14 aj138 (Members, 23 posts)

Posted 12 August 2015 - 04:30 PM

First and foremost, a sincere and big thank you to all of you who are helping the infected and helpless masses. Many, many thanks!

OK, so I must have gotten infected sometime late last night, right before putting the PC (XP SP3 Home with only 19 GB of total HD space, 16 GB of it used) on standby and going to bed. Note: I do NOT open any emails on that PC, ever; I had to have gotten bit from an infected page (I was visiting politically themed blogs, one of them must have got me). Anyway, I turned on the PC today and noticed some weird files (with .aaa extension) and new icons on the desktop, but no official ransom page yet. I immediately disconnected the ethernet cable and the 2 external HDs (I've managed to check one of them and thank goodness it doesn't appear to have been compromised; the other one I'm afraid to check, so I'm putting it off for later). Went to startup via CCleaner and confirmed that two (maybe three) new items were added, and disabled them.

I was afraid to stay on the infected PC, so I'm speaking from memory, which is a bit hazy about exact details, though logs were made. Please forgive me for the vagueness of the next few details, but... using something to halt processes, I halted processes, then used JRT, which did something (wish I could remember what). Then I scanned using AdwCleaner (the one available here at BleepingComputer), and it found several files which I let it "clean". When done it asked to reboot, I said yes. Once fully restarted I then got the official ransom page. Went to my music folder, double-clicked a song, and it played. I then shut the PC down again, restarted it using the Bitdefender rescue disk on CD, and did a scan. It found "1 threat in 2 items still present" on the PC, the one listed as "gen:trojan.heur.autoIT.1", and that's where I'm at currently: afraid or unsure of what to do or not to do. Having read about TeslaCrypt for the past few hours, I don't want to risk losing anything which might help decrypt whatever files have been encrypted. So here are my questions:

Should I let Bitdefender clean the trojan? If yes, should I delete or disinfect it? What should I do after that? Will Dolly's tool work with the .aaa file extension? If not, or if it fails because the key is gone, what's my next step?

Is there an automated program that can gather the pieces I need to save and put away for a possible future release/leak of a key?

What do I need to do to return to "normal" computing/surfing? Is there an automated program to remove the requisite entries/files/executables for the ransomware? Or is that what the scanners have already removed? Note: as a final step I will run ESET's free scanner on it...

Probably not, but should I run Malwarebytes Anti-Rootkit? Should I run ComboFix?

Again, thanks for any help, and please forgive my noobishness, especially for possibly posting in the wrong thread. I notice a lot of guests viewing this thread and I imagine at least some percentage of them are like me, dumbfounded and lost as to what exactly to do next. Mind you, I read the two FAQs for Crypto/Tesla (so I won't trouble you for exact file recovery methods), but I still couldn't quite be sure of the specific actions to take next! So any help or guidance anyone can offer would be greatly appreciated!

*Remember, I'm paused at the end of a Bitdefender scan with two items awaiting action. Please advise me on the best next immediate action to take. Thank you!


Edited by aj138, 12 August 2015 - 04:34 PM.


#15 quietman7 (Global Moderator)

Posted 12 August 2015 - 04:39 PM

Welcome to Bleeping Computer.

A repository of all current knowledge regarding TeslaCrypt, Alpha Crypt and newer variants is provided by Grinler (aka Lawrence Abrams), in this topic: TeslaCrypt and Alpha Crypt Ransomware Information Guide and FAQ

Information about and support for decrypting files affected by Alpha Crypt & TeslaCrypt ransomware can be found in this topic:
TeslaDecoder released to decrypt .EXX, .EZZ, .ECC files encrypted by TeslaCrypt

There are ongoing discussions in these topics:

Rather than have individual topics, it would be best (and more manageable for staff) if you posted any questions, comments or requests for assistance in one of those topic discussions. Doing that will also ensure you receive proper assistance from our crypto malware experts, since they may not see this thread. To avoid unnecessary confusion... this topic is closed.

Thanks
The BC Staff



