
Ransomware encrypted all my important files


24 replies to this topic

#1 akshaydayal1

akshaydayal1

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:07:05 PM

Posted 20 August 2015 - 07:14 AM

Ransomware encrypted all the important files on my desktop, and I cannot pay them the 3 bitcoins they want.
They encrypted the data on all my drives and left a Notepad file with this message:

Good day. Your computer has been locked by ransomware, your personal files are encrypted and you have unfortunately "lost" all your pictures,
files and documents on the computer. Your important files encryption produced on this computer: videos, photos, documents, etc. 
Encryption was produced using unique public key RSA-1024 generated for this computer. To decrypt files you need to obtain the private key.
All encrypted files contain MW_
Your number: 93999305000121
To obtain the program for this computer, which will decrypt all files, you need to pay 
3 bitcoins on our bitcoin address 1KdciB7TnPWU2bfqR7hpzDdJuYksUyq8SB (today 1 bitcoin was 260 USA dollars). Only we and you know about this bitcoin address.
You can check bitcoin balanse here -  https://www.blockchain.info/address/1KdciB7TnPWU2bfqR7hpzDdJuYksUyq8SB
After payment send us your number on our mail ttk@ruggedinbox.com and we will send you decryption tool (you need only run it and all files will be decrypted during 1...3 hours)
Before payment you can send us one small file (100..500 kilobytes) and we will decrypt it - it's your garantee that we have decryption tool. And send us your number with attached file.
We dont know who are you. All what we need - it's some money.
Don't panic if we don't answer you during 24 hours. It means that we didn't received your letter (for example if you use hotmail.com or outlook.com
it can block letter, SO DON'T USE HOTMAIL.COM AND OUTLOOK.COM. You need register your mail account in www.ruggedinbox.com (it will takes 1..2 minutes) and write us again)
You can use one of that bitcoin exchangers for transfering bitcoin.
https://www.unocoin.com
https://btcxindia.com
https://www.bitquick.in
https://buysellbitco.in
https://localbitcoins.com/country/IN
You dont need install bitcoin software - you need only use one of this exchangers or other exchanger that you can find in www.google.com for your country.
Please use english language in your letters. If you don't speak english then use https://translate.google.com to translate your letter on english language.

Kindly help me, please.

Edited by Queen-Evie, 20 August 2015 - 08:33 AM.
moved from Encryption Methods and Programs




#2 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,490 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:09:35 AM

Posted 20 August 2015 - 03:29 PM


Are there any file extensions appended to your files...such as .ecc, .ezz, .exx, .zzz, .xyz, .aaa, .CTBL, .CTB2, .XTBL, .encrypted, .vault, .HA3, .toxcrypt or 6-7 length extension consisting of random characters?

Did you find any ransom note? These infections are created to alert victims that their data has been encrypted and demand a ransom payment. Check your documents folder for an image the malware typically uses for the background note. Check C:\ProgramData (or C:\Documents and Settings\All Users\Application Data) for a randomly named .html, .txt, .png, .bmp, .url file.

These are some examples.
HELP_DECRYPT.TXT, HELP_DECRYPT.HTML, HELP_DECRYPT.URL, HELP_DECRYPT.PNG
HELP_TO_DECRYPT_YOUR_FILES.bmp, HELP_TO_DECRYPT_YOUR_FILES.txt, HELP_RESTORE_FILES.txt
HELP_TO_SAVE_FILES.txt, HELP_TO_SAVE_FILES.bmp, RECOVERY_KEY.txt, DecryptAllFiles.txt
DECRYPT_INSTRUCTION.TXT, DECRYPT_INSTRUCTION.HTML, DECRYPT_INSTRUCTION.URL
About_Files, HOW_TO_DECRYPT_FILES.txt, encryptor_raas_readme_liesmich.txt
RECOVERY_FILES.html, RECOVERY_FILES.txt, Recovery_File_*****.html, Recovery_File_*****.txt
restore_files_*****.html, restore_files_*****.txt (where ***** are random characters)

Once you have identified which particular ransomware you are dealing with, I can direct you to the appropriate discussion topic for further assistance.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif
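
Added example (not part of quietman7's post or any BleepingComputer tool): a Python triage script that walks a folder tree and flags ransom notes and encrypted-file markers, using the note names and extensions listed in the post above plus the MW_/KK_ markers reported in this topic. Turning the listed names into wildcard patterns is an assumption, and the sample tree is constructed.

```python
import fnmatch
import os
import re
import tempfile
from collections import defaultdict

# Note names from the post above ("*****" = random characters), plus the two
# notes reported in this topic. Generalising them to wildcards is an assumption.
NOTE_PATTERNS = [
    "HELP_DECRYPT.*", "HELP_TO_DECRYPT_YOUR_FILES.*", "HELP_RESTORE_FILES.txt",
    "HELP_TO_SAVE_FILES.*", "RECOVERY_KEY.txt", "DecryptAllFiles.txt",
    "DECRYPT_INSTRUCTION.*", "About_Files*", "HOW_TO_DECRYPT_FILES.txt",
    "encryptor_raas_readme_liesmich.txt", "RECOVERY_FILES.*",
    "Recovery_File_*.*", "restore_files_*.*",
    "??_IN FILES*", "??_ IN YOUR DOCUMENTS*",
]
EXTENSIONS = {".ecc", ".ezz", ".exx", ".zzz", ".xyz", ".aaa", ".ctbl", ".ctb2",
              ".xtbl", ".encrypted", ".vault", ".ha3", ".toxcrypt"}
PREFIXES = ("MW_", "KK_")  # markers the victims in this topic reported

NOTE_RE = re.compile("|".join(fnmatch.translate(p) for p in NOTE_PATTERNS),
                     re.IGNORECASE)

def triage(root):
    """Return {folder: {"notes": [...], "encrypted": [...]}} for folders with hits."""
    hits = defaultdict(lambda: {"notes": [], "encrypted": []})
    for folder, _dirs, files in os.walk(root):
        for name in sorted(files):
            ext = os.path.splitext(name)[1].lower()
            if NOTE_RE.match(name):  # notes first: they can share the marker prefix
                hits[folder]["notes"].append(name)
            elif ext in EXTENSIONS or name.upper().startswith(PREFIXES):
                hits[folder]["encrypted"].append(name)
    return dict(hits)

if __name__ == "__main__":
    # Constructed sample tree of empty files; no real samples are involved.
    with tempfile.TemporaryDirectory() as root:
        for name in ["KK_ IN YOUR DOCUMENTS..txt", "KK_invoice.doc", "todo.txt",
                     "photo.jpg.vault", "help_decrypt.html"]:
            open(os.path.join(root, name), "w").close()
        for folder, found in triage(root).items():
            print(folder, found)
```

The "6-7 random characters" extension case from the post is left out because a pure length check would flag many legitimate files.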

#3 akshaydayal1

akshaydayal1
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:07:05 PM

Posted 21 August 2015 - 07:44 AM

There is only one readable file left in every folder. Its name is MW_IN FILES, it is a txt file, and it has this message:

 

Good day. Your computer has been locked by ransomware, your personal files are encrypted and you have unfortunately "lost" all your pictures,
files and documents on the computer. Your important files encryption produced on this computer: videos, photos, documents, etc. 
Encryption was produced using unique public key RSA-1024 generated for this computer. To decrypt files you need to obtain the private key.
All encrypted files contain MW_
Your number: 93999305000121
To obtain the program for this computer, which will decrypt all files, you need to pay 
3 bitcoins on our bitcoin address 1KdciB7TnPWU2bfqR7hpzDdJuYksUyq8SB (today 1 bitcoin was 260 USA dollars). Only we and you know about this bitcoin address.
After payment send us your number on our mail ttk@ruggedinbox.com and we will send you decryption tool (you need only run it and all files will be decrypted during 1...3 hours)
Before payment you can send us one small file (100..500 kilobytes) and we will decrypt it - it's your garantee that we have decryption tool. And send us your number with attached file
We dont know who are you. All what we need - it's some money.
Don't panic if we don't answer you during 24 hours. It means that we didn't received your letter (for example if you use hotmail.com or outlook.com
it can block letter, SO DON'T USE HOTMAIL.COM AND OUTLOOK.COM. You need register your mail account in www.ruggedinbox.com (it will takes 1..2 minutes) and write us again)
You can use one of that bitcoin exchangers for transfering bitcoin.
You dont need install bitcoin software - you need only use one of this exchangers or other exchanger that you can find in www.google.com for your country.
Please use english language in your letters. If you don't speak english then use https://translate.google.com to translate your letter on english language.

________________________________________________________________________________________________________________________

 

I have also attached some pictures; kindly have a look.

 

https://drive.google.com/file/d/0B0gt-r6ajZZeUUo0Ym41NFZhNDg/view?usp=sharing


Edited by akshaydayal1, 21 August 2015 - 08:09 AM.


#4 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,490 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:09:35 AM

Posted 21 August 2015 - 08:35 PM


I have advised our Security Colleagues who specialize in crypto malware ransomware with a link to this topic.

#5 kloons

kloons

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:04:35 PM

Posted 24 August 2015 - 04:15 AM

Hello!

 

Got it on a server through a network shared disk, so I don't have an executable to analyze at the moment.

All I have is encrypted files with the prefix KK_

 

Here are encrypted sample .doc files:

http://files.fm/u/mfoviso

 

And of course KK_ IN YOUR DOCUMENTS..txt readme file with instructions:

 

 

Greetings, your computer has been locked by ransomware, your personal files are encrypted and you have unfortunately "lost" all your pictures,
files and documents on the computer. Your important files encryption produced on this computer: videos, photos, documents, etc. 
Encryption was produced using unique public key RSA-1024 generated for this computer. To decrypt files you need to obtain the private key.
All encrypted files contain KK_
Your number: 727171000396333
To obtain the program for this computer, which will decrypt all files, you need to pay 
4 bitcoins on our bitcoin address 15bs8hWKN9nYFcjLt1ET9azWFU6kfiK3WH (today 1 bitcoin was 225 $). Only we and you know about this bitcoin address.
After payment send us your number on our mail nown@ruggedinbox.com and we will send you decryption tool (you need only run it and all files will be decrypted during 1...3 hours)
Before payment you can send us one small file (100..500 kilobytes) and we will decrypt it - it's your garantee that we have decryption tool. And send us your number with attached file.
We dont know who are you. All what we need - it's some money.
Don't panic if we don't answer you during 24 hours. It means that we didn't received your letter (for example if you use hotmail.com or outlook.com
it can block letter, SO DON'T USE HOTMAIL.COM AND OUTLOOK.COM. You need register your mail account in www.ruggedinbox.com (it will takes 1..2 minutes) and write us again)
You can use one of that bitcoin exchangers for transfering bitcoin.
coinera.eu
misterbtc.com
decrypto.ee
You dont need install bitcoin programs - you need only use one of this exchangers or other exchanger that you can find in www.google.com for your country.
Please use english language in your letters. If you don't speak english then use https://translate.google.com to translate your letter on english language.
 

Edited by kloons, 24 August 2015 - 04:19 AM.


#6 Ovelheiro

Ovelheiro

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:02:35 PM

Posted 24 August 2015 - 03:26 PM

Hi, do you have any of these files larger than 2 MB? Can you upload one original and the encrypted one, if you have them?



#7 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,490 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:09:35 AM

Posted 24 August 2015 - 03:38 PM

@ akshaydayal1, kloons, and anyone else finding their way to this topic.

Please submit a sample of an encrypted file here (http://www.bleepingcomputer.com/submit-malware.php?channel=3) with a link to this topic.

Also submit samples of suspicious executables or any malware files that you suspect were involved in causing the infection. Doing that will be helpful with analyzing and investigating.

These are common locations malicious executables related to ransomware infections may be found:
%Temp%
C:\<random>\<random>.exe
%AppData%
%LocalAppData%
%ProgramData%
%WinDir%

And it would be helpful to submit a sample to VirusTotal and post a link to the results back here.

#8 kloons

kloons

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:04:35 PM

Posted 25 August 2015 - 12:02 AM

Hello!

 

Thank You for response.

 

Submitted some files, around 3MB (doc pdf jpg)

 

Still searching for the infected machine that took over the shared files.

When I have files to report, I will submit them.

Of course the backup was made after encryption and w2003 does not have shadow services .. yupiii...

Did go through the HDD with some file recovery tools - nope, this ransomware does not make copies and then delete originals, it crypts files on the fly.

Did find this topic through search. No other ransomware in other topics matched the symptoms.


Edited by kloons, 25 August 2015 - 12:04 AM.


#9 kloons

kloons

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:04:35 PM

Posted 25 August 2015 - 12:51 AM

Managed to find one encrypted jpg, and one good:

http://www.files.fm/u/lmvvqxy#



#10 Ovelheiro

Ovelheiro

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:02:35 PM

Posted 25 August 2015 - 02:22 AM

Managed to find one encrypted jpg, and one good:

http://www.files.fm/u/lmvvqxy#

 

Hi,

I tried with torrentunlocker. The size of the encrypted image is less than the original one; probably because of that, the encryption did not work successfully.

Do you have any other kind of document? Like a Doc, Xls or PDF? 



#11 kloons

kloons

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:04:35 PM

Posted 25 August 2015 - 03:40 AM

Tried with torrentunlocker - it says key found, but result file is unreadable.

 

Uploaded 2 pdf (good and bad) in the same size:

http://files.fm/u/nwiazew
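
Added example (not part of any post in this topic): a Python comparison of an original file with its encrypted copy, the kind of pair the posters are exchanging here, reporting the size change, which 4 KiB blocks differ, and the entropy of the changed data. The sample pair is constructed and does not reflect how this ransomware actually encrypts.

```python
import hashlib
import math
from collections import Counter

def entropy(data):
    """Shannon entropy in bits per byte; values near 8.0 look like ciphertext."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def compare_pair(original, encrypted, block=4096):
    """Compare a known-good file with its encrypted copy (both as bytes)."""
    common = min(len(original), len(encrypted))
    changed = [off for off in range(0, common, block)
               if original[off:off + block] != encrypted[off:off + block]]
    total = math.ceil(common / block)
    if not changed:
        coverage = "none"
    elif len(changed) == total:
        coverage = "whole file"
    else:
        coverage = "partial"
    changed_bytes = b"".join(encrypted[off:off + block] for off in changed)
    return {
        "size_delta": len(encrypted) - len(original),  # non-zero: header, padding or truncation
        "blocks_changed": len(changed),
        "blocks_total": total,
        "first_changed": changed[0] if changed else None,
        "last_changed": changed[-1] if changed else None,
        "coverage": coverage,
        "entropy_original": round(entropy(original), 2),
        "entropy_changed": round(entropy(changed_bytes), 2),
    }

def constructed_pair():
    """Constructed sample: the first 8 KiB are replaced by hash output standing
    in for ciphertext. This is an assumption, not this ransomware's behaviour."""
    original = b"Quarterly report, page 1 of 40.\n" * 640  # 20480 bytes
    stream = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(256))
    return original, stream + original[len(stream):]

if __name__ == "__main__":
    good, bad = constructed_pair()
    for key, value in compare_pair(good, bad).items():
        print(f"{key}: {value}")
```

When the two files differ in length, as reported for the jpg above, only the common length is compared block by block and the difference shows up in `size_delta`.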



#12 akshaydayal1

akshaydayal1
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:07:05 PM

Posted 25 August 2015 - 03:47 AM

Here are some encrypted files with the same original files; please check the link below:

 

https://drive.google.com/folderview?id=0B0gt-r6ajZZeflJIY25FeVhnMWZzWlQ1LTFkVFpSbnZJSW1xT2poMUhiRmhlWlk4NGdOZzQ&usp=sharing



#13 kloons

kloons

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:04:35 PM

Posted 25 August 2015 - 03:56 AM

Tried all that kaspersky has to offer for free.. no luck

http://support.kaspersky.com/viruses/utility?cid=utilities-global-FREE-win#

 

Also Panda Unransom did not succeed.

http://malwarefixes.com/category/virus/


Edited by kloons, 25 August 2015 - 04:03 AM.


#14 Ovelheiro

Ovelheiro

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:02:35 PM

Posted 25 August 2015 - 06:07 AM

Have tried with torrentlocker but with no success, sorry.

Will study more about this encryption method.



#15 ViliusU

ViliusU

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:03:35 PM

Posted 25 August 2015 - 10:35 AM

Hi all,

 

Yesterday got the same :(

 

 

 

Greetings, your computer has been locked by ransomware, your personal files are encrypted and you have unfortunately "lost" all your pictures,
files and documents on the computer. Your important files encryption produced on this computer: videos, photos, documents, etc. 
Encryption was produced using unique public key RSA-1024 generated for this computer. To decrypt files you need to obtain the private key.
All encrypted files contain KK_
Your number: 727171000480333
To obtain the program for this computer, which will decrypt all files, you need to pay 
4 bitcoins on our bitcoin address 1Hg3wZKfa6ztJDpweJQQKc2t9K6RYSgX3g (today 1 bitcoin was 225 $). Only we and you know about this bitcoin address.
After payment send us your number on our mail nown@ruggedinbox.com and we will send you decryption tool (you need only run it and all files will be decrypted during 1...3 hours)
Before payment you can send us one small file (100..500 kilobytes) and we will decrypt it - it's your garantee that we have decryption tool. And send us your number with attached file.
We dont know who are you. All what we need - it's some money.
Don't panic if we don't answer you during 24 hours. It means that we didn't received your letter (for example if you use hotmail.com or outlook.com
it can block letter, SO DON'T USE HOTMAIL.COM AND OUTLOOK.COM. You need register your mail account in www.ruggedinbox.com (it will takes 1..2 minutes) and write us again)
You can use one of that bitcoin exchangers for transfering bitcoin.
coinera.eu
misterbtc.com
decrypto.ee
You dont need install bitcoin programs - you need only use one of this exchangers or other exchanger that you can find in www.google.com for your country.
Please use english language in your letters. If you don't speak english then use https://translate.google.com to translate your letter on english language.




