Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Cryptowall 3 question


  • This topic is locked This topic is locked
7 replies to this topic

#1 QQQQ

QQQQ

  • Members
  • 388 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:57 PM

Posted 17 September 2015 - 11:31 AM

Had a customer get hit with this yesterday, email attachment of .doc. Their documents folders are redirected to the server so it started encrypting files on the server, I think. File extensions were changed to random 3 numbers so I thought they were encrypted at that point. After a restore from tape backup (Symantec backup Exec) the extensions were still random 3 digits? If I renamed the file extensions to .wpd they would open fine in Wordperfect. I am thinking we caught it before it could fully execute it's payload. 

Question is how does this spread across shares and mapped drives? Does it push an executable across the share/mapped drive and let it run on the server? I did see a process running on the server of kf51977.exe which I immediately ended, but every minute or so it came back with a slightly different name. I then rebooted the server and that exe stopped running.

The original attachment said it was a Word .doc, I uploaded it to virustotal and got 8/56 hits that said it was a downloader. 

Anyone know how this evil process works and maybe a way to prevent it? I did some reading on CyrptoPrevent and was wondering if that would stop it on a server? (Server 2003)

Yes they are getting a new server soon!



BC AdBot (Login to Remove)

 


#2 White Hat Mike

White Hat Mike

  • Members
  • 312 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:::1
  • Local time:11:57 PM

Posted 17 September 2015 - 12:13 PM

Had a customer get hit with this yesterday, email attachment of .doc. Their documents folders are redirected to the server so it started encrypting files on the server, I think. File extensions were changed to random 3 numbers so I thought they were encrypted at that point. After a restore from tape backup (Symantec backup Exec) the extensions were still random 3 digits? If I renamed the file extensions to .wpd they would open fine in Wordperfect. I am thinking we caught it before it could fully execute it's payload. 

Question is how does this spread across shares and mapped drives? Does it push an executable across the share/mapped drive and let it run on the server? I did see a process running on the server of kf51977.exe which I immediately ended, but every minute or so it came back with a slightly different name. I then rebooted the server and that exe stopped running.

The original attachment said it was a Word .doc, I uploaded it to virustotal and got 8/56 hits that said it was a downloader. 

Anyone know how this evil process works and maybe a way to prevent it? I did some reading on CyrptoPrevent and was wondering if that would stop it on a server? (Server 2003)

Yes they are getting a new server soon!

 

I haven't heard of CryptoWall 3.0 changing file extensions, especially not to 3 random numbers.  Sounds more like you were infected with a variant of TeslaCrypt 2.0, rather the numbered extension is odd.  What was the file extension that you observed being appended to affected files?  What did the ransom note say?

 

Most ransomware variants that are active in-the-wild today solely leave a payload file (executable) on the initially infected host.  From that host, any network/file shares, mapped drives, DropBox mappings, removable devices, etc. that the initially infected device can access can be enumerated by the malware.  So in short: if the infected host could access a file share (an open share [or with cached credentials] that the host device has write permissions to) then the malware can access it as well.

 

You should focus on deploying HIPS / CryptoPrevent-like tools on end-user devices prior to infrastructure devices / servers.  Generally, Windows Server devices aren't being utilized to browse the web (or they really shouldn't be) nor should they be used by an end-user to access their e-mail...


Information Security Engineer | Penetration Tester | Forensic Analyst

CipherTechs.com


#3 QQQQ

QQQQ
  • Topic Starter

  • Members
  • 388 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:57 PM

Posted 17 September 2015 - 01:55 PM

Saw this which says Cryptowall 3:

What happened to your files ?
All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0.
More information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)


What does this mean ?
This means that the structure and data within your files have been irrevocably changed, you will not be able to work with them, read them or see them,
it is the same thing as losing them forever, but with our help, you can restore them.


How did this happen ?
Especially for you, on our server was generated the secret key pair RSA-2048 - public and private.
All your files were encrypted with the public key, which has been transferred to your computer via the Internet.
Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.


What do I do ?
Alas, if you do not take the necessary measures for the specified time then the conditions for obtaining the private key will be changed.
If you really value your data, then we suggest you do not waste valuable time searching for other solutions because they do not exist.


For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below:
1.http://ayh2m57ruxjtwyd5.blindpayallfor.com/
2.http://ayh2m57ruxjtwyd5.stopmigrationss.com/
3.http://ayh2m57ruxjtwyd5.starswarsspecs.com/
4.http://ayh2m57ruxjtwyd5.malerstoniska.com/

If for some reasons the addresses are not available, follow these steps:
1.Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en
2.After a successful installation, run the browser and wait for initialization.
3.Type in the address bar: ayh2m57ruxjtwyd5.onion
4.Follow the instructions on the site.


IMPORTANT INFORMATION:
Your personal page: http://ayh2m57ruxjtwyd5.blindpayallfor.com/
Your personal page (using TOR): ayh2m57ruxjtwyd5.onion/

 

Thanks Mike! No one browses the web on the server except me. But we do use Zscaler at that site and I have not seen any malware get past it, not from browsing the web anyway. Kaspersky did quarantine security295.exe and it is still in quarantine on the pc that started all of this.


Edited by QQQQ, 17 September 2015 - 02:24 PM.


#4 QQQQ

QQQQ
  • Topic Starter

  • Members
  • 388 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:57 PM

Posted 17 September 2015 - 02:24 PM

I deleted the tail end of the links just in case.



#5 White Hat Mike

White Hat Mike

  • Members
  • 312 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:::1
  • Local time:11:57 PM

Posted 17 September 2015 - 03:29 PM

Saw this which says Cryptowall 3:

What happened to your files ?
All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0.
More information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)


What does this mean ?
This means that the structure and data within your files have been irrevocably changed, you will not be able to work with them, read them or see them,
it is the same thing as losing them forever, but with our help, you can restore them.


How did this happen ?
Especially for you, on our server was generated the secret key pair RSA-2048 - public and private.
All your files were encrypted with the public key, which has been transferred to your computer via the Internet.
Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.


What do I do ?
Alas, if you do not take the necessary measures for the specified time then the conditions for obtaining the private key will be changed.
If you really value your data, then we suggest you do not waste valuable time searching for other solutions because they do not exist.


For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below:
1.http://ayh2m57ruxjtwyd5.blindpayallfor.com/
2.http://ayh2m57ruxjtwyd5.stopmigrationss.com/
3.http://ayh2m57ruxjtwyd5.starswarsspecs.com/
4.http://ayh2m57ruxjtwyd5.malerstoniska.com/

If for some reasons the addresses are not available, follow these steps:
1.Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en
2.After a successful installation, run the browser and wait for initialization.
3.Type in the address bar: ayh2m57ruxjtwyd5.onion
4.Follow the instructions on the site.


IMPORTANT INFORMATION:
Your personal page: http://ayh2m57ruxjtwyd5.blindpayallfor.com/
Your personal page (using TOR): ayh2m57ruxjtwyd5.onion/

 

Thanks Mike! No one browses the web on the server except me. But we do use Zscaler at that site and I have not seen any malware get past it, not from browsing the web anyway. Kaspersky did quarantine security295.exe and it is still in quarantine on the pc that started all of this.

 

What is the name of the ransom note file?


Information Security Engineer | Penetration Tester | Forensic Analyst

CipherTechs.com


#6 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,780 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:11:57 PM

Posted 17 September 2015 - 04:22 PM

You may be dealing with a newer variant of TeslaCrypt/Alpha Crypt.

Any files that are encrypted with TeslaCrypt will have the .ecc extension appended to the end of the filename.
Any files that are encrypted with Alpha Crypt (TeslaCrypt renamed) will have the .ezz extension appended to the end of the filename.
Any files that are encrypted with the newer unnamed variant of TeslaCrypt will have the .exx, .xyz, .zzz, .aaa or .abc extension appended to the end of the filename. The .aaa/.abc variant drops files (ransom notes) with names like Recovery_File_*****.html, Recovery_File_*****.txt, restore_files_*****.html, restore_files_*****.txt files, (where ***** are random characters) and pretends to be CryptoWall 3.0.

A repository of all current knowledge regarding TeslaCrypt, Alpha Crypt and newer variants is provided by Grinler (aka Lawrence Abrams), in this topic: TeslaCrypt and Alpha Crypt Ransomware Information Guide and FAQ

There are ongoing discussions in these topic:The BC Staff
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#7 QQQQ

QQQQ
  • Topic Starter

  • Members
  • 388 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:57 PM

Posted 18 September 2015 - 09:08 AM

 

Saw this which says Cryptowall 3:

What happened to your files ?
All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0.
More information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)


What does this mean ?
This means that the structure and data within your files have been irrevocably changed, you will not be able to work with them, read them or see them,
it is the same thing as losing them forever, but with our help, you can restore them.


How did this happen ?
Especially for you, on our server was generated the secret key pair RSA-2048 - public and private.
All your files were encrypted with the public key, which has been transferred to your computer via the Internet.
Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.


What do I do ?
Alas, if you do not take the necessary measures for the specified time then the conditions for obtaining the private key will be changed.
If you really value your data, then we suggest you do not waste valuable time searching for other solutions because they do not exist.


For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below:
1.http://ayh2m57ruxjtwyd5.blindpayallfor.com/
2.http://ayh2m57ruxjtwyd5.stopmigrationss.com/
3.http://ayh2m57ruxjtwyd5.starswarsspecs.com/
4.http://ayh2m57ruxjtwyd5.malerstoniska.com/

If for some reasons the addresses are not available, follow these steps:
1.Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en
2.After a successful installation, run the browser and wait for initialization.
3.Type in the address bar: ayh2m57ruxjtwyd5.onion
4.Follow the instructions on the site.


IMPORTANT INFORMATION:
Your personal page: http://ayh2m57ruxjtwyd5.blindpayallfor.com/
Your personal page (using TOR): ayh2m57ruxjtwyd5.onion/

 

Thanks Mike! No one browses the web on the server except me. But we do use Zscaler at that site and I have not seen any malware get past it, not from browsing the web anyway. Kaspersky did quarantine security295.exe and it is still in quarantine on the pc that started all of this.

 

What is the name of the ransom note file?

 

HELP_DECRYPT.HTML: HELP_DECTYPT.PNG and HELP_DECRYPT.TXT



#8 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,780 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:11:57 PM

Posted 18 September 2015 - 03:04 PM


- CryptoWall 3.0 leaves files (ransom notes) named:
HELP_DECRYPT.TXT
HELP_DECRYPT.HTML
HELP_DECRYPT.URL
HELP_DECRYPT.PNG

A repository of all current knowledge regarding CryptoWall, CryptoWall 2.0 & CryptoWall 3.0 is provided by Grinler (aka Lawrence Abrams), in this topic: CryptoWall and DECRYPT_INSTRUCTION Ransomware Information Guide and FAQ

There are also ongoing discussions in these topics:Rather than have everyone start individual topics, it would be best (and more manageable for staff) if you posted any questions, comments or requests for assistance in one of those topic discussions. Doing that will also ensure you receive proper assistance from our crypto malware experts since they may not see this thread. To avoid unnecessary confusion...this topic is closed.

Thanks
The BC Staff
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users