Brainless Rookie - Ransomware? What Ransomware?


36 replies to this topic

#1 Xdivermkv

Xdivermkv

  • Members
  • 21 posts

Posted 20 September 2015 - 08:23 AM

Hi All

 

New to these parts and even navigating the forum is daunting! Many of my document and picture files appear to have been changed along lines which are obvious from this example - CIMG1143.JPG.id-9737394708_help2015@mail. System calls it a BG file. Obviously this prevents me from opening them. I haven't seen any "ransom note" although McAfee has had to clean a few things out lately. I restored my XP system and it seems to work ok with McAfee coming up clean on each sweep. But I still can't open my files. Any ideas? Any help very gratefully received.


Edited by hamluis, 21 September 2015 - 07:56 AM.
Moved from AII to Gen Security - Hamluis.



#2 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 52,082 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 21 September 2015 - 01:39 PM

Are there any file extensions appended to your files...such as .ecc, .ezz, .exx, .zzz, .xyz, .aaa, .abc, .CTBL, .CTB2, .XTBL, .encrypted, .vault, .HA3, .toxcrypt or 6-7 length extension consisting of random characters?

Check your documents folder for an image the malware typically uses for the background note. Check the C:\ProgramData (or C:\Documents and Settings\All Users\Application Data) for a random named .html, .txt, .png, .bmp, .url file.

These are some examples.
HELP_DECRYPT.TXT, HELP_DECRYPT.HTML, HELP_DECRYPT.URL, HELP_DECRYPT.PNG
HELP_TO_DECRYPT_YOUR_FILES.bmp, HELP_TO_DECRYPT_YOUR_FILES.txt, HELP_RESTORE_FILES.txt
HELP_TO_SAVE_FILES.txt, HELP_TO_SAVE_FILES.bmp, RECOVERY_KEY.txt, DecryptAllFiles.txt
DECRYPT_INSTRUCTION.TXT, DECRYPT_INSTRUCTION.HTML, DECRYPT_INSTRUCTION.URL
HOW_TO_DECRYPT_FILES.txt, How_To_Recover_Files.txt, About_Files, encryptor_raas_readme_liesmich.txt
DecryptAllFiles_<user name>.txt, DecryptAllFiles_******.txt file (where * is 6-7 random characters)
RECOVERY_FILES.html, RECOVERY_FILES.txt, Recovery_File_*****.html, Recovery_File_*****.txt
restore_files_*****.html, restore_files_*****.txt (where ***** are random characters)

Once you have identified which particular ransomware you are dealing with, I can direct you to the appropriate discussion topic for further assistance.

Another option is to download and run IDTool created by Nathan Scott (DecrypterFixer), a BleepingComputer Security Colleague. IDTool is a small utility that scans certain files, folders, registry keys and signatures of a system for evidence (known flags) of various crypto malware which helps identify what kind of ransomware infection you are dealing with. The tool will provide a list or text generated report of what was found and then provide the correct support links where you can receive assistance with that specific ransomware.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click the donation button.
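The identification steps in this post (look for one of the listed appended extensions, for a 6-7 character random suffix, or for one of the listed ransom-note file names) can be run over a folder tree instead of by eye. The scanner below is an added example written for this thread; it is not IDTool or any other BleepingComputer tool. It also recognises the shape of the original poster's sample name, `.id-<digits>_<mailbox>@mail`, which is inferred from that single example. The sample tree it builds is constructed, and the list of "ordinary" document extensions used to decide whether a 6-7 character suffix is suspicious (so that `movie.torrent` is not flagged) is an assumption.

```python
"""Name-based ransomware triage built from the indicators listed in this post.
Added example, not part of the thread or of any BleepingComputer tool."""
import fnmatch
import os
import re
import tempfile
from pathlib import Path

# Extensions the post names as appended by ransomware of that era.
KNOWN_RANSOM_EXTS = {
    ".ecc", ".ezz", ".exx", ".zzz", ".xyz", ".aaa", ".abc", ".ctbl", ".ctb2",
    ".xtbl", ".encrypted", ".vault", ".ha3", ".toxcrypt",
}

# Assumption: a random 6-7 character suffix only counts when it follows one of
# these ordinary document/picture extensions (keeps ".torrent" and friends quiet).
DOC_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".doc", ".docx", ".xls", ".xlsx",
            ".pdf", ".txt", ".ppt", ".pptx"}

# Ransom note names from the post; '*' stands for the random characters it mentions.
RANSOM_NOTE_GLOBS = [
    "help_decrypt.*", "help_to_decrypt_your_files.*", "help_restore_files.txt",
    "help_to_save_files.*", "recovery_key.txt", "decryptallfiles*.txt",
    "decrypt_instruction.*", "how_to_decrypt_files.txt", "how_to_recover_files.txt",
    "about_files", "encryptor_raas_readme_liesmich.txt", "recovery_files.*",
    "recovery_file_*.*", "restore_files_*.*",
]

# Shape of the OP's sample (CIMG1143.JPG.id-9737394708_help2015@mail):
# original name, ".id-" + digits, "_" + mailbox, "@" + domain. Inferred from that one sample.
OP_STYLE = re.compile(r"^(?P<orig>.+\.[a-z0-9]{2,5})\.id-\d+_[^\\/@]+@\S+$", re.IGNORECASE)
RANDOM_EXT = re.compile(r"^[a-z0-9]{6,7}$")


def classify_name(name: str):
    """Return (reason, probable original name) or None if the name looks normal."""
    lower = name.lower()
    m = OP_STYLE.match(name)
    if m:
        return ("id/email suffix", m.group("orig"))
    root, ext = os.path.splitext(lower)
    if ext in KNOWN_RANSOM_EXTS:
        return (f"known ransomware extension {ext}", name[:len(root)])
    inner_ext = os.path.splitext(root)[1]
    if RANDOM_EXT.match(ext[1:]) and inner_ext in DOC_EXTS:
        return (f"random-looking extension {ext}", name[:len(root)])
    return None


def is_ransom_note(name: str) -> bool:
    """True if the file name matches one of the note names from the post."""
    lower = name.lower()
    return any(fnmatch.fnmatchcase(lower, g) for g in RANSOM_NOTE_GLOBS)


def scan_tree(root):
    """Walk a directory; return {'renamed': [(path, reason, original)], 'notes': [path]}."""
    hits = {"renamed": [], "notes": []}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            full = os.path.join(dirpath, fname)
            if is_ransom_note(fname):
                hits["notes"].append(full)
            verdict = classify_name(fname)
            if verdict:
                hits["renamed"].append((full, verdict[0], verdict[1]))
    return hits


def demo():
    """Build a constructed sample tree in a temp dir, scan it, return stable relative results."""
    with tempfile.TemporaryDirectory() as tmp:
        samples = [
            "Pictures/CIMG1143.JPG.id-9737394708_help2015@mail",  # the OP's sample name
            "Pictures/CIMG1144.JPG",                              # untouched picture
            "Documents/budget.xlsx.ecc",                          # extension from the post's list
            "Documents/thesis.docx.kf3xz9q",                      # 7 random characters appended
            "Downloads/movie.torrent",                            # 7-character but legitimate
            "ProgramData/HELP_DECRYPT.TXT",                       # note name from the post
            "ProgramData/restore_files_ab12c.html",               # note name with random part
        ]
        for rel in samples:
            p = Path(tmp, rel)
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_bytes(b"sample")
        hits = scan_tree(tmp)

        def rel(p):
            return os.path.relpath(p, tmp).replace(os.sep, "/")

        return {
            "renamed": sorted((rel(p), r, o) for p, r, o in hits["renamed"]),
            "notes": sorted(rel(p) for p in hits["notes"]),
        }


if __name__ == "__main__":
    for kind, items in demo().items():
        print(kind)
        for item in items:
            print("  ", item)
```

Run it against `scan_tree(r"C:\Users")` or a Documents folder to get the two lists the post asks for; the probable original name in each "renamed" hit is only a guess from the name and says nothing about whether the content is still intact.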

#3 Xdivermkv

Xdivermkv
  • Topic Starter

  • Members
  • 21 posts

Posted 23 September 2015 - 03:31 PM

Hi - Nope. Nothing like that at all. Only problematic file extensions are as described in my original post. No strange images or URLs. Very frustrating. Thank you so much for considering this.


Edited by Xdivermkv, 23 September 2015 - 03:40 PM.


#4 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 52,082 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 23 September 2015 - 03:38 PM

You're welcome and good luck.

#5 Didier Stevens

Didier Stevens

  • BC Advisor
  • 2,752 posts
  • Gender:Male

Posted 23 September 2015 - 03:53 PM

Hi All

 

New to these parts and even navigating the forum is daunting! Many of my document and picture files appear to have been changed along lines which are obvious from this example - CIMG1143.JPG.id-9737394708_help2015@mail. System calls it a BG file. Obviously this prevents me from opening them. I haven't seen any "ransom note" although McAfee has had to clean a few things out lately. I restored my XP system and it seems to work ok with McAfee coming up clean on each sweep. But I still can't open my files. Any ideas? Any help very gratefully received.

 

That filename you gave starts with CIMG1143.JPG. Have you tried changing the extension to JPG and then view the picture?


Didier Stevens
http://blog.DidierStevens.com
http://DidierStevensLabs.com

SANS ISC Senior Handler
Microsoft MVP 2011-2016 Consumer Security, Windows Insider MVP 2016-2019

 

If you send me messages, per Bleeping Computer's Forum policy, I will not engage in a conversation, but try to answer your question in the relevant forum post. If you don't want this, don't send me messages.

 

Stevens' law: "As an online security discussion grows longer, the probability of a reference to BadUSB approaches 1.0"


#6 White Hat Mike

White Hat Mike

  • Members
  • 312 posts
  • Gender:Male
  • Location:::1

Posted 24 September 2015 - 01:47 PM

Hi - Nope. Nothing like that at all. Only problematic file extensions are as described in my original post. No strange images or URLs. Very frustrating. Thank you so much for considering this.

 

Can you find the malware dropper? The executable file that delivers the malware. It is commonly found within the following directories:

%Temp%
%LocalAppData%
%AppData%\Roaming
%ProgramData%


Information Security Engineer | Penetration Tester | Forensic Analyst

CipherTechs.com


#7 Xdivermkv

Xdivermkv
  • Topic Starter

  • Members
  • 21 posts

Posted 24 September 2015 - 05:41 PM

Hi Guys

 

Yeah, changing the file type was the first thing I tried. No luck. I don't know what this BG file thing is under filetype, but it's no longer a JPEG, or accessible as such. Can't find an obvious malware dropper. Is this a possible registry fault, or do you think it's definitely an infection of some sort? No one in my IT dept at work has ever seen this happen.

 

Thanks again to all who reply.



#8 Didier Stevens

Didier Stevens

  • BC Advisor
  • 2,752 posts
  • Gender:Male

Posted 25 September 2015 - 03:54 AM

I don't think it's a registry problem.

It would be useful to see the content of the files.
Start notepad, and drag and drop one of the "jpeg" files into notepad.
See if you find any readable text.
If you want you can post a screenshot of your notepad window, but make sure that the start of the file is displayed.



#9 Xdivermkv

Xdivermkv
  • Topic Starter

  • Members
  • 21 posts

Posted 26 September 2015 - 03:54 AM

Hi All - Sadly the editor won't let me insert a screenprint for some reason. But the start of a jpeg's code in Notepad looks like this (although how you can decipher this is beyond me!). Once again, thanks - you guys are legends for taking the time to look at it:

0u B1Ç Ó6b¼"Z¥¶gJgÈT¤z;ÔC
®I-yd
jQ\~ýÚM&FØ×îîÜZtÚ281k`zbhä´KÊöÔÊE5V»cÀWL³D£µ[3h»¦%µý(OÙE%q8µY2ënª
3M¨+ÈS;}+V¯K²$
ðlt¹ï&%"2å-I¨á:Ó[<@Ç·ý.^Õ¬Ê^Âצmd"%ìVå{!&pw{ õòü¼¡½ë£ûÂùí¶³Õîx½ý)?ðÛ0«);§QâS[ 0mY´ÿIsøms
®Ü²Aù²³a4VYÇ
£"­åVOÈw´64ËäêIO£Aª§á<@"¶0ǾÜNyýøBKq¼4VïqÏàKÖ1ߎýº¶
É48jB{8jKõÑ¥b11ÚÖ6|±f*¦ãµhܳm§7J±J Ñ«MæáÉH`Xrígn~л=5·Q. ß£LÉ
ããèá1¡À óö"§üu2[}æ×l»U¾m»oþ¾) ÿ!ûR´F&:èî~i8aG r 3}ÙJÈõô7DÈ%~{óô£ymýR{>L¿DEp_Áii¤J{u«¸ëÏ# 7ß.EÏCrヲÇT ,åþ QŽæ2wswVv
Iíã{:àÚrÝXhe
ÁùþfKOSt]ãßSåp±½k0«pUóaGÿ °{(dE@ Wíù+±z'÷l9§¼zæü^ÇÇwÖÁK|¯¸,pŽD>Ùnñä7&M ¶0,lØ+éï) ¡WžÞ³¬(v¸Y6#bÈS6~þÞ'f¥EtÁB ÆÄT¯Î.SsÃåûT "yL:±áºJI¾þ.Qïö"ühßÍBl,ØUx]î9ñP®ø/MŽk¾iðü
t ¼Äº,¸gã(Mõuk²¡ã+4«§îxÚ7l19Õ«3+Z°)-?αH²Â:b(lÏÞ¾Ê/°zBØã\¾Q÷`Á× áiŽ¦»ØS!´ô´ÌAи
.èñXÇ>nÕžÞé¿¿á,Á¯úÐ0­Tçå»="IÀ: ìe¨[êªc¹½rpB?-(Ö@%{r Eº'äßô×·®îLÁI7½O¹Îܹ¢Í,Ib:3Ť)uk´{Î[h×õwHLú( 'íSȪÊQá¡Ý ÙºðyjíÇ Æà#|;¹oA&Ü]7Ñ;fec@±E7j.
ÄLkôÉuàsvlèØ~ëP¡Li¨¦sÊÊ«ôZ´³KñC_yû ~©þK4¯žg¡â±¿S7¤ù-BîüÕ](@ãsSªÀE¾ë\ÔcÞ¸7žŽ5À^Íe:¼Ó7Ñ­QÎ_þ|Y¹v¡ÕJ¥F1r]3®áÎ8R
«XtyÁQPn7Çð¾Õv'M¤ó3ÂÙ}ÖÈë[¢¥Ã¥»òMáV~ÉûQd?Ä.ªµ*ê£` »rö^<X{µé,<X£òG<ß¡«"¼÷1ìðKÛ÷ÚûN+.¤8j;)\Q:ï`Ï{ùý qó\µ*`ò©_7¦¬ümh;páùGžSâ SBŽäSXÇ(_°§TKÀÿ¹×7 Í
y¾A²ð3mxÄË^)%úi¡­m
bZ«¤w1* ûUh3k¬¥ôlÖ Sa4MÒDAK+²¼v¨¸çC.½$mt!ø
?ž§òè2÷w½sÛ¦Þ5[´©Ô¸b7d}`BuÀ/ÎÔ
±ÞÇ ñV¡¦e
o× z,=SÞà©´çwÔÓ} sHO®wW¹j}óËíj£°=`ÏHÇkHmÜÈZm3L=i²Ä(^êFY6® þJ\>á4¬KÏéVýÉP¶&*)`lìø!Ë `zoè±÷Å×Ý×
]?JÑDÃ^¹{É¿LCßptX­°ºr ë"k
äÅ>£÷ݨ.Mæt nÐ.ð´~è3Uß\wö|ÿúË6 ³_/IÏQ®¤6Íxª`¹uüžÄ+z¹
ÚSì®´\ÿµ¶Ê#$cž!1JÊ«¡±2вXÚátÁÈ Nfd¸ÓÁßgûÆåÞ´P$lËÍ ÔÃæ«ËçmÀØö¿yoaç?êrïiþE!íÜôÑôgL:žhËla%×Vž[Wõ:å.;ÝðüõÀ ;ÐuÄYoæòÎØìž¡5 µ¨µZßzÌþº×²Ä%IV
!

Edited by Xdivermkv, 26 September 2015 - 03:55 AM.


#10 Didier Stevens

Didier Stevens

  • BC Advisor
  • 2,752 posts
  • Gender:Male

Posted 26 September 2015 - 04:15 AM

It's not a JPEG file. A JPEG file starts with: ÿØÿà JFIF

 

Second reason why I wanted you to check the content: to see if it contains a ransom message. But that's not the case.

 

If you have one of these "pictures" that is not private or confidential, would you agree to upload it to virustotal.com and report the link of the analysis back here?

Then I can have a look.




#11 Xdivermkv

Xdivermkv
  • Topic Starter

  • Members
  • 21 posts

Posted 26 September 2015 - 03:20 PM

The worry is that they USED to be JPEG files. These are not confidential files - Just family photos. I'd be happy to upload one. I'll get back when it's done. Thanks!



#12 Xdivermkv

Xdivermkv
  • Topic Starter

  • Members
  • 21 posts

Posted 26 September 2015 - 04:13 PM

https://www.virustotal.com/en-gb/file/0afbc558055edbddedbe3899934a7110f50a762e881110aa1c43360a0be1f7f0/analysis/1443301897/

 

Comes up clean!



#13 Didier Stevens

Didier Stevens

  • BC Advisor
  • 2,752 posts
  • Gender:Male

Posted 27 September 2015 - 10:27 AM

Good news for you. I was able to recover a picture from the file you uploaded to VirusTotal. A man holding 2 dogs.

 

I would like you to check this picture, to see if it's one of your missing pictures. Is it OK for you if I post the picture (I'll black out the face of the man)?


Edited by Didier Stevens, 27 September 2015 - 10:33 AM.



#14 Xdivermkv

Xdivermkv
  • Topic Starter

  • Members
  • 21 posts

Posted 27 September 2015 - 11:23 AM

Hi Didier

 

That is fantastic news and one in the eye for the vandals. Where is the recovered pic? I don't know how to access it on here? I don't know exactly what pic I sent, but it sounds familiar. Thanks, man.



#15 Xdivermkv

Xdivermkv
  • Topic Starter

  • Members
  • 21 posts

Posted 27 September 2015 - 11:24 AM

Oh - & if it is recovered, tell me how to do it and you can use the picture as you will. My wife will be really happy.


