
Bit Locker Ransomware Support & Help Topic


19 replies to this topic

#1 Strop1957 (Members, 2 posts)

Posted 19 October 2015 - 12:10 AM

Hi,

I have been hit by what appears to be a new type of ransomware.

It has removed all data files from the C: drive and turned BitLocker on for my external hard drive (when I try to access it I am asked for a BitLocker password).

It has no ransom splash screen, just a readme file; contents below.
 
Hello there.


I would like to tell you first I'm sorry about that. Your documents, files, databased most are in original places or some moved to your local data. If you want to regain access to your local disk, all your files, documents, etc please send 1 BTC (Bitcoin) to this address: 18jAZHhC8uy13n2Ym7YTTmTBfr9r8tivDM as fast as you can and email me at sociopatii@yahoo.com If you dont know what bitcoin is, please ask me for bitcoin website that you can buy it fast or search on google for a local Bitcoin shop or ATM and transfer 1 BTC to this address: 18jAZHhC8uy13n2Ym7YTTmTBfr9r8tivDM

It's not my fault if you are try to format disk and lose all. Here are only one way to get all back and regain access to your local hard disk drive and this way is to send 1 Bitcoin to this address: 18jAZHhC8uy13n2Ym7YTTmTBfr9r8tivDM

It's just business not trying to get your money and then to not give to you the bitlocker password. Waiting for your reply to my email address ( sociopatii@yahoo.com ) if you wanna get the bitlocker password. Thanks

 
I have not found any way to gain access to my external hard drive.
 
John

Edited by quietman7, 13 July 2016 - 02:42 PM.
Moved to more appropriate forum. ~ OB



#2 techiemoore (Members, 8 posts)

Posted 21 October 2015 - 04:18 PM

This just happened to me too.

I would REALLY like to know how to prevent this from happening again.



#3 quietman7 (Bleepin' Janitor, Global Moderator, 49,952 posts, Virginia, USA)

Posted 24 October 2015 - 08:24 AM

Are there any file extensions appended to your files?

Did the readme file have a name?
.
.
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Microsoft MVP Reconnect 2016
Windows Insider MVP 2017
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#4 quietman7 (Bleepin' Janitor, Global Moderator, 49,952 posts, Virginia, USA)

Posted 24 October 2015 - 08:27 AM

This just happened to me too.
I would REALLY like to know how to prevent this from happening again.

The best defensive strategy to protect yourself from malware and ransomware (crypto malware) infections is a comprehensive approach...make sure you are running an updated anti-virus and anti-malware product, update all vulnerable software, disable VSSAdmin.exe, use supplemental security tools with anti-exploitation features capable of stopping (preventing) infection before it can cause any damage and routinely backup your data.

You should also rely on behavior detection programs like McAfee Real Protect rather than standard anti-virus definition (signature) detection software only. This means using programs that can detect when malware is in the act of modifying/encrypting files AND stop it rather than just detecting the malicious file itself, which in most cases is not immediately detected by anti-virus software.

...Prevention before the fact is the only guaranteed peace of mind on this one.

How do I decrypt files encrypted by ransomware?

Finally back up, back up, back up. Backing up data and disk imaging are among the most important maintenance tasks users should perform on a regular basis, yet it's one of the most neglected areas.
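Added here as an editor's example, not code from quietman7 or any other poster. The cases in this thread are not a file-encrypting trojan but someone with a logon session (over RDP, as reported later in the thread) turning BitLocker on for an attached drive with a password the owner does not have. So, alongside the general advice above, the two things worth checking on a Windows 8 / Server 2012 or later host are whether RDP is reachable and what actually protects each BitLocker volume. The subnet restriction applied by the hardening function is an assumption (management from the LAN or a VPN); the export path for recovery keys is the caller's choice and must be off the host.

```powershell
# Added example (not from the thread): audit RDP exposure and BitLocker
# protector state, then optionally harden RDP. Run in an elevated session.
#Requires -RunAsAdministrator

function Get-RdpExposure {
    # fDenyTSConnections = 0 means Remote Desktop is enabled.
    # UserAuthentication = 1 means Network Level Authentication is required,
    # which keeps unauthenticated clients off the logon screen.
    $ts   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $deny = (Get-ItemProperty -Path $ts -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
    $nla  = (Get-ItemProperty -Path "$ts\WinStations\RDP-Tcp" -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication
    $rules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound -Enabled True -ErrorAction SilentlyContinue
    # Remote scope of the inbound rules: 'Any' means every address may reach 3389
    # if the host is port-forwarded or directly addressable from the internet.
    $scope = $rules | Get-NetFirewallAddressFilter | ForEach-Object RemoteAddress | Sort-Object -Unique
    [pscustomobject]@{
        RdpEnabled      = ($deny -eq 0)
        NlaRequired     = ($nla -eq 1)
        ListeningOn3389 = [bool](Get-NetTCPConnection -LocalPort 3389 -State Listen -ErrorAction SilentlyContinue)
        InboundRules    = @($rules).Count
        RemoteScope     = ($scope -join ',')
    }
}

function Get-BitLockerExposure {
    # One row per volume: status, protector types, and whether a password is the
    # only key. A fully encrypted data volume whose only protector is a password
    # you never set is exactly what the posters in this thread found.
    Get-BitLockerVolume | ForEach-Object {
        $types = @($_.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
        [pscustomobject]@{
            MountPoint       = $_.MountPoint
            VolumeStatus     = $_.VolumeStatus
            ProtectionStatus = $_.ProtectionStatus
            Protectors       = ($types -join ',')
            PasswordOnly     = ($types -contains 'Password' -and $types -notcontains 'RecoveryPassword')
            RecoveryPassword = (@($_.KeyProtector |
                                  Where-Object { $_.KeyProtectorType.ToString() -eq 'RecoveryPassword' } |
                                  ForEach-Object RecoveryPassword) -join ';')
        }
    }
}

function Export-BitLockerRecoveryKeys {
    # Writes the recovery passwords YOU control to $Path. Assumption: $Path is on
    # removable media or a remote share; a key stored on the volume it unlocks
    # is worthless once that volume is locked.
    param([Parameter(Mandatory)][string]$Path)
    Get-BitLockerExposure | Where-Object RecoveryPassword |
        Select-Object MountPoint, RecoveryPassword |
        Export-Csv -Path $Path -NoTypeInformation
}

function Invoke-RdpHardening {
    param(
        # Assumption: administration happens from the LAN or over a VPN, so the
        # inbound RDP rules are scoped to the local subnet. Use -Disable if RDP
        # is not needed at all.
        [string[]]$AllowedRemoteAddress = @('LocalSubnet'),
        [switch]$Disable
    )
    $ts = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    if ($Disable) {
        Set-ItemProperty -Path $ts -Name fDenyTSConnections -Value 1
        Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'
        return
    }
    Set-ItemProperty -Path "$ts\WinStations\RDP-Tcp" -Name UserAuthentication -Value 1
    Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound |
        Set-NetFirewallRule -RemoteAddress $AllowedRemoteAddress
}

# Usage: audit first, then harden, then escrow keys somewhere off the host.
Get-RdpExposure
Get-BitLockerExposure | Format-Table -AutoSize
# Invoke-RdpHardening                      # NLA on, inbound RDP limited to LocalSubnet
# Export-BitLockerRecoveryKeys -Path 'E:\bitlocker-keys.csv'   # E: assumed removable
```

A volume that reports PasswordOnly with a password you never created cannot be unlocked without that password; there is no vendor back door, and disk-recovery tools operate below the encryption layer and see only ciphertext. The point of the export is that a recovery password you already hold is the only thing that makes a BitLocker volume recoverable when the other protector is lost or, as here, set by someone else.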

#5 dannyboy950 (Members, 1,338 posts, Port Arthur, TX)

Posted 24 October 2015 - 05:16 PM

I was reading some papers on this the other day. Most of these people really are not interested in your data at all. They do not try to break your encryption, only gain control of the right to change your encryption key to something they know and you do not. Or encrypt unencrypted data to something they know.

Breaking data encryption is very difficult and expensive; they are out to make the easy quick money. Mainframes or supercomputers would be required. Not that the bad guys do not have access to mainframes and even supercomputers.

One of the side benefits of a bot-net is you basically create a supercomputer if your bot net is big enough.


HP 15-f009wm notebook AMD-E1-2100 APV 1Ghz Processor 8 GB memory 500 GB Hdd

Linux Mint 17.3 Rosa Cinamon


#6 cmorin543 (Members, 3 posts)

Posted 27 October 2015 - 02:26 AM

Hello,

 

I just found this same issue with one of my computers. I have a file/print server at home with remote access. I logged onto it today to find one of the partitions of an external drive locked with BitLocker and a TXT document on the desktop containing the following:

Hello there.

I would like to tell you first I'm sorry about that. Your documents, files, databased most are in original places or some moved to your local data. If you want to regain access to your local disk, all your files, documents, etc please send 1 BTC (Bitcoin) to this address: 1PFkYtDbxQRTv8Xse77u7wYG5bht8QB6e2 as fast as you can and email me at cage1@gmx.us If you dont know what bitcoin is, please ask me for bitcoin website that you can buy it fast or search on google for a local Bitcoin shop or ATM and transfer 1 BTC to this address: 1PFkYtDbxQRTv8Xse77u7wYG5bht8QB6e2 
 
It's not my fault if you are try to format disk and lose all. Here are only one way to get all back and regain access to your local hard disk drive and this way is to send 1 Bitcoin to this address: 1PFkYtDbxQRTv8Xse77u7wYG5bht8QB6e2 
 
It's just business not trying to get your money and then to not give to you the bitlocker password. Waiting for your reply to my email address ( cage1@gmx.us ) if you wanna get the bitlocker password. Thanks for your time!


#7 CodeSmasha (Banned, 524 posts)

Posted 27 October 2015 - 05:53 PM

The same message only this time with a different email.



#8 balcobulls (Members, 3 posts)

Posted 27 October 2015 - 06:37 PM

Now I am guessing that if you are talking about BitLocker you are looking at total disk encryption. I do not know if this will help at all, but just in case: if this kind individual who encrypted your drive moved files from other areas that you can get to, when these files are being encrypted the files are "deleted" and then encrypted/copied to the encrypted disk. Now, if the pointer was just removed when it was "deleted," try to recover them using partition recovery and deleted file recovery applications.

 

If you get bored, try finding a .onion email address with the same name, then follow some message boards and see if you can find a sociopatii or cage1. Occasionally, if you put effort into finding the dude directly, they will be kind and they rewind.

 

Sorry about your losses....backups backups backups. 

 

If you think about hacking back and you need some advice I will absolutely not condone the act, however, for "educational" purposes I will share what I know.



#9 cmorin543 (Members, 3 posts)

Posted 29 October 2015 - 02:25 AM

It appears the person accessed my computer via RDP and just Bitlocked an external drive I had connected to the computer just for data storage. Unfortunately, this was my "backup" drive. I tried looking around for these user names (sociopatii and cage1) with no luck. As I type, a disk image is being created of the drive; once again, unfortunately, it is a 2 TB drive, so this may take some time. I found some software that uses that disk image and can perform a brute-force style procedure to eventually (hopefully) regain access to my data... a big hopefully...

 

As for your offer, though I would love to avenge the potential loss of my data, I am more of a break/fix type of tech guy and have never ventured into the realm of hacking for "educational" purposes ;-)


Edited by cmorin543, 29 October 2015 - 02:26 AM.
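Added here as an editor's example, not code from cmorin543 or anyone else in the thread. Post #9 says the attacker came in over RDP and turned BitLocker on for an attached drive; the next post asks whether RDP was enabled at the time. Those are questions the host's own event logs answer. This script pulls remote-interactive logons from the Security log (event 4624 with LogonType 10), failed logons grouped by source address (event 4625, since the thread does not say how the attacker obtained a logon and a large count from one address is the usual sign of password guessing), and BitLocker management events, then lists which RDP sessions preceded each encryption event. The text match on the BitLocker log is an assumption: message wording and event IDs in that log vary by Windows build, so the filter is deliberately loose. Run elevated on the affected host; the Security log must not have been cleared or rolled over.

```powershell
# Added example (not from the thread): correlate RDP logons with BitLocker
# encryption events after an intrusion like the one described in post #9.
#Requires -RunAsAdministrator

function ConvertFrom-EventData {
    # Flattens the <EventData><Data Name="..."> pairs of an event into a hashtable.
    param([System.Diagnostics.Eventing.Reader.EventLogRecord]$Event)
    $d = @{}
    foreach ($n in ([xml]($Event.ToXml())).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    $d
}

function Get-RdpLogons {
    param([datetime]$Since = (Get-Date).AddDays(-30))
    # LogonType 10 = RemoteInteractive (RDP). With NLA a type-3 logon precedes it;
    # type 10 is the session that actually reached the desktop.
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $d = ConvertFrom-EventData $_
            if ($d['LogonType'] -eq '10') {
                [pscustomobject]@{
                    Time     = $_.TimeCreated
                    User     = '{0}\{1}' -f $d['TargetDomainName'], $d['TargetUserName']
                    SourceIp = $d['IpAddress']
                    LogonId  = $d['TargetLogonId']
                }
            }
        }
}

function Get-FailedLogonsBySource {
    param([datetime]$Since = (Get-Date).AddDays(-30))
    # 4625 = failed logon. Grouped by source address; the top entries are the
    # candidates for a brute-force origin.
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object { (ConvertFrom-EventData $_)['IpAddress'] } |
        Group-Object | Sort-Object Count -Descending | Select-Object Count, Name
}

function Get-BitLockerEncryptionEvents {
    param([datetime]$Since = (Get-Date).AddDays(-30))
    # Assumption: matching on message text rather than a hard-coded event ID,
    # because the IDs and wording in this log differ between Windows builds.
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-BitLocker/BitLocker Management'; StartTime = $Since } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'encrypt' } |
        Select-Object TimeCreated, Id, @{ n = 'Message'; e = { ($_.Message -split "`n")[0] } }
}

function Get-EncryptionTimeline {
    param([datetime]$Since = (Get-Date).AddDays(-30), [int]$WindowHours = 12)
    # For each encryption event, list the RDP sessions opened in the preceding
    # window; the user and source address of those sessions are the lead.
    $logons = @(Get-RdpLogons -Since $Since)
    foreach ($ev in Get-BitLockerEncryptionEvents -Since $Since) {
        $prior = $logons | Where-Object {
            $_.Time -le $ev.TimeCreated -and $_.Time -ge $ev.TimeCreated.AddHours(-$WindowHours)
        }
        [pscustomobject]@{
            EncryptionEvent   = $ev.TimeCreated
            Message           = $ev.Message
            RdpSessionsBefore = (($prior | ForEach-Object {
                '{0} {1} from {2}' -f $_.Time.ToString('s'), $_.User, $_.SourceIp }) -join '; ')
        }
    }
}

# Usage: who was guessing, who got in, and what they did to the volumes.
Get-FailedLogonsBySource | Select-Object -First 10 | Format-Table -AutoSize
Get-RdpLogons | Format-Table -AutoSize
Get-EncryptionTimeline | Format-List
```

If the session that precedes the encryption event belongs to a legitimate account, that account's password is compromised and should be treated as such on every host where it was reused. Save the Security and BitLocker logs (`wevtutil epl`) before any cleanup, since they are the only record of when the volume was encrypted and from where.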


#10 CodeSmasha (Banned, 524 posts)

Posted 29 October 2015 - 05:16 AM

Was RDP enabled when this happened? Also I heard some people getting infected by it using HMA VPN.


Edited by CodeSmasha, 29 October 2015 - 05:18 AM.


#11 Razvan00 (Members, 3 posts)

Posted 30 October 2015 - 01:54 PM

Hello, I just got all my files encrypted by ransomware. I heard that if I post an encrypted file here you can test it and search for keys for it.

I really need the files and I will really appreciate the help.



#12 RolandJS (Members, 4,293 posts, Austin TX metro area)

Posted 30 October 2015 - 02:06 PM

Check with Nathan; I'm wondering if Stellar data recovery might be helpful here. Stellar software works with encrypted hard drives. What I do not know and what Nathan can clarify: can Stellar possibly help make the recovery process a little easier?


"Take care of thy backups and thy restores shall take care of thee."  -- Ben Franklin revisited.

http://collegecafe.fr.yuku.com/forums/45/Computer-Technologies/

Backup, backup, backup! -- Lady Fitzgerald (sevenforums)

Clone or Image often! Backup, backup, backup, backup... -- RockE (Windows Secrets Lounge)


#13 Razvan00 (Members, 3 posts)

Posted 30 October 2015 - 02:43 PM

I don't know if a program may help because the files are encrypted with the hacker's code.



#14 RolandJS (Members, 4,293 posts, Austin TX metro area)

Posted 30 October 2015 - 02:48 PM

I don't know if a program may help because the files are encrypted with the hacker's code.

I was hoping that if the hacker only tail-ended the code in each file, Stellar could pull the real stuff out of the hacked files.




#15 Razvan00 (Members, 3 posts)

Posted 30 October 2015 - 02:56 PM

Thank you for the help but I really don't know what to do. 


