Identifying this version of Cryptowhatever


  • This topic is locked
3 replies to this topic

#1 Cinara

Posted 23 October 2015 - 02:06 PM

So a client got a crypto variant on a computer that was not being backed up. Right now I am having issues identifying the version they got. It came in an email claiming to be an invoice and was a .zip file. They have DECRYPT_INSTRUCTIONS.html, which is a very plain HTML page with an onion.nu link and an alternate TOR link plus instructions. It wants 2 BTC for payment. None of the files have their extensions changed from what I can see. What is the best way to identify this version to see if there's a solution besides payment (unlikely, I know)?

 

EDIT: There is an xyz.ps1 file that seems to be the source of the encryption.


Edited by Cinara, 23 October 2015 - 02:42 PM.




#2 White Hat Mike

Posted 23 October 2015 - 05:21 PM


DECRYPT_INSTRUCTION (singular) or DECRYPT_INSTRUCTIONS (plural)?

 

I ask because "DECRYPT_INSTRUCTION" is a known ransom note file name utilized by an older version of the CryptoWall family of ransomware, CryptoWall 2.0. While I want to state that that is the variant that your client was hit with, that single-letter difference in the ransom note file name (if it's DECRYPT_INSTRUCTIONS) may be indicative of an entirely different ransomware (not saying that ransom note naming conventions are unique to each variant, though).

 

Could you place the .ps1 file in a ZIP or RAR archive, password-protect the archive with the password "infected", and upload it to Mega, then send me a private message with the download URL?


Information Security Engineer | Penetration Tester | Forensic Analyst

CipherTechs.com


#3 Cinara (Topic Starter)

Posted 24 October 2015 - 01:21 AM

The files are DECRYPT_INSTRUCTION.html, no S. I have also sent you a PM with the link to the requested .ps1 file. Thanks for your help!



#4 quietman7 (Global Moderator)

Posted 24 October 2015 - 05:53 AM

As noted by White Hat Mike above...CryptoWall leaves files (ransom notes) named:
DECRYPT_INSTRUCTION.TXT
DECRYPT_INSTRUCTION.HTML
DECRYPT_INSTRUCTION.URL

A repository of all current knowledge regarding CryptoWall, CryptoWall 2.0 & CryptoWall 3.0 is provided by Grinler (aka Lawrence Abrams), in this topic: CryptoWall and DECRYPT_INSTRUCTION Ransomware Information Guide and FAQ

There are also ongoing discussions in these topics:

Rather than have everyone start individual topics, it would be best (and more manageable for staff) if you posted any more questions, comments or requests for assistance in one of those topic discussions after exchanging PMs. White Hat Mike is subscribed to them and can assist you further from there if necessary.

To avoid unnecessary confusion...this topic is closed.

Thanks
The BC Staff
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
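The identification step the two replies above describe (match the ransom note filename against known families, and treat a near-miss such as the plural DECRYPT_INSTRUCTIONS as "not yet identified" rather than CryptoWall) can be scripted for a first-pass triage of a copied profile or mounted image. The script below is an added example, not code from this thread or from BleepingComputer. The three CryptoWall note names come from quietman7's list; the plural entry, the sample directory tree, and the choice to SHA-256 every .ps1 found (so the hash can go in the private message alongside the password-protected archive, as White Hat Mike requested) are this example's own assumptions. It reads files only; it never executes the script it finds.

```python
import hashlib
import os
import tempfile
from collections import Counter
from pathlib import Path

# Ransom-note filenames named in the thread for CryptoWall (quietman7's list).
# The plural DECRYPT_INSTRUCTIONS entry is the near-miss White Hat Mike warned
# about: it is mapped to "unknown" so the script flags it instead of
# misattributing it to CryptoWall. Comparison is case-insensitive because NTFS is.
NOTE_NAMES = {
    "DECRYPT_INSTRUCTION.TXT": "CryptoWall",
    "DECRYPT_INSTRUCTION.HTML": "CryptoWall",
    "DECRYPT_INSTRUCTION.URL": "CryptoWall",
    "DECRYPT_INSTRUCTIONS.HTML": "unknown (plural note name, not CryptoWall's)",
}


def triage(root):
    """Walk `root` read-only and return (family_counts, note_dirs, scripts).

    family_counts: Counter of family labels, one increment per note file seen
    note_dirs:     directories that hold at least one note (rough blast radius)
    scripts:       {path: sha256} for every .ps1 found, the candidate dropper
    """
    family_counts = Counter()
    note_dirs = set()
    scripts = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            upper = name.upper()
            if upper in NOTE_NAMES:
                family_counts[NOTE_NAMES[upper]] += 1
                note_dirs.add(dirpath)
            elif upper.endswith(".PS1"):
                path = Path(dirpath) / name
                # Hash only; never run the script on the analysis box.
                scripts[str(path)] = hashlib.sha256(path.read_bytes()).hexdigest()
    return family_counts, note_dirs, scripts


def identify(family_counts):
    """Name the family only if every note seen maps to exactly one known family.

    Any "unknown" note, or notes from two families, returns None: the thread's
    point is that a one-letter difference in the note name should not be
    rounded off to the nearest known variant.
    """
    labels = set(family_counts)
    if any(label.startswith("unknown") for label in labels):
        return None
    return labels.pop() if len(labels) == 1 else None


def build_sample_tree(plural_name=False):
    """Constructed sample profile for the example; contains no real malware.

    With plural_name=True an extra folder carries the plural note name, which
    should make identify() refuse to name a family.
    """
    root = Path(tempfile.mkdtemp(prefix="triage_"))
    for sub in ("Documents", "Documents/Invoices", "Pictures"):
        d = root / sub
        d.mkdir(parents=True)
        (d / "DECRYPT_INSTRUCTION.html").write_text("<html>pay 2 BTC</html>")
        (d / "DECRYPT_INSTRUCTION.txt").write_text("pay 2 BTC")
    (root / "Documents" / "DECRYPT_INSTRUCTION.url").write_text("[InternetShortcut]")
    (root / "AppData").mkdir()
    # Stands in for the xyz.ps1 the original poster found; placeholder text only.
    (root / "AppData" / "xyz.ps1").write_text("# placeholder, not the real dropper")
    if plural_name:
        (root / "Downloads").mkdir()
        (root / "Downloads" / "DECRYPT_INSTRUCTIONS.html").write_text("<html>pay</html>")
    return root


if __name__ == "__main__":
    counts, dirs, scripts = triage(build_sample_tree())
    print("family:", identify(counts))
    print("notes per family:", dict(counts))
    print("directories with notes:", len(dirs))
    for path, digest in scripts.items():
        print("ps1 candidate:", path, digest)
```

Run it against a copy of the affected profile rather than the live machine, and treat a `None` result as "send the note and the .ps1 to an analyst" (as happened in this thread), not as evidence that no known family is involved.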



