Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Crypto malware with a twist

  • Please log in to reply
2 replies to this topic

#1 Justintd


  • Members
  • 1 posts
  • Local time:11:35 AM

Posted 18 November 2015 - 07:41 AM

I work for a relatively large IT consulting firm in Connecticut. Recently we have seen a rash of malware which is somehow injecting himself on other computers. The affected machines have a user profile that is created at the same date and time and injected with multiple forms of malware including the crypto virus is as well as several keyloggers. The profile which is created is the same as the initial infection. So if user Bob got infected, his profile would suddenly show up on all the other machines at the same Date and timestamp. Any thoughts on what this might be? I have done some research and not found much

Edited by Orange Blossom, 20 November 2015 - 01:45 AM.
Moved to more appropriate forum. ~ OB

BC AdBot (Login to Remove)


#2 quietman7


    Bleepin' Janitor

  • Global Moderator
  • 51,773 posts
  • Gender:Male
  • Location:Virginia, USA
  • Local time:12:35 PM

Posted 20 November 2015 - 08:15 PM

:welcome: to Bleeping Computer.

There are an increasing number of crypto ransomware variants being released these days. Just look at our forums and the list here which I seem to be updating daily.

There have been reports that some victims have encountered crypto malware following a previous infection from one of several botnets (such as Zbot frequently used in the cyber-criminal underground) which downloads and executes the ransomware as a secondary payload from infected websites...see US-CERT Alert (TA13-309A). US-CERT also advises that some ransomware variants have the ability to find and encrypt files located within shared (or mapped) network drives, USB drives, external hard drives, network file shares and even some cloud storage drives.

It appears this is may be what you are encountering and the primary malware infection is most likely creating this new user profile.

Have you been able to identify the ransomware itself? Are there any file extensions appended to your files...such as .ecc, .ezz, .exx, .zzz, .xyz, .aaa, .abc, .ccc, .CTBL, .CTB2, .crinf, .XTBL, .encrypted, .vault, .HA3, .toxcrypt or 6-7 length extension consisting of random characters?

Did you find any ransom note? These infections are created to alert victims that their data has been encrypted and demand a ransom payment. Check your documents folder for an image the malware typically uses for the background note. Check the C:\ProgramData (or C:\Documents and Settings\All Users\Application Data) for a randomly named .html, .txt, .png, .bmp, .url file.

These are some examples:
HOW_TO_DECRYPT_FILES.txt, How_To_Recover_Files.txt, About_Files.txt, encryptor_raas_readme_liesmich.txt
About_Files.txt, DecryptAllFiles_<user name>.txt, ReadDecryptFilesHere.txt
RECOVERY_FILES.txt, DecryptAllFiles_*******.txt (where * are 6-7 random characters)
Recovery_File_*****.txt, restore_files_*****.txt (where * are random characters)
recover_file_*****.txt, HOWTO_RESTORE_FILES_*****.txt (where * are random characters)
howto_recover_file_*****.txt, _how_recover_*****.txt (where * are random characters)

Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#3 Didier Stevens

Didier Stevens

  • BC Advisor
  • 2,720 posts
  • Gender:Male
  • Local time:06:35 PM

Posted 21 November 2015 - 07:35 AM

Did you submit the sample to ViusTotal?

Didier Stevens

SANS ISC Senior Handler
Microsoft MVP 2011-2016 Consumer Security, Windows Insider MVP 2016-2019


If you send me messages, per Bleeping Computer's Forum policy, I will not engage in a conversation, but try to answer your question in the relevant forum post. If you don't want this, don't send me messages.


Stevens' law: "As an online security discussion grows longer, the probability of a reference to BadUSB approaches 1.0"

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users