Uniquekey@dr.com Ransomware Support Topic. Adds .crypt extension to files.


53 replies to this topic

#1 hasgalf

Posted 25 November 2015 - 11:03 AM

Hello Bleepingcomputer community:
 
I have a client that has been infected with a new variant of Crypto Ransomware.  We have searched general posts online and have yet to see anyone with a similar version.  Unlike previous versions, it adds a .crypt extension to the files that it encrypts.  Help_Decrypt files are added to Documents, Pictures, etc like older versions.  I will attempt to add a link to the banner showing how to retrieve files.  Any help on this new variant would be greatly appreciated!
https://onedrive.live.com/redir?resid=9DAFE0B54718D0E8!72486&authkey=!AOGPnquJ9hjrs0o&v=3&ithint=photo%2cJPG
 
Jason

Edited by quietman7, 25 November 2015 - 05:06 PM.
Moved from AII to 'General Security'



#2 quietman7


Posted 25 November 2015 - 05:04 PM


I have advised our Security Colleagues who specialize in crypto malware ransomware with a link to this topic.

Please submit a sample of an encrypted file here (http://www.bleepingcomputer.com/submit-malware.php?channel=3) with a link to this topic:

You can also submit samples of suspicious executables or any malware files that you suspect were involved in causing the infection. Doing that will be helpful with analyzing and investigating.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#3 hasgalf


Posted 25 November 2015 - 05:33 PM

As requested I have submitted an encrypted file example to the above link. Any additional information would be helpful!

Thanks again,

Jason



#4 quietman7


Posted 25 November 2015 - 06:22 PM

Not a problem. Grinler, the site owner of BC is already looking into it.

#5 screwloose


Posted 06 December 2015 - 03:35 AM

Were there any updates on this?



#6 quietman7


Posted 06 December 2015 - 08:14 AM

Unfortunately nothing yet.



#7 quietman7


Posted 06 December 2015 - 09:12 PM


Kaspersky Lab has a utility called ScatterDecryptor that restores files only if the utility contains a certain Trojan-Ransom.BAT.Scatter modification's secret key. As of now, the utility contains keys for the files with the following extensions: .crypt, .pzdc, .good.

#8 screwloose


Posted 07 December 2015 - 06:15 AM

I have the tools from the hacker if that helps.



#9 4ward


Posted 14 December 2015 - 08:21 AM

Anyone got an update? Our customer has just got hit with this and we are looking for a solution. Thanks



#10 4ward


Posted 14 December 2015 - 08:59 PM

Anyone know of a decryption service or anyone that can help me get my files back? We got a ransom of $5k and I would rather pay someone else to fix this problem.



#11 4ward


Posted 15 December 2015 - 08:05 AM

REWARD - we got hit with a virus that encrypted our files to .crypt

ScatterDecryptor utility does not work

I tried to start a new thread, but it got closed - http://www.bleepingcomputer.com/forums/t/599405/reward-we-got-hit-with-a-virus-that-encrypted-our-files-to-crypt/#entry3886525


Edited by 4ward, 15 December 2015 - 10:42 AM.


#12 Demonslay335


Posted 16 December 2015 - 06:47 PM

We have a customer that was hit with this as well. It is a bit misleading as to what it is. The filename "HELP_DECRYPT.txt" suggests CryptoWall 3.0, but the ".crypt" extension mirrors that of Scatter. It also seems like a cheap knock-off version. Our customer's was asking for only $100 ransom, but we still advised against it.

I've tried the Kaspersky tool and a few other ransomware crackers for fun, no luck. I don't know how to assess it further I'm afraid.

The ransom note reads:

Attention!

 
All your main files were encrypted!
 
Personal documents , photos and videos were encrypted . Files such as: jpeg , doc , docx , avi , excel , and others will be unreadable . 
 
Encryption was made using a unique public key RSA-2048 generated for this computer.
TO DECRYPT YOUR FILES YOU NEED TO BUY A SOFTWARE WITH YOUR UNIQUE PRIVATE KEY.  PRICE IS $100
This Software with Key will allow You decrypt Your files and PROTECT YOUR SYSTEM FROM ANY VULNERABILITY! 
Remember the main reasons that may cause deleting your private key FOREVER:  
 
- You have only 72 hour to get your private key. Do not waste your time. After 72 hour period Your key will be deleted 
 
- Any attemps to remove this encryption will be unsuccessful.  You cannot do this without your key!!! 
 
- Do not send any emails with threats and rudeness to us. Example of Email format is "Hello! I want to decrypt my files. My ID number is ...... 
I have attached a file for a free decryption. Waiting for my next instruction"
 
Please contact us by email, along with an identification number, which is shown in the picture and is specified in the file "HELP_DECRYPT.txt". 
 
We can remove encryption from a single file for FREE. Just send it us and then You will receive a decrypted file. It will be your guarantee! 
 
Contact Information :
decrypt@dr.com
ID: 2eb19e48
 
I did a Google image search of the JPG version, and it found no matches, making me think this is rather new.
 
I have sample encrypted files if that helps the cause. We are looking for any droppers or suspicious files on the computer currently.

ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.
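A small defender-side triage script, added here as an example and not part of any post in this thread or of the tools named above: it inventories a directory tree for the .crypt extension and HELP_DECRYPT.txt notes described in this post and pulls the contact address and victim ID out of the note so an incident record can be built before anything is touched. The sample tree and note text are constructed from the posted note; the regexes are assumptions about the note format.

```python
import re
from pathlib import Path
from tempfile import TemporaryDirectory

# Markers taken from the thread: the note name, the appended extension and
# the contact address / ID lines shown in the posted ransom note.
NOTE_NAME = "HELP_DECRYPT.txt"
ENCRYPTED_EXT = ".crypt"
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+")
ID_RE = re.compile(r"\bID\s*:\s*([0-9a-f]{6,})", re.IGNORECASE)

def parse_note(text):
    """Pull the contact address and victim ID out of a HELP_DECRYPT.txt body."""
    email = EMAIL_RE.search(text)
    vid = ID_RE.search(text)
    return {"email": email.group(0) if email else None,
            "id": vid.group(1) if vid else None}

def triage(root):
    """Read-only inventory: count .crypt files, locate notes, parse the first note."""
    root = Path(root)
    encrypted = sorted(p for p in root.rglob("*" + ENCRYPTED_EXT) if p.is_file())
    notes = sorted(p for p in root.rglob(NOTE_NAME) if p.is_file())
    return {"encrypted_count": len(encrypted),
            "note_count": len(notes),
            "dirs_hit": sorted({str(p.parent.relative_to(root)) for p in encrypted}),
            "contact": parse_note(notes[0].read_text(errors="replace")) if notes else None}

# Constructed sample note (wording copied from the post, not real victim data).
SAMPLE_NOTE = ("Attention!\nAll your main files were encrypted!\n"
               "Contact Information :\ndecrypt@dr.com\nID: 2eb19e48\n")

def build_sample(root):
    """Constructed tree: two hit folders with a note each, one untouched folder."""
    root = Path(root)
    for d in ("Documents", "Pictures"):
        (root / d).mkdir()
        (root / d / NOTE_NAME).write_text(SAMPLE_NOTE)
        for name in ("a.docx", "b.jpg"):
            (root / d / (name + ENCRYPTED_EXT)).write_bytes(b"\x00" * 16)
    (root / "Clean").mkdir()
    (root / "Clean" / "readme.txt").write_text("untouched")

def demo():
    with TemporaryDirectory() as tmp:
        build_sample(tmp)
        return triage(tmp)

if __name__ == "__main__":
    print(demo())
```

Run it against a mounted copy or shadow-copy export rather than the live system; it only reads, but the inventory and the extracted ID are what you would attach when submitting samples here.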


#13 4ward


Posted 16 December 2015 - 06:57 PM

We found a dropper and JdLcCGWa.exe file with malwarebytes.  I have a copy of an encrypted file if someone can break it.



#14 xXToffeeXx


Posted 17 December 2015 - 04:35 AM

We found a dropper and JdLcCGWa.exe file with malwarebytes.  I have a copy of an encrypted file if someone can break it.

If you can restore the malicious files and upload them here, it would be most useful for us who want to look at this infection and see if it is breakable.
 
xXToffeeXx~


~If I am helping you and you have not had a reply from me in two days, please send me a PM~

ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic] - If we have helped you out and you want to support what we do, you can do so here

~Twitter~ | ~Malware Analyst at Emsisoft~


#15 4ward


Posted 17 December 2015 - 06:47 AM

Scared to touch the file. It is locked in the shadow copy. I don't want to be affected again. Any idea?





