
Ransomware - new unnamed one - @moonlinet.com - @asteroidmail.com


12 replies to this topic

#1 dirkles

dirkles

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:05:44 AM

Posted 01 December 2015 - 08:00 AM

Hello,

 

I am a German software engineer. In November our network was infected by ransomware which renamed and encrypted all PDF, Office, Txt,

- Our IT found the source with the malware and disinfected it.

- The malware encrypted all files that were accessible to the infected machine.

- The server hard drives were restored from backup.

Now some important files in accessible directories are encrypted and not accessible.

Some facts about the malware that we found out:

- pandaunransom.exe, RannohDecryptor.exe and some other decryptors do not work.

- Every file is renamed to [FILENAME].id-2425880064_email1_key@asteroidmail.com_email2_key@moonlinet.com .

- I found out that the ID is individual for the source malware, I think. Some other posts on the internet have the same name but another ID.

- Examining the files, I found out that the malware only encrypts the first 60 bytes. The rest of the file is as it was.

- Recovery tools like Recuva did not find anything.

- The real byte size of the file changes with a difference of three bytes.

Some example filenames:

versionhistory.xls.id-2425880064_email1_key@asteroidmail.com_email2_key@moonlinet.com

797903.txt.id-2425880064_email1_key@asteroidmail.com_email2_key@moonlinet.com

tccncerrors.xml.id-2425880064_email1_key@asteroidmail.com_email2_key@moonlinet.com

Has someone experience or some tip to get the files decrypted?

Thanks and regards from Germany

Dirk

Attached files: one file in encrypted and original form.

 

 

 

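The renaming scheme quoted in this post (and the single-address form quoted later in post #11) is regular enough to be parsed, which is useful on a file server: a listing of the share tells you which victim IDs touched it and therefore whether one or several infected hosts did the encrypting. The following is an added example written for this thread, not code from BleepingComputer or from any decryptor; the regex, the function names and the sample listing are constructed here, using only the file names that appear in the thread.

```python
import re
from typing import Dict, List, Optional

# Renaming scheme quoted in this thread (constructed regex, not from any tool):
#   <original name>.id-<digits>_email1_<address>_email2_<address>   (post #1)
#   <original name>.id-<digits>_<address>                           (post #11)
RENAME_RE = re.compile(
    r"^(?P<original>.+?)"
    r"\.id-(?P<victim_id>\d+)"
    r"(?:"
    r"_email1_(?P<email1>[^_\s]+@[^_\s]+)_email2_(?P<email2>[^_\s]+@[^_\s]+)"
    r"|_(?P<email>[^_\s]+@[^_\s]+)"
    r")$"
)

# Constructed directory listing: the names quoted in the thread plus one untouched file.
SAMPLE_LISTING = [
    "versionhistory.xls.id-2425880064_email1_key@asteroidmail.com_email2_key@moonlinet.com",
    "797903.txt.id-2425880064_email1_key@asteroidmail.com_email2_key@moonlinet.com",
    "tccncerrors.xml.id-2425880064_email1_key@asteroidmail.com_email2_key@moonlinet.com",
    "programa pentru simularea din decembrie 2015 la BAC la geografie.pdf"
    ".id-4775085215_helpme@freespeechmail.org",
    "readme.txt",
]


def parse_renamed(filename: str) -> Optional[dict]:
    """Split a renamed file into original name, victim id and contact addresses.
    Returns None when the name does not follow either quoted scheme."""
    m = RENAME_RE.match(filename)
    if not m:
        return None
    original = m.group("original")
    emails = [e for e in (m.group("email1"), m.group("email2"), m.group("email")) if e]
    return {
        "original": original,
        "extension": original.rsplit(".", 1)[-1].lower() if "." in original else "",
        "victim_id": m.group("victim_id"),
        "emails": emails,
    }


def summarize(filenames: List[str]) -> Dict[str, object]:
    """Group renamed files by victim id. Post #1 suspects the id is per infected
    source, so more than one id on a share points to more than one infected host."""
    by_id: Dict[str, dict] = {}
    unmatched: List[str] = []
    for name in filenames:
        info = parse_renamed(name)
        if info is None:
            unmatched.append(name)
            continue
        entry = by_id.setdefault(info["victim_id"], {"emails": set(), "files": []})
        entry["emails"].update(info["emails"])
        entry["files"].append(info["original"])
    return {"by_id": by_id, "unmatched": unmatched}


if __name__ == "__main__":
    report = summarize(SAMPLE_LISTING)
    for victim_id, entry in report["by_id"].items():
        print(victim_id, sorted(entry["emails"]), len(entry["files"]), "files")
    print("not renamed:", report["unmatched"])
```

On a real share, feed `summarize()` the output of `os.listdir()` or an `os.walk()` over the affected directories; the `original` field also gives you the list of file names to pull back from backup.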

 


#2 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,744 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:11:44 PM

Posted 01 December 2015 - 08:25 AM

It is believed that this infection is part of a ransomware kit that different affiliates utilize with their own payment email addresses which explains all the "@" ransomwares which have been reported.

I have advised our Security Colleagues who specialize in crypto malware ransomware with a link to this topic.

Please submit a sample of an encrypted file here (http://www.bleepingcomputer.com/submit-malware.php?channel=3) with a link to this topic.

You can also submit samples of suspicious executables or any malware files that you suspect were involved in causing the infection. Doing that will be helpful with analyzing and investigating.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#3 dirkles

dirkles
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:05:44 AM

Posted 01 December 2015 - 08:37 AM

The executable is not accessible any more. Our IT was cleaning it. Malwarebytes was the only scanner that found the malware. It was located in some Windows Temp dir, I think.

regards

Dirk



#4 dirkles

dirkles
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:05:44 AM

Posted 02 December 2015 - 08:34 AM

Hello,

 

Are there some new facts about the malware?

Thanks

 

regards

Dirk



#5 bano007

bano007

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:05:44 AM

Posted 03 December 2015 - 06:26 AM

Any news? I have also been a victim of av666@weekendwarrior.com ransomware?!



#6 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,744 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:11:44 PM

Posted 03 December 2015 - 06:58 AM

Not yet but let me add a note from one of my colleagues who helps with investigating these types of infections.
 

Without a dropper, it becomes really hard to look into all these different variants, much less figure out whether they are decryptable. Encrypted files are nice, but they are limited in what they can tell us.

Reporting them is important though.


These are common locations malicious executables related to ransomware infections may be found:
%Temp%
%AppData%
%LocalAppData%
%ProgramData%
%WinDir%
C:\<random>\<random>.exe

#7 dirkles

dirkles
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:05:44 AM

Posted 03 December 2015 - 08:37 AM

Good afternoon.

 

I got the quarantine file of the malware (Malwarebytes found it). Can this help for investigating?

Also the logfile is now available:

<file><path>C:\Users\XXXX\AppData\Local\Temp\Low\9F14.tmp</path><vendor>Trojan.Agent</vendor><action>success</action><hash>0ad5037c43488caaf0206b3dbb46e61a</hash></file>

Should I send you the file 7471320837.quar?

 

regards

Dirk
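The log record above is exactly the kind of artifact the earlier reply (post #6) asks for, and its path sits in one of the common drop locations that reply lists. Below is an added example, not BleepingComputer's or Malwarebytes' code, that pulls `<file>` records out of a log like this one, tells the responder which of the listed locations the detected file was in, notes what kind of hash the log carries (32 hex characters is an MD5, which is what you would paste into a sample submission), and optionally sweeps those locations for recently modified executables. The environment mapping `SAMPLE_ENV` is constructed for an offline run; the log text reuses only the record quoted in this post; the function names are this example's own.

```python
import hashlib
import os
import re
import time
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath
from typing import Dict, List, Optional

# Locations named in post #6; the "C:\<random>\<random>.exe" pattern is matched structurally below.
COMMON_LOCATIONS = ["%Temp%", "%AppData%", "%LocalAppData%", "%ProgramData%", "%WinDir%"]

# Constructed stand-in for a real environment; on a live Windows host pass dict(os.environ).
SAMPLE_ENV = {
    "Temp": r"C:\Users\XXXX\AppData\Local\Temp",
    "AppData": r"C:\Users\XXXX\AppData\Roaming",
    "LocalAppData": r"C:\Users\XXXX\AppData\Local",
    "ProgramData": r"C:\ProgramData",
    "WinDir": r"C:\Windows",
}

# The one <file> record quoted in post #7, embedded here as constructed log text.
SAMPLE_LOG = (
    "<file><path>C:\\Users\\XXXX\\AppData\\Local\\Temp\\Low\\9F14.tmp</path>"
    "<vendor>Trojan.Agent</vendor><action>success</action>"
    "<hash>0ad5037c43488caaf0206b3dbb46e61a</hash></file>"
)


def parse_mbam_entries(log_text: str) -> List[Dict[str, str]]:
    """Pull every <file>...</file> record out of a Malwarebytes-style log into a dict per record."""
    entries = []
    for m in re.finditer(r"<file>.*?</file>", log_text, re.S):
        el = ET.fromstring(m.group(0))
        entries.append({child.tag: (child.text or "").strip() for child in el})
    return entries


def hash_kind(digest: str) -> Optional[str]:
    """Name the digest algorithm from its hex length (md5/sha1/sha256), or None if it is not hex."""
    if not re.fullmatch(r"[0-9a-fA-F]+", digest):
        return None
    return {32: "md5", 40: "sha1", 64: "sha256"}.get(len(digest))


def expand_locations(env: Dict[str, str]) -> Dict[str, str]:
    """Resolve the %NAME% shorthands against an environment mapping (case-insensitive, like Windows)."""
    lookup = {k.lower(): v for k, v in env.items()}
    return {loc: lookup[loc.strip("%").lower()]
            for loc in COMMON_LOCATIONS if loc.strip("%").lower() in lookup}


def classify_path(path: str, expanded: Dict[str, str]) -> Optional[str]:
    """Most specific known location containing `path`, the drive-root
    '<random>\\<random>.exe' shape from post #6, or None."""
    p = PureWindowsPath(path)
    best, best_depth = None, -1
    for label, root in expanded.items():
        r = PureWindowsPath(root)
        if p.is_relative_to(r) and len(r.parts) > best_depth:   # Python 3.9+
            best, best_depth = label, len(r.parts)
    if best:
        return best
    if p.drive and len(p.parts) == 3 and p.suffix.lower() == ".exe":
        return "C:\\<random>\\<random>.exe"
    return None


def triage(log_text: str, env: Dict[str, str]) -> List[Dict[str, str]]:
    """Annotate each log record with its drop location and hash algorithm."""
    expanded = expand_locations(env)
    out = []
    for e in parse_mbam_entries(log_text):
        e = dict(e)
        e["location"] = classify_path(e.get("path", ""), expanded) or "other"
        e["hash_algo"] = hash_kind(e.get("hash", "")) or "unknown"
        out.append(e)
    return out


def sha256_file(path: str) -> Optional[str]:
    h = hashlib.sha256()
    try:
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(1 << 16), b""):
                h.update(chunk)
    except OSError:
        return None
    return h.hexdigest()


def recent_executables(expanded: Dict[str, str], max_age_days: int = 30, max_depth: int = 3,
                       exts=(".exe", ".scr", ".dll", ".tmp")) -> List[Dict[str, object]]:
    """Sweep the resolved locations (depth-limited, %WinDir% is large) for recently
    modified executable-like files and hash them for submission. Missing roots are skipped."""
    cutoff = time.time() - max_age_days * 86400
    hits = []
    for label, root in expanded.items():
        if not os.path.isdir(root):
            continue
        base_depth = root.rstrip("\\/").count(os.sep)
        for dirpath, dirnames, filenames in os.walk(root):
            if dirpath.count(os.sep) - base_depth >= max_depth:
                dirnames[:] = []          # prune: do not descend further
            for name in filenames:
                if os.path.splitext(name)[1].lower() not in exts:
                    continue
                full = os.path.join(dirpath, name)
                try:
                    st = os.stat(full)
                except OSError:
                    continue
                if st.st_mtime >= cutoff:
                    hits.append({"location": label, "path": full,
                                 "mtime": int(st.st_mtime), "sha256": sha256_file(full)})
    return hits


if __name__ == "__main__":
    for rec in triage(SAMPLE_LOG, SAMPLE_ENV):
        print(rec["location"], rec["vendor"], rec["hash_algo"], rec["hash"], rec["path"])
```

`triage()` is what you run on the log; `recent_executables(expand_locations(dict(os.environ)))` is the live sweep for a host where no log survived, and its output (path, mtime, sha256) is the record to attach when submitting a sample.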



#8 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,744 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:11:44 PM

Posted 03 December 2015 - 08:45 AM

Samples can be submitted here (http://www.bleepingcomputer.com/submit-malware.php?channel=3) with a link to this topic.

#9 dirkles

dirkles
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:05:44 AM

Posted 07 December 2015 - 05:49 AM

I think it is a variant of this?

 

http://www.bleepingcomputer.com/forums/t/568295/new-crypto-ransomware-extensionid-number-fudindiacom/page-2

 

 

Any news?

 

Thanks

Dirk



#10 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,744 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:11:44 PM

Posted 07 December 2015 - 06:39 AM

It is similar. As I said previously...it is believed that these infections are part of a ransomware kit that different affiliates utilize with their own payment email addresses which explains all the "@" ransomwares which have been reported.

#11 s3th

s3th

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:03:44 AM

Posted 17 December 2015 - 02:05 PM

Hi,

 

Some PCs from my workplace were hit by this kind of ransomware - Trojan-Ransom.Win32.Rakhni, which I think I got rid of, but my office files and PDFs are now encrypted. I ran the Rakhni Decryptor from Kaspersky twice, 3-4 days each time, and it gave me nothing - Found: 0; Decrypted: 0.

What should I do to recover/decrypt my files?

P.S.: I couldn't attach the encrypted file with the name and extension it was renamed to by the ransomware, not even in a rar archive. The Rakhni ransomware gave this file the name:

programa pentru simularea din decembrie 2015 la BAC la geografie.pdf.id-4775085215_helpme@freespeechmail.org     <<< modified by Rakhni Ransomware

In the attachment you will find the original name + extension of the file, the same as was created by the author, but the file is encrypted by Rakhni.

 

Please help.

 



#12 s3th

s3th

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:03:44 AM

Posted 22 December 2015 - 07:33 AM

Hello,

 

After 7 days of scans, trials and more scans I finally found the password and decrypted my file, but I can't apply the same method to the other PCs..... it will take another 7 days..... Can the progress or password be saved to a log or config file, to copy into the same directory with rakhnydecriptor on the other stations and run it in such a way that it will scan only the encrypted files and decrypt with the password from the file?

I expect more news in this topic about this ransomware.

 

 

Help needed!



#13 dirkles

dirkles
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:05:44 AM

Posted 22 December 2015 - 07:37 AM

Hello,

 

How did you find the password? Did rakhnydecriptor work? Was the file smaller than 30000 bytes? Because the ransomware encrypts only the first 30000. That's why the normal tools don't succeed.

 

regards,

dirk
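Post #1 reports that only the first 60 bytes are overwritten and the file grows by three bytes; this post says the first 30000. Both are the same claim, partial (prefix-only) encryption, and it is worth measuring rather than assuming, because the prefix length decides whether a small file was encrypted in full (the question asked above) and how much of a large file is still plaintext. The example below is added for this thread and is not Dirk's or any decryptor's code: given an encrypted file and its pre-infection copy from backup, it counts the untouched tail and derives the overwritten prefix and the size delta, checks whether a set of such pairs follows one consistent prefix rule, and returns the untouched remainder. The sample bytes are constructed to mirror the numbers in post #1 (60 bytes replaced by 63).

```python
from typing import Dict, List

# Constructed samples, not the attached files: a 1024-byte original whose first 60 bytes were
# replaced by a 63-byte blob (post #1's numbers), and an 11-byte file shorter than the prefix.
ORIGINAL_LARGE = bytes(range(256)) * 4
ENCRYPTED_LARGE = b"\xff" * 63 + ORIGINAL_LARGE[60:]
ORIGINAL_SMALL = b"short file\n"
ENCRYPTED_SMALL = b"\xff" * 14


def measure_partial_encryption(original: bytes, encrypted: bytes) -> Dict[str, int]:
    """Compare an encrypted file with its pre-infection copy. The unchanged tail is counted
    from the end; everything before it is the overwritten prefix. A ciphertext byte that
    happens to equal the original can overcount the tail by a byte or two, so compare
    several files before trusting the exact number."""
    limit = min(len(original), len(encrypted))
    tail = 0
    while tail < limit and original[-1 - tail] == encrypted[-1 - tail]:
        tail += 1
    return {
        "original_size": len(original),
        "encrypted_size": len(encrypted),
        "size_delta": len(encrypted) - len(original),
        "untouched_tail_bytes": tail,
        "plaintext_prefix_bytes": len(original) - tail,    # how much of the original was overwritten
        "ciphertext_prefix_bytes": len(encrypted) - tail,  # how long the replacement blob is
    }


def infer_prefix_policy(measurements: List[Dict[str, int]]) -> Dict[str, object]:
    """Across several pairs: the largest overwritten prefix seen, whether every file is
    consistent with 'first N bytes, or the whole file if shorter than N', and the size deltas."""
    prefix = max(m["plaintext_prefix_bytes"] for m in measurements)
    consistent = all(m["plaintext_prefix_bytes"] == min(prefix, m["original_size"])
                     for m in measurements)
    return {
        "prefix_bytes": prefix,
        "consistent": consistent,
        "size_deltas": sorted({m["size_delta"] for m in measurements}),
    }


def salvage_tail(encrypted: bytes, ciphertext_prefix_bytes: int) -> bytes:
    """Return the part of the encrypted file that was never touched. For line-oriented
    formats (txt, csv, xml, log) this is readable as-is minus the first lines; for
    container formats (pdf, xlsx) the header is gone and it is only input for a repair tool."""
    return encrypted[ciphertext_prefix_bytes:]


if __name__ == "__main__":
    pairs = [(ORIGINAL_LARGE, ENCRYPTED_LARGE), (ORIGINAL_SMALL, ENCRYPTED_SMALL)]
    results = [measure_partial_encryption(o, e) for o, e in pairs]
    for r in results:
        print(r)
    print(infer_prefix_policy(results))
```

For a real case, replace the constructed bytes with `open(path, "rb").read()` of the backup copy and of the renamed file; `infer_prefix_policy` over a handful of pairs of different sizes is what settles the 60-versus-30000 question for your own samples.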





