
av666@weekendwarrior55.com Ransomware Support Topic


157 replies to this topic

#1 mateiacd

Posted 01 December 2015 - 02:40 PM

Hello,

1) Today, December 1, 2015, I'm afraid that I've got a virus from a Romanian news website.

Hundreds of PDF, CSV, XLS, JPG, RTF and DOC files from my Windows 7 computer have been renamed as follows, and I think they are encrypted:

Test.doc.id-1026927078_av666@weekendwarrior55.com
Placinta.JPG.id-1026927078_av666@weekendwarrior55.com
Test Removals.xls.id-1026927078_av666@weekendwarrior55.com
MS1.pdf.id-1026927078_av666@weekendwarrior55.com

All my files now begin with one of the following (in hex):

A0 86 01 00 ...
1A 03 01 00
D9 06 00 00
79 05 00 00

2) I have also noticed I had a modified entry in

C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\99DB.tmp

which I have removed.

Could you indicate how to send you some sample files?
 
Thank you very much!

Edited by quietman7, 08 December 2015 - 04:04 PM.
Moved from 'Virus etc. logs' to 'General security'



#2 quietman7 (Bleepin' Janitor, Global Moderator)

Posted 03 December 2015 - 04:00 PM

It is believed that this infection is part of a ransomware kit that different affiliates utilize with their own payment email addresses which explains all the "@" ransomwares which have been reported.

id-0668630339-bingo@opensourcemail.org
id-2388951881453869_paycrypt@aol
I have got encrypted with _johnycryptor@aol.com
_obamausa7@aol.com Virus on my system
<extension>.<id-number>_Seven_Legion2@aol.com
New virus <extension>.id-<number>_doctor@freelinuxmail.org
id-1463440104_doctor@freelinuxmail.org files infection ramsomware
New ransomware _johndoe@weekendwarrior55.com
All my files are infected by info@crypted files
New crypto ransomware <extension>.id-<number>_info@cryptedfiles.biz
<extension>.id-<number>_cryptedfiles.biz
New ransomware variant: <filename>.<id-number>_sos@encryption.guru
<filename>.<id-number>_email2_key@moonlinet.com - <filename>.<id-number>_email1_key@asteroidmail.com
Got hit by CryptoLocker. Which variant?...<extension>.<id-number>_hairullah@inbox.lv


I have advised our Security Colleagues who specialize in crypto malware ransomware with a link to this topic.

You can submit a sample of an encrypted file here (http://www.bleepingcomputer.com/submit-malware.php?channel=3) with a link to this topic.

You can also submit samples of suspicious executables or any malware files that you suspect were involved in causing the infection. Doing that will be helpful with analyzing and investigating.

These are common locations malicious executables related to ransomware infections may be found:
%Temp%
C:\<random>\<random>.exe
%AppData%
%LocalAppData%
%ProgramData%
%WinDir%
Microsoft MVP Consumer Security 2007-2015
Microsoft MVP Reconnect 2016
Windows Insider MVP 2017
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click here

#3 mateiacd (Topic Starter)

Posted 04 December 2015 - 02:40 AM

All right, thank you, I have sent the encrypted files and the suspicious 99.tmp that is actually a disguised EXE.



#4 nlegna

Posted 08 December 2015 - 02:23 PM

I have this virus too and have sent you a zip with encrypted files.



#5 calexp

Posted 10 December 2015 - 04:37 PM

Hello,

New to this forum.

I came across this malware a few days ago in a corporate environment and got a copy of some encrypted and unencrypted files.

After a quick look I found that some are fully encrypted and others only a couple of KB from the start of the file.

Also, at the end of each encrypted file there is an overlay added with the info of the original (unencrypted) file size, plus some other info (file sizes? with 12 bytes difference from the original).

I hope that someone will find this info helpful.



#6 quietman7 (Bleepin' Janitor, Global Moderator)

Posted 10 December 2015 - 04:50 PM

Kaspersky Lab has a utility called RakhniDecryptor that is able to brute force the decryption key for some of these <filename>.<extension>.id-random number_"@"variants but not all of them. Instructions for using RakhniDecryptor can be found here.

Kaspersky Lab also has a RannohDecryptor utility for decrypting some other types of <filename>"@".<random characters> "@" variants with extensions appended to the end.

#7 calexp

Posted 11 December 2015 - 07:24 AM

Just gave a try to RakhniDecryptor, but the process is slooooow.

I've calculated that for my PC it will take about 9.4 days, just to see if there is any hope.



#8 HDFighter

Posted 11 December 2015 - 02:21 PM

Hello all!
 
There is an important note here - I tried the Rakhni Decryptor tool provided by Kaspersky, and after approximately a day of continuous work, it returned no result unfortunately... However, someone said that the process can return a positive key if run on different items (.doc, .pdf, .xls, etc.), even if there was no password from the first try. I tried to decrypt a .DOC file.



#9 calexp

Posted 11 December 2015 - 05:13 PM

> Hello,
>
> New to this forum.
>
> I came across this malware a few days ago in a corporate environment and got a copy of some encrypted and unencrypted files.
>
> After a quick look I found that some are fully encrypted and others only a couple of KB from the start of the file.
>
> Also, at the end of each encrypted file there is an overlay added with the info of the original (unencrypted) file size, plus some other info (file sizes? with 12 bytes difference from the original).
>
> I hope that someone will find this info helpful.

> Just gave a try to RakhniDecryptor, but the process is slooooow.
>
> I've calculated that for my PC it will take about 9.4 days, just to see if there is any hope.

New info on this one.

Got a copy of the infected EXE (disguised as .tmp) running at startup and tested it on a test PC at work.

It seems to encrypt only the first 100000 bytes of each file; if a file is smaller than that, it is encrypted all the way, otherwise from that point to the end the file continues unencrypted. Also an overlay is added to the end with info about the original file size and some other stuff.

... Still waiting for Rakhni Decryptor to finish....
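As an added example (not code from this thread or from any tool named in it), a small Python triage helper built from what the thread reports: the `.id-<number>_<email>` naming pattern from the first post, the 100000-byte encrypted prefix and trailing overlay calexp describes, and the header bytes mateiacd posted. Reading those four headers as little-endian dwords gives 100000, 66330, 1753 and 1401, which the code reports only as a hypothesis (first dword equals the encrypted length); the sample file pair, its XOR filler and the 12-byte overlay layout are constructed assumptions, not the real cipher or format.

```python
import re
import struct

# Naming pattern seen in this thread: <original name>.id-<digits>_<contact e-mail>
NAME_RE = re.compile(r"^(?P<orig>.+)\.id-(?P<id>\d+)_(?P<email>[^@\s]+@[^@\s]+)$")
PREFIX_LIMIT = 100000  # calexp: only the first 100000 bytes of a file are encrypted


def parse_ransom_name(name):
    """Split an encrypted file's name into original name, victim ID and contact e-mail."""
    m = NAME_RE.match(name)
    return None if m is None else {"original": m["orig"], "id": m["id"], "email": m["email"]}


def decode_first_dword(hex_text):
    """Read a space-separated hex string such as 'A0 86 01 00' as a little-endian uint32."""
    return struct.unpack("<I", bytes.fromhex(hex_text.replace(" ", "")))[0]


def compare_with_original(original, encrypted):
    """Measure how an encrypted file differs from its unencrypted copy; the
    first-dword check is a hypothesis from the header bytes posted in this
    thread, not a confirmed file format."""
    limit = min(len(original), PREFIX_LIMIT)
    first = struct.unpack("<I", encrypted[:4])[0] if len(encrypted) >= 4 else None
    return {
        "expected_encrypted_len": limit,
        "tail_intact": encrypted[limit:len(original)] == original[limit:],
        "overlay_len": len(encrypted) - len(original),
        "first_dword": first,
        "first_dword_matches_limit": first == limit,
    }


def build_constructed_pair(size=150000):
    """Constructed sample, not a real ciphertext: the first min(size, 100000) bytes
    become a length dword plus XOR filler, the rest is copied unchanged, and a
    12-byte overlay (original size plus padding) is appended at the end."""
    original = bytes(i % 251 for i in range(size))
    limit = min(size, PREFIX_LIMIT)
    scrambled = struct.pack("<I", limit) + bytes(b ^ 0x5A for b in original[4:limit])
    overlay = struct.pack("<Q", size) + b"\x00" * 4
    return original, scrambled + original[limit:] + overlay


if __name__ == "__main__":
    print(parse_ransom_name("Test.doc.id-1026927078_av666@weekendwarrior55.com"))
    print(decode_first_dword("A0 86 01 00"))  # 100000, the same limit calexp observed
    print(compare_with_original(*build_constructed_pair()))
```

Run it against a real encrypted/original pair to confirm whether the tail past 100000 bytes is really untouched before relying on a decryptor that assumes whole-file encryption.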



#10 mateiacd (Topic Starter)

Posted 12 December 2015 - 07:24 AM

> Got a copy of the infected EXE (disquised as .tmp) running at startup and tested it on a test PC at work.

 

Cool! :thumbup2: Then someone can reverse engineer the encrypting routine, which is useful I guess.


Edited by mateiacd, 12 December 2015 - 07:27 AM.


#11 calexp

Posted 12 December 2015 - 10:38 AM

> > Got a copy of the infected EXE (disguised as .tmp) running at startup and tested it on a test PC at work.
>
> Cool! :thumbup2: Then someone can reverse engineer the encrypting routine, which is useful I guess.

 

Yeah, maybe next month due to workload.. plus I have to dust off my 23-year-old assembly language...

Since then we might have found a quicker solution. Also the company which was infected has restored almost all files from a weekly backup I had scheduled on their server, so at least I'm not in a hurry...



#12 xXToffeeXx (Bleepin' Polar Bear, Malware Response Instructor)

Posted 12 December 2015 - 12:26 PM

> New info on this one.
> Got a copy of the infected EXE (disguised as .tmp) running at startup and tested it on a test PC at work.
> It seems to encrypt only the first 100000 bytes of each file; if a file is smaller than that, it is encrypted all the way, otherwise from that point to the end the file continues unencrypted. Also an overlay is added to the end with info about the original file size and some other stuff.

It encrypted that test PC? Please upload that file here. I would like to have a look at it with my colleague.
 
xXToffeeXx~


~If I am helping you and you have not had a reply from me in two days, please send me a PM~

~Currently in my last year of school, so replies might be more delayed~

 

logo-25.pngID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic] - If we have helped you out and you want to support what we do, you can do so here

 

 ~Twitter~ | ~Malware Analyst at Emsisoft~


#13 bano007

Posted 14 December 2015 - 06:48 AM

 

> > New info on this one.
> > Got a copy of the infected EXE (disguised as .tmp) running at startup and tested it on a test PC at work.
> > It seems to encrypt only the first 100000 bytes of each file; if a file is smaller than that, it is encrypted all the way, otherwise from that point to the end the file continues unencrypted. Also an overlay is added to the end with info about the original file size and some other stuff.
>
> It encrypted that test PC? Please upload that file here. I would like to have a look at it with my colleague.
>
> xXToffeeXx~

 

Any news about this ransomware?! I ran Rakhni Decryptor also without any luck :)



#14 janus5555

Posted 14 December 2015 - 07:46 AM

Hi, my company was struck by that same virus about 10 days ago. We still haven't recovered our files, the backup itself was also hit due to bad storage conditions and at the moment all our efforts with the Rakhni Decryptor are pointless.

Does anyone have any solution to suggest? Is anyone close to fixing the whole decryption issue?

I would really appreciate any help whatsoever, our IT is unable to deal with this situation and the majority of our workload goes through the infected documents, we are currently frozen here..

Thanks in advance ;)



#15 calexp

Posted 14 December 2015 - 09:04 AM

 

> > New info on this one.
> > Got a copy of the infected EXE (disguised as .tmp) running at startup and tested it on a test PC at work.
> > It seems to encrypt only the first 100000 bytes of each file; if a file is smaller than that, it is encrypted all the way, otherwise from that point to the end the file continues unencrypted. Also an overlay is added to the end with info about the original file size and some other stuff.
>
> It encrypted that test PC? Please upload that file here. I would like to have a look at it with my colleague.
>
> xXToffeeXx~

 

Of course it encrypted the test PC, that's why it's called a "TEST" PC. Unfortunately another technician has reformatted it to test another software, so I lost the sample of the malware :(.

As far as I'm concerned, Rakhni Decryptor might not decrypt the files correctly since they are not completely encrypted (only the first 100000 bytes), so we might need a different tool for this kind of malware.

I'll try to get another sample... if any remains...





