
trojan-ransom problem



#1 HDFighter (Members, 8 posts)

Posted 06 December 2015 - 08:06 AM

Hello Bleepingcomputer forum! I have a serious problem with a trojan that has infected one of my teachers' computers. First, he told me that he couldn't access his entire work, saved as various doc, docx and xls files. When I arrived at college, I witnessed the problem. The desktop was changed in a BSOD manner, with white text claiming that he was attacked by a "virus encoder". The attacker also claimed all data, the files created using the Office Suite, are all encrypted and if he ever wants to get them back he has to send a sum of money in exchange for the password. The same message would appear in an automated script that opens a PowerPoint document.

I booted the PC in safe mode with networking, downloaded one of the anti-malware tools I trust, Malwarebytes, fully scanned the PC and removed the files responsible for the infection. However, the data is still encrypted. I learned that Kaspersky, the internet security giant, developed a special brute-force decryption tool called RakhniDecryptor, a tool used to brute-force decrypt the corrupted data. On my i7 processor, in a couple more hours I think I'll be able to decrypt a part of the data. However, I'm afraid that if the decryptor will not work to crack the password, what do I do?

All encrypted data are represented with a cmd-like icon, and they have the original name of the file plus a very weird and long suffix formed by a series of numbers and an email address, probably the hacker's email. I learned however that this email is randomly generated, as well as the sequence of numbers.

As a note, my cleaning in safe mode worked. The virus ceased to encrypt freshly created documents, and the PowerPoint script disappeared as well.

But I need help, what can I do if the decryptor fails to crack the password?

#2 quietman7 (Bleepin' Janitor, Global Moderator, 51,271 posts, Virginia, USA)

Posted 06 December 2015 - 08:51 AM

Are there any file extensions appended to your files...such as .ecc, .ezz, .exx, .zzz, .xyz, .aaa, .abc, .ccc, .vvv, .CTBL, .CTB2, .crinf, .XTBL, .encrypted, .crypt, .EnCiPhErEd, .vault, .HA3, .toxcrypt or a 6-7 character extension consisting of random characters?

Did you find any ransom note? These infections are created to alert victims that their data has been encrypted and demand a ransom payment. Check your documents folder for an image the malware typically uses for the background note. Check the C:\ProgramData (or C:\Documents and Settings\All Users\Application Data) for a randomly named .html, .txt, .png, .bmp, .url file.

These are some examples:
HELP_DECRYPT.TXT, HELP_YOUR_FILES.TXT, HELP_TO_DECRYPT_YOUR_FILES.txt, HELP_RESTORE_FILES.txt
HELP_TO_SAVE_FILES.txt, RECOVERY_KEY.txt, DecryptAllFiles.txt, DECRYPT_INSTRUCTION.TXT
HOW_TO_DECRYPT_FILES.txt, How_To_Recover_Files.txt, encryptor_raas_readme_liesmich.txt
About_Files.txt, DecryptAllFiles_<user name>.txt, ReadDecryptFilesHere.txt, RECOVERY_FILES.txt
HOWTO_RESTORE_FILES_*****.txt, DecryptAllFiles_*******.txt (where * are 6-7 random characters)
RECOVERY_FILE_*****.txt, restore_files_*****.txt (where * are random characters)
howto_recover_file_*****.txt, _how_recover_*****.txt (where * are random characters)
how_recover+jav.txt, recover_file_*****.txt, (where * are random characters)
Once you have identified which particular ransomware you are dealing with, I can direct you to the appropriate discussion topic for further assistance.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#3 HDFighter (Topic Starter)

Posted 06 December 2015 - 12:45 PM

Quietman7,

Thank you for replying. I am not currently at my teacher's PC but I have some of the data to be decrypted. The files look like this: (originalfilename).id-**********_av666@weekendwarrior55.com, where the asterisks represent a number made from 10 random numbers.
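Added example, not code from this thread or from any tool it mentions: a small Python triage helper that applies the identification checks quietman7 gives in post #2 (appended extensions, ransom-note file names) and the suffix shape HDFighter reports in post #3 (original name, a 10-digit id, a payment email) to a directory listing, so the distinct payment address can be read off before asking which forum topic applies. The function names and the sample listing are constructed for this example.

```python
import re
from collections import defaultdict
from pathlib import Path

# Extensions quietman7 lists in post #2 as ransomware markers.
KNOWN_EXTS = {".ecc", ".ezz", ".exx", ".zzz", ".xyz", ".aaa", ".abc", ".ccc", ".vvv",
              ".ctbl", ".ctb2", ".crinf", ".xtbl", ".encrypted", ".crypt",
              ".enciphered", ".vault", ".ha3", ".toxcrypt"}
# Ransom-note names from post #2; '*' stands for the run of random characters.
NOTE_GLOBS = ["HELP_DECRYPT.TXT", "HELP_YOUR_FILES.TXT", "HELP_TO_DECRYPT_YOUR_FILES.txt",
    "HELP_RESTORE_FILES.txt", "HELP_TO_SAVE_FILES.txt", "RECOVERY_KEY.txt", "DecryptAllFiles.txt",
    "DECRYPT_INSTRUCTION.TXT", "HOW_TO_DECRYPT_FILES.txt", "How_To_Recover_Files.txt",
    "encryptor_raas_readme_liesmich.txt", "About_Files.txt", "DecryptAllFiles_*.txt",
    "ReadDecryptFilesHere.txt", "RECOVERY_FILES.txt", "HOWTO_RESTORE_FILES_*.txt",
    "RECOVERY_FILE_*.txt", "restore_files_*.txt", "howto_recover_file_*.txt",
    "_how_recover_*.txt", "how_recover+jav.txt", "recover_file_*.txt"]
NOTE_RE = re.compile("^(?:" + "|".join(re.escape(g).replace(r"\*", r"\w+")
                                       for g in NOTE_GLOBS) + ")$", re.IGNORECASE)

# Suffix shape HDFighter reports in post #3: <original name>.id-<10 digits>_<email>
ID_EMAIL_RE = re.compile(
    r"^(?P<orig>.+)\.id-(?P<id>\d{10})_(?P<email>[^@\s/]+@[^@\s/]+\.[a-z]{2,})$", re.I)

def classify(name):
    """Return (kind, detail) for one file name, or (None, None) if nothing matches."""
    m = ID_EMAIL_RE.match(name)
    if m:
        return "id_email", {"original": m["orig"], "id": m["id"], "email": m["email"].lower()}
    if NOTE_RE.match(name):
        return "note", name
    ext = Path(name).suffix.lower()
    if ext in KNOWN_EXTS:
        return "known_ext", ext
    return None, None

def triage(names):
    """Group a listing by indicator; the distinct emails pick the forum topic to use."""
    report = defaultdict(list)
    for n in names:
        kind, detail = classify(n)
        if kind:
            report[kind].append(detail)
    report["emails"] = sorted({d["email"] for d in report.get("id_email", [])})
    return dict(report)

# Constructed sample listing (not real files from the thread), e.g. print(triage(SAMPLE)).
SAMPLE = ["Syllabus.docx.id-1234567890_av666@weekendwarrior55.com",
          "Grades.xls.id-1234567890_av666@weekendwarrior55.com",
          "Budget.xlsx.vvv", "HELP_DECRYPT.TXT", "Lecture1.pptx"]
```

Randomly named .png/.bmp/.url notes, and files with an unknown 6-7 character extension, are not matched here and still need a manual look.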

#4 HDFighter (Topic Starter)

Posted 06 December 2015 - 04:13 PM

UPDATE: Unfortunately the Kaspersky Rakhni Tool has returned no result. I'm a little bit scared considering the fact that the attacker said something about a deadline of 72 hours. I hope the data isn't lost forever... I'll take a look for a ransom text document tomorrow, at college.



#5 quietman7 (Bleepin' Janitor, Global Moderator)

Posted 06 December 2015 - 05:07 PM

The av666@weekendwarrior55.com variant has already been reported to our Security Colleagues who specialize in crypto malware ransomware...see this topic.

It is believed that this infection is part of a ransomware kit that different affiliates utilize with their own payment email addresses which explains all the "@" ransomwares which have been reported.

#6 HDFighter (Topic Starter)

Posted 07 December 2015 - 02:11 PM

quietman7,

Thank you for your reply. My only question is this: after I submit a sample or more of the corrupted data, what is there to be done after? Thanks in advance for your efforts, BC Team.



#7 quietman7 (Bleepin' Janitor, Global Moderator)

Posted 07 December 2015 - 05:54 PM
Our crypto malware experts and Security Colleagues investigate/analyze the samples. If there is something they can work with in regards to decryption, they generally respond to these topics. If not, then that generally means there isn't anything they can do at this time.
