Radamant Ransomware (.RRK, .RDM, .RAD) Support and Help Topic - YOUR_FILES.url


158 replies to this topic

#1 SVETLIN80

Posted 14 December 2015 - 11:28 AM

Hello, I am from Bulgaria and working as a system administrator. All document files on one of my computers are encrypted and they have the extension RDM. Have you got any idea whether there is a decryptor and which kind of cryptolocker this is? Thank you!

 

Link to the decrypter: http://www.bleepingcomputer.com/forums/t/599368/radamant-ransomware-rrk-rdm-rad-support-and-help-topic-your-filesurl/?p=3891102


Edited by xXToffeeXx, 23 March 2016 - 02:23 PM.
Added decrypter link~



#2 quietman7


    Bleepin' Janitor



Posted 14 December 2015 - 03:58 PM


The BC staff has advised our security colleagues who specialize in crypto-malware ransomware, with a link to this topic.

Please submit a sample of an encrypted file here (http://www.bleepingcomputer.com/submit-malware.php?channel=3) with a link to this topic.

You can also submit samples of suspicious executables or any malware files that you suspect were involved in causing the infection. Doing so will be helpful for analyzing and investigating.

These are common locations malicious executables related to ransomware infections may be found:
%Temp%
C:\<random>\<random>.exe
%AppData%
%LocalAppData%
%ProgramData%
%WinDir%
Microsoft MVP Consumer Security 2007-2015
Microsoft MVP Reconnect 2016
Windows Insider MVP 2017
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
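As an added triage example (not from quietman7's post and not a BleepingComputer tool), the Python script below walks the folders listed above, finds .exe files created in the last few days, and reports their creation time and SHA-256 so the files and hashes can be submitted for analysis. The depth limits, the 7-day window and the use of creation time are assumptions.

```python
"""Triage helper: list recently created .exe files in the folders quietman7 names.
Added example, not part of the forum post. Paths and depth limits are assumptions."""
import hashlib
import os
import time

# (folder, levels below it to scan); the last entry covers C:\<random>\<random>.exe
SUSPECT_LOCATIONS = [
    ("%Temp%", 3), ("%AppData%", 3), ("%LocalAppData%", 3),
    ("%ProgramData%", 3), ("%WinDir%", 2), ("%SystemDrive%\\", 1),
]

def sha256_of(path, chunk=1 << 20):
    """Hash a file in chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def find_recent_executables(roots, days=7, now=None):
    """Return [(path, ctime, sha256)] for .exe files created within `days`.
    Roots whose %VAR% did not expand, or which do not exist, are skipped."""
    now = time.time() if now is None else now
    cutoff = now - days * 86400
    hits = []
    for root, max_depth in roots:
        root = os.path.expandvars(root)
        if "%" in root or not os.path.isdir(root):
            continue
        base = root.rstrip(os.sep).count(os.sep)
        for dirpath, dirnames, filenames in os.walk(root):
            if dirpath.rstrip(os.sep).count(os.sep) - base >= max_depth:
                dirnames[:] = []        # do not descend any further
            for name in filenames:
                if not name.lower().endswith(".exe"):
                    continue
                full = os.path.join(dirpath, name)
                try:
                    ctime = os.path.getctime(full)
                    if ctime >= cutoff:
                        hits.append((full, ctime, sha256_of(full)))
                except OSError:
                    continue            # vanished or unreadable; keep going
    return sorted(hits, key=lambda h: h[1], reverse=True)

if __name__ == "__main__":
    for path, ctime, digest in find_recent_executables(SUSPECT_LOCATIONS):
        print(time.strftime("%Y-%m-%d %H:%M", time.localtime(ctime)), digest, path)
```

Run it on the affected machine before reinstalling; a fresh executable in one of these folders is the sample worth uploading.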

#3 SVETLIN80


Posted 14 December 2015 - 05:52 PM

Hello, I uploaded one encrypted file. Tomorrow I can send the suspected file and an HTML file (linked to an internet site) named YOURFILES.HTML. Thank you very much!



#4 quietman7


    Bleepin' Janitor



Posted 14 December 2015 - 06:04 PM

Ok. This looks like something new so it may take some time to investigate.

#5 SVETLIN80


Posted 15 December 2015 - 11:26 AM

Hello again! Unfortunately my colleague reinstalled the encrypted computer and I can't send the suspected files. If you have any solution for decryption I will be thankful.


Edited by SVETLIN80, 16 December 2015 - 07:49 AM.


#6 Grinler


    Lawrence Abrams



Posted 15 December 2015 - 01:31 PM

Without any of the files there is not much we can do unfortunately.

#7 quietman7


    Bleepin' Janitor



Posted 15 December 2015 - 03:37 PM

I edited the title of this topic so it will be easier to see in Google. If others get this infection a search will direct them here and hopefully we can get some samples.

#8 SVETLIN80


Posted 16 December 2015 - 07:47 AM

Hi again, my colleague found a suspected URL opened on this computer: easy-trading.biz. Kaspersky blocked this URL.

The computer is not yet reinstalled. He will back up all suspected files before reinstalling and later I will attach them.


Edited by SVETLIN80, 16 December 2015 - 09:28 AM.


#9 SVETLIN80


Posted 16 December 2015 - 08:41 AM

Hi, I uploaded 3 files. One of them may be the infector. Thank you again! I suspect api-roxy.exe. It was created on 11.12.2015 in windows\system32 at 11:45 AM. Then this file went into the startup (maybe). The next morning at 08:00, when the computer was powered on again, the desktop became black and all files were encrypted (that's my guess).


Edited by SVETLIN80, 16 December 2015 - 09:27 AM.


#10 razpou


Posted 16 December 2015 - 10:21 AM

Hello.

I'm having a quite big problem.

Yesterday all the files (.mp3 .docx .txt .pdf....) and folders on my desktop suddenly changed and were renamed with .RDM extensions.

So all my files now have this extension .RDM added.

I first tried to rename them and simply delete this .rdm at the end of the file. After that I can open my files again with their appropriate application, but they are all unreadable.

For example I have a movie, let's say "terminator.mkv".

Then it changed to "terminator.mkv.RDM" after the infection.

I delete the RDM at the end to make it simply "terminator.mkv" like it was before. But VLC or any other player cannot read it. It's the same with the mp3. Same with the .pdf (Adobe cannot read it), with the .docx (Office cannot read it) and all the extensions.

This happened in like 20 seconds; it changed all the extensions of hundreds and hundreds of files.
I tried registry cleaning, AdwCleaner, Malwarebytes and I have Avast antivirus always on.

I read a bit about some CRYPTORBIT issues that look a bit similar. But I don't find anything on the net similar to my problem.

Does anyone have any idea how I could get back my files???

I'm afraid all these files have been modified and are impossible to read...

I post a picture of an infected folder among the others for example.

Sorry for my English...

Thanks for your time.



Edited by razpou, 16 December 2015 - 10:24 AM.
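As an added illustration (not from razpou's post), the Python below shows why deleting the .RDM suffix does not bring a file back: the renamed file still fails the magic-byte check for its real type, and its bytes have near-random entropy. The signature table and the 7.5-bit threshold are my assumptions; the sample inputs are constructed.

```python
"""Why renaming an .RDM file does not restore it: its content is still encrypted.
Added example, not part of the thread. Signatures and threshold are assumptions."""
import math
from collections import Counter

# Magic bytes for the types razpou names. An mp3 may start with an ID3 tag or a
# frame sync; .txt has no magic, so only entropy is used for it.
MAGIC = {
    ".mkv":  [b"\x1a\x45\xdf\xa3"],                      # EBML header
    ".pdf":  [b"%PDF-"],
    ".docx": [b"PK\x03\x04"],                            # OOXML is a zip container
    ".mp3":  [b"ID3", b"\xff\xfb", b"\xff\xf3", b"\xff\xf2"],
    ".txt":  [],
}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant stream, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def original_name(name: str) -> str:
    """'terminator.mkv.RDM' -> 'terminator.mkv'; the other Radamant suffixes too."""
    for suffix in (".rdm", ".rrk", ".rad"):
        if name.lower().endswith(suffix):
            return name[: -len(suffix)]
    return name

def assess(name: str, data: bytes, sample=4096):
    """Return (magic_matches, entropy, verdict) from the first `sample` bytes."""
    ext = "." + original_name(name).rsplit(".", 1)[-1].lower()
    head = data[:sample]
    sigs = MAGIC.get(ext, [])
    magic_ok = None if not sigs else any(head.startswith(s) for s in sigs)
    ent = shannon_entropy(head)
    if magic_ok is False or (magic_ok is None and ent > 7.5):
        verdict = "content encrypted; renaming will not help"
    else:
        verdict = "content looks intact"
    return magic_ok, ent, verdict

if __name__ == "__main__":
    # Constructed samples: a PDF-looking header versus a high-entropy byte pattern.
    print(assess("report.pdf.RDM", b"%PDF-1.4\n%...\n" * 50))
    print(assess("terminator.mkv.RDM", bytes((i * 73 + 11) % 256 for i in range(4096))))
```

Run `assess` over a few of the renamed files: a failed magic check with entropy near 8 bits means the data itself was encrypted, which is the case the thread describes.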


#11 SVETLIN80


Posted 16 December 2015 - 10:53 AM

Hi, I have the same problem. You can follow this post for any eventual solution. This is a new cryptolocker and there is no solution for now. Can you check if there is a file api-roxy.exe in the windows\system32 directory, and if you can, check in your msconfig whether there is an allowcoockies..something. If you want, make a screenshot of your msconfig and post it here or in a private message. Thank you!
P.S. Maybe your desktop is black and you have the file yourfiles.html on the desktop?

Edited by Queen-Evie, 16 December 2015 - 01:31 PM.
moved from Windows Crashes, BSOD, and Hangs Help and Support to General Security


#12 razpou


Posted 16 December 2015 - 01:21 PM

Hello. I made a printscreen and I can send a sample of an encrypted file to anyone who may help.

I will send it to you because I think it's too big to be posted here.
I didn't find any files called "api-roxy.exe" in windows/system32. But I printscreened all the files with the name "api" in them, if it can help in any way.

I didn't find anything such as "allowcoockies..".
And I didn't find anything on my desktop called "yourfiles.html".

Is it possible to get such a virus by accepting cookies from a website? Because I think I clicked on "accept cookies" on a website that I was not so sure about yesterday. May the infection have come from there?



#13 SVETLIN80


Posted 16 December 2015 - 01:36 PM

No, accepting cookies is not a problem. I asked you about these files because I have them; they are suspected and I want to know whether they are the infectors, but maybe they are not....



#14 razpou


Posted 16 December 2015 - 01:46 PM

For info, I have hundreds of files that I can't access anymore and that are renamed .RDM.

When I tried to do a registry cleaning, it appeared that almost 2000 errors were present.

Maybe something to do with that... Don't know.
I did the registry cleaning but still, I can't access anything.



#15 razpou


Posted 16 December 2015 - 01:59 PM

-


Edited by razpou, 16 December 2015 - 02:08 PM.




