
Samas (encryptedRSA/AES) Ransomware Support Topic - HELP_DECYPRT_YOUR_FILES.HTML



#1 mysteryz (Members)

Posted 23 December 2015 - 01:06 PM

In a domain environment we are currently experiencing an encryption outbreak. We are unable to find the root of this virus because it appears to have administrative rights and is located on the C: drive of several servers and workstations. We are all too familiar with the former encryption viruses that would show up on share drives and be able to locate the user by the 'Owner' of the "HOW_TO" files. It's not as simple with this virus. It is leaving 'HELPDECYPRT_YOUR_FILES.html' in all infected folders. I attached an image of the html.
 
 
All shadow copies have been deleted.
Real kicker is the client only runs local backups via Backup Exec to a NAS and all the .bkf files have been encrypted.
Has anyone had experience with this virus?




#2 quietman7 (Bleepin' Janitor, Global Moderator)

Posted 24 December 2015 - 09:00 AM

Our Security Colleagues who specialize in crypto malware ransomware have advised this appears to be something new and we are investigating.
Microsoft MVP Consumer Security 2007-2015
Microsoft MVP Reconnect 2016
Windows Insider MVP 2017
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click here

#3 quietman7 (Bleepin' Janitor, Global Moderator)

Posted 24 December 2015 - 10:02 AM

Samples of any encrypted files or suspicious executables (malicious files) that you suspect were involved in causing the infection can be submitted here (http://www.bleepingcomputer.com/submit-malware.php?channel=170) with a link to this topic.

#4 mysteryz (Topic Starter, Members)

Posted 28 December 2015 - 08:41 AM

I have posted a sample of the file to the link you sent me. 



#5 xXToffeeXx (Bleepin' Polar Bear, Malware Response Instructor)

Posted 28 December 2015 - 10:09 AM

Hi mysteryz,
 
Do you know how you became infected (could have been a website you visited, or an email attachment you ran)? A colleague and I have been looking for a sample.
 
Unfortunately I have not seen any other cases.
 
xXToffeeXx~


~If I am helping you and you have not had a reply from me in two days, please send me a PM~

~Currently in my last year of school, so replies might be more delayed~

ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic] - If we have helped you out and you want to support what we do, you can do so here

~Twitter~ | ~Malware Analyst at Emsisoft~


#6 mysteryz (Topic Starter, Members)

Posted 28 December 2015 - 10:12 AM

Our technicians have not been able to find the original infection. They have run Rogue Killer and MBAM on all workstations and servers and found nothing. Most of the servers are virtual so we have taken them offline and disabled the administrator account. So, not sure where or who got the virus. The client uses hosted Exchange from Office 365.



#7 inspectorG (Members)

Posted 28 December 2015 - 10:17 AM

This Virus isn't behaving like any crypto we have seen before.

 

It only leaves help_decrypt_your_files.html and no other files.

 

We have not been able to find where it started from.  The usual places executables are found in are empty.  We have found no registry keys pertaining to anything encrypted.  The file extensions are .encryptedRSA which is an extension we also have never seen. 

 

Shadow copies are gone on most drives.

 

The owner of the help_decrypt files is either listed as administrator or administrators which is also very, very odd.

 

The most concerning part is that we can't seem to find where it started from.  It doesn't appear to be actively encrypting anymore, but when it was it would encrypt for several hours and then appear to stop, then it would wake up again and start encrypting.




#8 smendoza (Members)

Posted 03 January 2016 - 07:48 AM

Same thing here as what inspectorG stated.  We did find that selfdel.exe and del.exe were running on the infected machines.  Killing the tasks or rebooting the systems didn't have them start back up.

 

I have uploaded a sample encrypted file as well.




#9 r34ct1v3 (Members)

Posted 04 January 2016 - 09:19 AM

This is an update to SMendoza's post.

 

So we ultimately found the host of this brand new variation of crypt0locker. We were able to locate it by reviewing the Windows Security Event log, mainly looking for logon events to the affected server or workstations between seconds to 10 minutes prior to the encryption starting.

 

This version uses 6 files as its program engine, however the method in which it gains access to the initial host is still undetermined. The files it uses are ps.exe, samsam.exe, f.bat, and reg.bat. It will store the affected systems' public keys and exe files in C:\temp on the host machine. The xml files will be stored as <servername>_PublicKey.xml.

 

This variation is still very new, and we are still looking into this, but we have already submitted the information to Microsoft, and they have generated a new definition for this specific variation. The Microsoft name for the virus is Ransom:MSIL/Samas.A in definition 1.213.1712.0.

 

As far as the decryption is concerned, I am not certain as to whether or not the encryption can be reversed, as we are in the mindset right now of every other cryptolocker recovery, either by restoration, or total loss.

 

As we look further into this, I'll update this with what each component of this does. I know right now that f.bat is the cause for the removal of all shadow copies.



#10 quietman7 (Bleepin' Janitor, Global Moderator)

Posted 04 January 2016 - 01:57 PM

...I know right now that f.bat is the cause for the removal of all shadow copies...

Most ransomware infections typically delete (though not always) all Shadow Volume Copies with vssadmin.exe so that you cannot restore your files via System Restore, native Windows Previous Versions or using a program like Shadow Explorer. VSSadmin is an administrative tool used to manipulate Shadow Volume copies but most folks will never need to use it and renaming the file does not affect System Restore or disable Shadow Volume copies. However, any ransomware that relies on vssadmin.exe will not be able to use it since renaming makes the file appear non-existent when the malware tries to execute it.
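The host-finding method r34ct1v3 describes in post #9 (logon events in the Security log shortly before encryption began) and the vssadmin.exe shadow-copy deletion quietman7 describes above, turned into one PowerShell triage script. This is an added example, not code from the thread or from any of its posters; it assumes the ransom note file name seen on this page, that it runs elevated on the affected host, and that process-creation auditing with command-line logging (Security event 4688) is enabled for the last step.

```powershell
# Added example (not from the thread). Triage on a host hit by the infection above:
# 1) take the earliest ransom note's creation time as the start of encryption,
# 2) list Security-log logon events (ID 4624) in the window just before it,
# 3) list vssadmin.exe launches (ID 4688) from that time on.
# Assumes: run elevated; note name as seen in this thread (NTFS match is case-insensitive);
# step 3 needs process-creation auditing with command-line logging enabled.
param(
    [string]$Root = 'C:\',
    [string]$NoteName = 'HELP_DECRYPT_YOUR_FILES.html',
    [int]$WindowMinutes = 10
)

# Flatten an event's <EventData><Data Name="..."> entries into an object with one property per field.
function Get-EventFields {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $xml = [xml]$Event.ToXml()
    $fields = @{}
    foreach ($d in $xml.Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
    New-Object -TypeName PSObject -Property $fields
}

# 1. Earliest ransom note = approximate moment encryption began on this host.
$firstNote = Get-ChildItem -Path $Root -Filter $NoteName -Recurse -File -ErrorAction SilentlyContinue |
    Sort-Object CreationTime | Select-Object -First 1
if (-not $firstNote) { Write-Warning "No $NoteName found under $Root"; return }
$start = $firstNote.CreationTime
Write-Host "Earliest ransom note: $($firstNote.FullName) created $start"

# 2. Who logged on in the minutes before encryption started (r34ct1v3's method).
$logons = Get-WinEvent -FilterHashtable @{
    LogName = 'Security'; Id = 4624
    StartTime = $start.AddMinutes(-$WindowMinutes); EndTime = $start
} -ErrorAction SilentlyContinue
$logons | ForEach-Object {
    $f = Get-EventFields $_
    [pscustomobject]@{
        Time        = $_.TimeCreated
        User        = "$($f.TargetDomainName)\$($f.TargetUserName)"
        LogonType   = $f.LogonType      # 3 = network (share), 10 = RDP
        SourceIP    = $f.IpAddress
        Workstation = $f.WorkstationName
    }
} | Sort-Object Time | Format-Table -AutoSize

# 3. Shadow-copy tampering: vssadmin.exe launches (the tool quietman7 names) since that time.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $start.AddMinutes(-$WindowMinutes) } -ErrorAction SilentlyContinue |
    ForEach-Object { Get-EventFields $_ } |
    Where-Object { $_.NewProcessName -like '*\vssadmin.exe' } |
    Select-Object @{ n = 'User'; e = { $_.SubjectUserName } }, NewProcessName, CommandLine |
    Format-Table -AutoSize -Wrap
```

Run it per affected server; the logon that recurs across hosts just before each one's first ransom note is the account to disable and trace back.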

#11 Lomgren (Members)

Posted 18 January 2016 - 12:42 PM

Is there any update on this version of cryptolocker?  I know it is fairly new, but I was wondering if there is any way to detect and remove it, even without recovering the encrypted files.  Or is restoring from backups the only option at this point?



#12 quietman7 (Bleepin' Janitor, Global Moderator)

Posted 18 January 2016 - 05:16 PM

...I was wondering if there is any way to detect and remove it, even without recovering the encrypted files.  Or is restoring from backups the only option at this point?


Crypto ransomware is typically programmed to automatically remove itself...the malicious files responsible for the infection after the encrypting is done since they are no longer needed. However, you don't know how long the malware was on the system before you were alerted or if another piece of malware was responsible for installing it. If other malware was involved it could still be present if your antivirus did not detect and remove it. You can supplement your anti-virus or get a second opinion by performing an Online Virus Scan...ESET Online Scanner is one of the more effective online scanners, followed by a scan with Malwarebytes Anti-Malware.

If you need individual assistance only with removing the malware infection, follow the instructions in the Malware Removal and Log Section Preparation Guide...all other questions or comments should be posted in the support topics. When you have done that, start a new topic and post your logs in the Virus, Trojan, Spyware, and Malware Removal Logs forum, NOT here, for assistance by the Malware Response Team.


As with most ransomware infections...the best solution for dealing with encrypted data is to restore from backups. Most ransomware infections will delete all Shadow Volume Copies so that you cannot restore your files via System Restore, native Windows Previous Versions or using a program like Shadow Explorer...but it never hurts to try in case the infection did not do what it was supposed to do since it is not uncommon for these infections to sometimes fail to properly delete Shadow Volume Copies. In some cases file recovery tools such as R-Studio or Photorec to recover some of your original files may be helpful but there is no guarantee that will work.

If that is not a viable option and if there is no fix tool, the only other alternative is to save your data as is and wait for a possible breakthrough...meaning, what seems like an impossibility at the moment (decryption of your data), there is always hope someday there may be a possible solution so save the encrypted data and wait until that time.

#13 Grinler (Lawrence Abrams, Admin)

Posted 21 March 2016 - 05:20 PM

Looks like this infection is related to this:

https://blog.knowbe4.com/fbi-and-microsoft-warn-against-hybrid-ransomware-attack
http://eweb.cabq.gov/CyberSecurity/Security%20Related%20Documents/FLASH%20MC-000068-MW.pdf
https://blogs.technet.microsoft.com/mmpc/2016/03/17/no-mas-samas-whats-in-this-ransomwares-modus-operandi/

Have a media/press request for anyone who was affected by this ransomware and who would potentially be willing to talk to them. If you are interested, please send me a private message and I will send over relevant info.

#14 rclinard (Members)

Posted 06 April 2016 - 08:37 AM

anyone have any update on this as far as decryption is concerned?  I, in particular, have the encryptedAES variant...



#15 Demonslay335 (Ransomware Hunter, Security Colleague)

Posted 06 April 2016 - 09:29 AM

anyone have any update on this as far as decryption is concerned?  I, in particular, have the encryptedAES variant...

 

Afraid not. This one uses strong cryptography, and the asymmetric private RSA key is passed manually by the attackers then deleted. Your entire network is compromised if you have been hit by this, as the hackers have literal access to all systems with remote access, and laterally move about the network. The initial vector attack is a vulnerability with outdated JBoss utilities.

 

The FBI has actually become involved with this one and has put out an advisory: http://www.reuters.com/article/us-usa-cyber-ransomware-idUSKCN0WU1GB

 

You can read more about this ransomware in this topic, with my technical analysis in Post #13.


ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.
