Bitmessage (Ungluk) Ransomware (.bleep, .1999, .0x0, .H3LL, .fu*k)


19 replies to this topic

#1 quetzalin


Posted 23 December 2015 - 06:00 PM

Hello!,
 
I'm coming here asking desperately for help. One of the computers at a friend's office got infected with one of these Cryptolocker viruses, so he doesn't have access to any of the crucial files like databases, docs, PDFs... and the network shared folders got infected too.
 
He doesn't have a backup so he is really screwed so far.
 
All the infected files got a .bleep extension added to them (example: document.pdf.bleep), and he has two files in every infected folder: FILESAREGONE.TXT and IHAVEYOURSECRET.KEY.
 
The text inside IHAVEYOURSECRET.KEY is a public key, I think (just a bunch of random characters ending in ==).
 
The text inside FILESAREGONE.TXT is the typical ransom text from these infections:
Hello.
All your files have been encrypted using our extremely strong private key. There is no way to recover them without our assistance. If you want to get your files back, you must be ready to pay for them. If you are broke and poor, sorry, we cannot help you. If you are ready to pay, then get in touch with us using a secure and anonymous p2p messenger. We have to use a messenger, because standard emails get blocked quickly and if our email gets blocked your files will be lost forever.
 
Go to http://bitmessage.org/, download and run Bitmessage. Click Your Identities tab > then click New > then click OK (this will generate your personal address, you need to do this just once). Then click Send tab. 

TO: xxxxxxxxxxxx
SUBJECT: name of your PC or your IP address or both. 
MESSAGE:  Hi, I am ready to pay.

Click Send button.

You are done.

To get the fastest reply from us with all further instructions, please keep your Bitmessage running on the computer at all times, if possible, or as often as you can, because Bitmessage is a bit slow and it takes time to send and get messages. If you cooperate and follow the instructions, you will get all your files back intact and very, very soon. Thank you.
I uploaded an infected .pdf file here so you can download and check it, and here is the original, uninfected file (I'm not sure this is actually the exact original, though).
 
So far I disinfected the computer and tried to rename all the files back with a script, but it obviously didn't help since they are... encrypted.
 
Is there any tool I can use to scan which files are infected/encrypted in the whole system? I found two tools so far, http://omnispear.com/cryptolocker-scan-tool/ and http://download.bleepingcomputer.com/grinler/ListCrilock.exe, but I'm not sure they will scan some of the files he has (some have a strange extension; they are databases used with his invoicing programs, but I think they are actually .DBF files).
 
Also, do you think I will have any luck restoring files using Windows Shadow Copy? I will check tomorrow whether his Windows even has this feature installed/enabled (the computer has Windows XP).
 
Thanks a lot!

Edited by quietman7, 17 June 2016 - 09:58 PM.


#2 quietman7


Posted 23 December 2015 - 06:32 PM

Appears to be a new ransomware infection but the ransom note language looks similar to this report at Kaspersky forums but uses different names.

...Is there any way to decrypt files that have the *.1999 extension.... I also noticed 2 files next to them:
1. Hellothere.txt
2. Secretishere.key


I have advised our Security Colleagues who specialize in crypto malware ransomware with a link to this topic.

Please submit a sample of an encrypted file here (http://www.bleepingcomputer.com/submit-malware.php?channel=3) with a link to this topic.

You can also submit samples of suspicious executables or any malware files that you suspect were involved in causing the infection. Doing that will be helpful with analyzing and investigating.

These are common locations malicious executables related to ransomware infections may be found:
%Temp%
C:\<random>\<random>.exe
%AppData%
%LocalAppData%
%ProgramData%
%WinDir%
Microsoft MVP Consumer Security 2007-2015
Microsoft MVP Reconnect 2016
Windows Insider MVP 2017
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#3 quetzalin


Posted 23 December 2015 - 08:25 PM


Okay, I submitted one sample of an encrypted file together with its original (or at least a copy of what I think is the original).

I will try to get any malicious executables; I don't know if I still have any left, since I already disinfected the computer, but I will double-check those folders/locations.

 

Thanks!



#4 quietman7


Posted 23 December 2015 - 08:30 PM

Not a problem.

#5 quietman7


Posted 23 December 2015 - 11:07 PM

I did some more research and it appears you are dealing with a variant of Win32/Filecoder (aka Gpcode ransomware or Encoder), which has been around for years, uses a secure encryption algorithm and is not decryptable.

Win32/Filecoder is a crypto malware infection detected by ESET. According to their research lab, there are several different variants, for which they add a modifier or additional information after the name that further describes what type of ransomware it is. Most of the Filecoder (Encoder) threat detections are more commonly identified as CryptoLocker, Cryptowall and CTB locker, but they are not actually the same.

The Win32/Filecoder.FD variant encrypts data, appends a .0x0 extension to the end of each filename and leaves a ransom note named READTHISNOW!!!.TXT with a SECRET.KEY file. Other variants have been reported with a .H3LL, .bleep, .1999 or .fu*k extension appended to the filename, leaving ransom notes with names like FILESAREGONE.TXT, IAMREADYTOPAY.TXT, HELLOTHERE.TXT, BLEEPEDFILES.TXT and IHAVEYOURSECRET.KEY, SECRETIDHERE.KEY files. In this report at Kaspersky forums, the content of the ransom notes is essentially identical, with instructions to go to hxxp://bitmessage.org/.


#6 quetzalin


Posted 24 December 2015 - 06:53 PM

Okay, after all the information you provided we decided to take a leap of faith and pay.... because without the lost information their company will collapse.

 

So I started the process with them to contact the virus author, and we actually got a few replies from him.

 

First he asks to be paid in bitcoins; he asks for 2.5 bitcoins, which is about 1000 euro, quite an important amount of money....

 

But before we pay anything, I told him I need proof he can actually decrypt the files. He agreed to decrypt a single file, so I sent him a .pdf. Another important thing is that I also told him I need an explanation of how the decryption process will work, since I'm not sure how this works; I think I've seen on other threads here (and/or other sites) that they usually use the same .exe, or whatever virus your computer is infected with, to do the decryption. The problem is, the computer is already disinfected (or at least I think so, since I removed any trace of suspicious files with malware scanners and manually), so there shouldn't be anything left and this method won't work.

I guess I will need a decrypter executable together with the private key. Is there any public decrypter I can use, or should the attacker provide me one? I hope the decrypter will be able to scan the whole disk, since we don't know 100% the location of every infected database file (their hard drive file tree is a huuuuuuge mess).

 

Thanks!


Edited by quetzalin, 24 December 2015 - 07:10 PM.


#7 wajika


Posted 25 December 2015 - 08:23 AM

Is there a way to repair the file?



#8 quetzalin


Posted 28 December 2015 - 05:36 AM

Hello again!

 

Today we got the decrypt.exe and the private key file.... the problem is, I need to do it file by file... this is going to take aaaaaaaaages this way.

 

The command line for the decrypt.exe I got is the following:

DECRYPTOR Usage: decrypt.exe -k [key of decrypt] -f [file for decrypt] -e [extension of file with dot]

I'm trying to figure out a way to automate the process or make it faster... and I'm trying to do it with a .bat script.

 

This is what I've got so far, but I don't know if it will work:

FOR /R %%f IN (*.bleep) DO decrypt.exe -k decrypt.key -f "%%f" -e "%%~xf"

(I'm going to manually edit every .bat with the correct extension, since not all the encrypted files are actually .bleep.)

 

Actually, is there any way to give the script a list of all the extensions?

 

My idea is to just run it on C:\ and let it recursively check every file with the extension...

 

Don't know if that will work!

 

Thanks!


Edited by quetzalin, 28 December 2015 - 06:11 AM.


#9 quetzalin


Posted 28 December 2015 - 11:08 AM

Ok, forget about the batch script, I got it working.

 

Now I have a bigger problem: I don't know, among ALL the files I've got, which ones require decrypting and which ones don't (mostly database files like .dbf files). I hate myself right now, because if I hadn't batch-removed the .lol extension from the infected files I would be able to tell easily now......

The thing is, if I run the utility on a non-encrypted file, the file gets corrupted :/ so I need to know exactly which ones...

 

Is there any chance somewhere/someone can build a utility that scans my filesystem and gives me a list of the encrypted files?

 

If it helps I can provide the decrypter.exe and the .key file I got from the hacker; I can also provide an encrypted and a decrypted file, so by comparing them maybe something can be made...

 

Thanks :(
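The two problems raised in posts #8 and #9 (feeding the decrypter a list of files instead of one fixed extension, and telling encrypted files from untouched ones once the extension is gone) both come down to recognising ciphertext by content rather than by filename. Below is an added example, not code from this thread or from any tool it mentions: a read-only Python scanner that checks each file's leading bytes against a constructed table of known headers (PDF, Office, DBF, a couple of image types) and otherwise falls back to byte entropy. The signature table, the DBF heuristic and the 7.5 bits-per-byte threshold are assumptions of mine, and the scan assumes the encrypted files carry no recognisable header at the start.

```python
import math
import os
from collections import Counter

# Constructed table of leading bytes for the file types the thread mentions
# (PDF, Office documents) plus a few common ones; it is not exhaustive.
KNOWN_SIGNATURES = {
    b"%PDF": "pdf",
    b"PK\x03\x04": "zip/ooxml (docx, xlsx)",
    b"\xd0\xcf\x11\xe0": "ole2 (doc, xls)",
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG": "png",
}
# dBASE/FoxPro .dbf files start with a version byte rather than a fixed string.
DBF_VERSION_BYTES = {0x02, 0x03, 0x30, 0x31, 0x83, 0x8B, 0xF5}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the sample; close to 8.0 means near-random, as ciphertext is."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def looks_like_dbf(header: bytes) -> bool:
    """Heuristic (assumption): DBF header = version byte, YYMMDD last-update date, counts."""
    if len(header) < 32 or header[0] not in DBF_VERSION_BYTES:
        return False
    month, day = header[2], header[3]
    return 1 <= month <= 12 and 1 <= day <= 31

def classify(sample: bytes, entropy_threshold: float = 7.5) -> str:
    """Return 'known:<type>', 'likely-encrypted' or 'unknown' for a file's leading bytes."""
    for magic, name in KNOWN_SIGNATURES.items():
        if sample.startswith(magic):
            return f"known:{name}"
    if looks_like_dbf(sample):
        return "known:dbf"
    # Only judge entropy on a reasonable sample; tiny files give unreliable values.
    if len(sample) >= 256 and shannon_entropy(sample) >= entropy_threshold:
        return "likely-encrypted"
    return "unknown"

def scan_tree(root: str, sample_size: int = 4096) -> dict:
    """Walk root read-only and map each file path to its classification."""
    results = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    results[path] = classify(fh.read(sample_size))
            except OSError as exc:
                results[path] = f"error:{exc.strerror}"
    return results
```

Run scan_tree on a copy of the tree and review the 'likely-encrypted' paths before passing any of them to the decrypter; compressed formats without a known header (archives, some image types) will also score as high entropy.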



#10 wajika


Posted 28 December 2015 - 10:15 PM


 

Hello quetzalin, can you provide decrypt.exe and try to decrypt this for me? Thanks



#11 wajika


Posted 03 January 2016 - 08:16 PM

Does anyone else have a decryption tool?



#12 quetzalin


Posted 04 January 2016 - 03:30 AM


Sorry about being so slow. I uploaded the tool for you and anyone who wants to gut it and play with it. The download link is here: https://www.sendspace.com/file/046n81

 

(I also uploaded it to the forum using the Malware submit tool).

 

I didn't upload the private key; you will need the private key in order for it to work. The private key must be named decrypt.key and be in the same folder as the .exe.

 

The tool has two working modes:

  1. Contrary to what I said before, it has an automatic mode, but it is kinda dangerous if you ask me, and I will explain why below.
    You can just execute the .exe and it will ask for the file extension you want to decrypt; in my case it was .bleep, so I just typed .bleep and on the next step literally typed Yes. The tool will then run on every file with the typed extension on your computer and shared folders (not only in the folder where the .exe is), decrypting them and removing the .bleep extension so they are left with the original one. Seems easy, but... NOW, why do I say it is dangerous? Because, at least in my case, NOT every .bleep file renamed by the virus was actually encrypted. So what happens if the tool runs over non-encrypted files? They get encrypted! And it uses a different private key, so your decrypt.key is invalid. So be VERY careful: back up your data before you try anything with this tool.
  2. Manual mode, explained previously: DECRYPTOR Usage: decrypt.exe -k [key of decrypt] -f [file for decrypt] -e [extension of file with dot]

Don't know if anyone can check this tool and actually try to obtain the private key it uses to encrypt your data.


Edited by quetzalin, 04 January 2016 - 03:32 AM.


#13 wajika


Posted 12 January 2016 - 02:37 AM

 


 

 

 

 

I'm sorry, I forgot to reply.

This tool cannot decrypt my file :(
 



#14 zebong


Posted 14 January 2016 - 10:14 AM

hi,

 

The key is the file in the folder with the name IHAVEYOURSECRET.KEY.

 

Thanks



#15 TaterHawk


Posted 02 May 2016 - 10:47 PM

Hello, my office has been hit with the ransomware that has changed our file extensions to "crypt". We got the ransom request note that tells us to go to .onion and buy bitcoin to get our files back. That is not an option. Please, I have researched and read all that I can understand online (other than the advertising hacks). I have identified the culprit who let this crap into our network as being an old XP machine our boss was running in tandem with a newer computer on our network. I have "cut off the infected appendage", i.e. disconnected his XP machine; the crypto locker completely locked all his files. We have scanned all the other computers on the network and they are clean, but the server where all our files are stored is all locked. Is 5 years of very hard work just gone? Are we just screwed? We had a backup hard drive and it got that also.

Any help would be greatly appreciated.

Tater





