
Odd Encryption....Which one is this?


This topic is locked
4 replies to this topic

#1 dwjtcg

Posted 28 December 2015 - 12:54 PM

Hi folks. I had a home user contact me over the weekend after she opened an e-mail. Short story: I have the system running in safe mode now and when I try to open any Office docs, the installer starts to run and then I get an error that says it doesn't recognize the license. Then I get another error that says the file cannot be opened. I found only a few text files that cause me to suspect it's some version (?) of a crypto virus. Here is the text of the two files and their names:

 

(Name of file is)

recover_file_qhjbehuje

 

(Contains the following text / gibberish)

 

1LXUxTiLUgsfQCtbmJyP9S1uXGDQ8XLgcd
A69B593C54432A407F88988D0E8FA775E8B4228D3DC8BA12DE212B7C67CAFCDB
5FB399A084C0C2983362B5F7A52D7C6692AE4FE9ACB7003EDCF7244CC957838AB303FDE4CB0D056965FDE65B31D5567A396FFAF14F44EA2191C5CE92A8ED1850
8411ACAE9E34AE
80

 

The only other file I found is this one:

(name of file is)

recover_file_xjgkxlmrg

 

(contains the following text / gibberish)

1LXUxTiLUgsfQCtbmJyP9S1uXGDQ8XLgcd
A69B593C54432A407F88988D0E8FA775E8B4228D3DC8BA12DE212B7C67CAFCDB
5FB399A084C0C2983362B5F7A52D7C6692AE4FE9ACB7003EDCF7244CC957838AB303FDE4CB0D056965FDE65B31D5567A396FFAF14F44EA2191C5CE92A8ED1850
8411ACAE9E34AE
80

 

They seem to be the same as for context - did not go through each to confirm that - would rather try to give a cat a bath than to fully compare the two files....

 

Any ideas, thoughts, comments or suggestions?

 

BTW - the customer had completed a full backup earlier in the week with a cloud solution I recommended to them, so there IS some good news in this. I am more curious as to what this one is...

 

Thanks!

DWJ




#2 quietman7 (Global Moderator)

Posted 28 December 2015 - 05:15 PM

I have advised our Security Colleagues who specialize in crypto malware ransomware with a link to this topic.

Please submit a sample of an encrypted file here (http://www.bleepingcomputer.com/submit-malware.php?channel=3) with a link to this topic.

You can also submit samples of any suspicious executables (malicious files) that you suspect were involved in causing the infection. Doing that will be helpful with analyzing and investigating.

These are common locations malicious executables related to ransomware infections may be found:
%Temp%
C:\<random>\<random>.exe
%AppData%
%LocalAppData%
%ProgramData%
%WinDir%
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
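The two posts above describe a manual triage: compare the ransom notes, submit samples, and hunt the listed drop locations for executables. The script below is an added example (not code from the thread, from BleepingComputer, or from any ransomware decryptor) that does the same job offline in Python 3 with only the standard library. It sweeps a directory for `recover_file_*` notes and groups them by SHA-256, so the question of whether dwjtcg's two copies are identical is answered without reading them; it Base58Check-validates the first line of a note, because the quoted notes open with a string shaped like a legacy Bitcoin address (that is an observation about the quoted text, not a claim about TeslaCrypt's note format in general); it reports only the byte lengths of the hex lines that follow, with no guess at what they hold; and it lists recently modified `.exe` files under the directories quietman7 names. `NOTE_TEXT` is a constructed copy of the note dwjtcg posted, `demo()` writes it into a scratch directory, and the `%VAR%` drop paths only expand on Windows, so on other systems that part of the sweep finds nothing.

```python
"""Triage helper for a suspected crypto-ransomware infection (added example)."""
import hashlib
import os
import tempfile
import time
from pathlib import Path
from typing import Optional

# Constructed copy of the note text quoted in the thread.
NOTE_TEXT = """1LXUxTiLUgsfQCtbmJyP9S1uXGDQ8XLgcd
A69B593C54432A407F88988D0E8FA775E8B4228D3DC8BA12DE212B7C67CAFCDB
5FB399A084C0C2983362B5F7A52D7C6692AE4FE9ACB7003EDCF7244CC957838AB303FDE4CB0D056965FDE65B31D5567A396FFAF14F44EA2191C5CE92A8ED1850
8411ACAE9E34AE
80
"""

# Drop locations from quietman7's reply. %VAR% expands only on Windows; elsewhere
# the paths do not exist and are skipped.
SUSPECT_DIRS = ["%Temp%", "%AppData%", "%LocalAppData%", "%ProgramData%", "%WinDir%"]

B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
HEX_CHARS = set("0123456789abcdefABCDEF")


def b58decode(s: str) -> bytes:
    """Decode Base58 text to bytes; each leading '1' stands for a leading 0x00 byte."""
    n = 0
    for ch in s:
        n = n * 58 + B58_ALPHABET.index(ch)  # ValueError on a non-Base58 character
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    leading_ones = len(s) - len(s.lstrip("1"))
    return b"\x00" * leading_ones + body


def check_btc_address(addr: str) -> dict:
    """Base58Check a legacy Bitcoin address: 1 version byte + 20-byte hash + 4-byte checksum,
    where the checksum is the first 4 bytes of SHA-256(SHA-256(version || hash))."""
    try:
        raw = b58decode(addr)
    except ValueError:
        return {"ok": False, "reason": "not Base58"}
    if len(raw) != 25:
        return {"ok": False, "reason": f"decoded to {len(raw)} bytes, expected 25"}
    payload, checksum = raw[:21], raw[21:]
    expect = hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]
    ok = checksum == expect
    return {"ok": ok, "version": payload[0], "reason": "" if ok else "bad checksum"}


def find_notes(root: Path, prefix: str = "recover_file_") -> dict:
    """Group notes under root by SHA-256 of their bytes; a single group means identical copies."""
    groups: dict = {}
    for p in root.rglob(prefix + "*"):
        if p.is_file():
            groups.setdefault(hashlib.sha256(p.read_bytes()).hexdigest(), []).append(p)
    return groups


def parse_note(path: Path) -> dict:
    """Split a note into its first line (address-shaped in the quoted notes) and the hex lines after it."""
    lines = [ln.strip() for ln in path.read_text().splitlines() if ln.strip()]
    hex_blobs = [ln for ln in lines[1:] if set(ln) <= HEX_CHARS]
    return {
        "address": lines[0],
        "address_check": check_btc_address(lines[0]),
        "hex_blob_bytes": [len(h) // 2 for h in hex_blobs],  # sizes only; no claim about contents
    }


def recent_executables(dirs=SUSPECT_DIRS, max_age_days: float = 7.0) -> list:
    """Paths of *.exe files modified within max_age_days under dirs, newest first."""
    cutoff = time.time() - max_age_days * 86400
    hits = []
    for d in dirs:
        base = Path(os.path.expandvars(d))
        if not base.is_dir():
            continue
        for p in base.rglob("*.exe"):
            try:
                mtime = p.stat().st_mtime
            except OSError:  # unreadable or vanished file; keep sweeping
                continue
            if mtime >= cutoff:
                hits.append((mtime, str(p)))
    return [path for _, path in sorted(hits, reverse=True)]


def demo(root: Optional[Path] = None) -> dict:
    """Write the two quoted notes into a scratch directory and triage them."""
    root = root or Path(tempfile.mkdtemp(prefix="triage_"))
    for name in ("recover_file_qhjbehuje", "recover_file_xjgkxlmrg"):
        (root / name).write_text(NOTE_TEXT)
    groups = find_notes(root)
    sample = next(iter(groups.values()))[0]
    return {"distinct_notes": len(groups), "note": parse_note(sample),
            "recent_exes": recent_executables()}


if __name__ == "__main__":
    result = demo()
    print("distinct note contents:", result["distinct_notes"])
    print("first line:", result["note"]["address"], result["note"]["address_check"])
    print("hex line sizes (bytes):", result["note"]["hex_blob_bytes"])
    print("recent executables in drop locations:", result["recent_exes"][:20])
```

On a real case point `find_notes` at the user's profile or drive root instead of the scratch directory, and expect the `%WinDir%` sweep to take a while. The checksum result is reported, not asserted: a note author can put any string on that line, so a failed Base58Check tells you the line is not a usable address, while a passing one only tells you it is well-formed.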

#3 dwjtcg (Topic Starter)

Posted 28 December 2015 - 07:20 PM

Thanks Quietman7. I submitted the file. I am going to see if I can locate any executables and maybe submit them as well.



#4 xXToffeeXx (Malware Response Instructor)

Posted 29 December 2015 - 02:59 PM

Hi dwjtcg,
 
It's TeslaCrypt, very common ransomware these days.
 
xXToffeeXx~


ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic] | Malware Analyst at Emsisoft


#5 quietman7 (Global Moderator)

Posted 29 December 2015 - 03:25 PM

Thanks for confirming xXToffeeXx.


dwjtcg...A repository of all current knowledge regarding TeslaCrypt, Alpha Crypt and newer variants is provided by Grinler (aka Lawrence Abrams), in this topic: TeslaCrypt and Alpha Crypt Ransomware Information Guide and FAQ

Information about and support for decrypting files affected by TeslaCrypt & Alpha Crypt ransomware can be found in this topic:

There is an ongoing discussion in this topic where you can ask questions and seek further assistance. Rather than have everyone start individual topics, it would be best (and more manageable for staff) if you posted any questions, comments or requests for assistance in that topic discussion. Doing that will also ensure you receive proper assistance from our crypto malware experts since they may not see this thread. To avoid unnecessary confusion...this topic is closed.

Thanks
The BC Staff