Hit by ransomware


5 replies to this topic

#1 LSeay

  • Members
  • 1 posts

Posted 31 December 2015 - 10:22 AM

Just found this awesome website and forum!! Been hit by this ransomware malware and trying to get it resolved!!

#2 quietman7 (Bleepin' Janitor)

  • Global Moderator
  • 51,954 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 31 December 2015 - 03:46 PM

Are there any file extensions appended to your files...such as .ecc, .ezz, .exx, .zzz, .xyz, .aaa, .abc, .ccc, .vvv, .encrypted, .locked, .crypto, _crypt, .crinf, .XRNT, .XTBL, .crypt, .pzdc, .good, .LOL!, .OMG!, .RDM, .RRK, .encryptedRSA, .EnCiPhErEd, .0x0, .bleep, .1999, .vault, .HA3, .toxcrypt, .CTBL, .CTB2, or 6-7 length extension consisting of random characters?

Is there any notice (message) which says something like..."Your files are locked and encrypted with a unique RSA-1024 key!"?

Did you find any ransom note? These infections are created to alert victims that their data has been encrypted and demand a ransom payment. Check your documents folder for an image the malware typically uses for the background note. Check the C:\ProgramData (or C:\Documents and Settings\All Users\Application Data) for a randomly named .html, .txt, .png, .bmp, .url file.

These are some examples:
HELP_DECRYPT.TXT, HELP_YOUR_FILES.TXT, HELP_TO_DECRYPT_YOUR_FILES.txt
HELP_RESTORE_FILES.txt, HELP_TO_SAVE_FILES.txt, RECOVERY_KEY.txt, DecryptAllFiles.txt
DECRYPT_INSTRUCTIONS.TXT, INSTRUCCIONES_DESCIFRADO.TXT, How_To_Recover_Files.txt
DECRYPT_INSTRUCTION.TXT, HOW_TO_DECRYPT_FILES.TXT, ReadDecryptFilesHere.txt, About_Files.txt, 
FILESAREGONE.TXT, IAMREADYTOPAY.TXT, HELLOTHERE.TXT, READTHISNOW!!!.TXT, SECRETIDHERE.KEY
IHAVEYOURSECRET.KEY, SECRET.KEY, Help_Decrypt.txt, HELP_DECYPRT_YOUR_FILES.HTML
YOUR_FILES.HTML, DecryptAllFiles_<user name>.txt, encryptor_raas_readme_liesmich.txt
DecryptAllFiles_.txt, RECOVERY_FILES.txt, help_decrypt_your_files.html, YOUR_FILES.url
Howto_RESTORE_FILES_.txt, RECOVERY_FILE.TXT, RECOVERY_FILE_.txt, restore_files_.txt
howto_recover_file_.txt, how_recover+****.txt, _how_recover_.txt, recover_file_*****.txt

Note: The (*) represents random characters which some ransom notes names may include.
Once we have identified which particular ransomware you are dealing with, I can direct you to the appropriate discussion topic for further assistance.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
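The triage quietman7 describes above (look for appended extensions and for ransom-note file names) can be automated across a whole drive or share. The script below is an added example written for this page, not code from the post or from BleepingComputer; the extension and note-name lists are taken from the post, the "document extension underneath an unknown suffix" heuristic (report.docx.vvv) is my own addition for catching families that use random extensions, and the sample directory it scans is constructed in a temporary folder rather than taken from a real victim.

```python
"""Count ransomware artefacts in a directory tree: appended extensions and ransom notes."""
import os
import re
import tempfile
from collections import Counter

# Extensions listed in the post, lower-cased. '_crypt' is appended without a dot.
KNOWN_EXTENSIONS = {
    ".ecc", ".ezz", ".exx", ".zzz", ".xyz", ".aaa", ".abc", ".ccc", ".vvv",
    ".encrypted", ".locked", ".crypto", ".crinf", ".xrnt", ".xtbl", ".crypt",
    ".pzdc", ".good", ".lol!", ".omg!", ".rdm", ".rrk", ".encryptedrsa",
    ".enciphered", ".0x0", ".bleep", ".1999", ".vault", ".ha3", ".toxcrypt",
    ".ctbl", ".ctb2",
}

# Exact ransom-note names from the post (matched case-insensitively).
NOTE_NAMES = {n.lower() for n in (
    "HELP_DECRYPT.TXT", "HELP_YOUR_FILES.TXT", "HELP_TO_DECRYPT_YOUR_FILES.txt",
    "HELP_RESTORE_FILES.txt", "HELP_TO_SAVE_FILES.txt", "RECOVERY_KEY.txt",
    "DecryptAllFiles.txt", "DECRYPT_INSTRUCTIONS.TXT", "INSTRUCCIONES_DESCIFRADO.TXT",
    "How_To_Recover_Files.txt", "DECRYPT_INSTRUCTION.TXT", "HOW_TO_DECRYPT_FILES.TXT",
    "ReadDecryptFilesHere.txt", "About_Files.txt", "FILESAREGONE.TXT",
    "IAMREADYTOPAY.TXT", "HELLOTHERE.TXT", "READTHISNOW!!!.TXT", "SECRETIDHERE.KEY",
    "IHAVEYOURSECRET.KEY", "SECRET.KEY", "HELP_DECYPRT_YOUR_FILES.HTML",
    "YOUR_FILES.HTML", "encryptor_raas_readme_liesmich.txt", "RECOVERY_FILES.txt",
    "help_decrypt_your_files.html", "YOUR_FILES.url", "RECOVERY_FILE.TXT",
)}

# Note names the post gives with a random-character or user-name part.
NOTE_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (
    r"^DecryptAllFiles_.*\.txt$", r"^Howto_RESTORE_FILES_.*\.txt$",
    r"^RECOVERY_FILE_.*\.txt$", r"^restore_files_.*\.txt$",
    r"^howto_recover_file_.*\.txt$", r"^how_recover\+.*\.txt$",
    r"^_how_recover_.*\.txt$", r"^recover_file_.*\.txt$",
)]

# Heuristic (my addition, not from the post): a normal document extension sitting
# under a short unknown suffix, e.g. stock.xlsx.a1b2c3, is an appended extension.
DOCUMENT_EXTENSIONS = {".doc", ".docx", ".xls", ".xlsx", ".pdf", ".jpg",
                       ".png", ".txt", ".mdb", ".pst"}


def classify_file(name):
    """Return ('note', name), ('ext', suffix), or None for one file name."""
    lower = name.lower()
    if lower in NOTE_NAMES or any(p.match(name) for p in NOTE_PATTERNS):
        return ("note", lower)
    if lower.endswith("_crypt"):
        return ("ext", "_crypt")
    stem, suffix = os.path.splitext(lower)
    if suffix in KNOWN_EXTENSIONS:
        return ("ext", suffix)
    inner = os.path.splitext(stem)[1]
    if inner in DOCUMENT_EXTENSIONS and suffix not in DOCUMENT_EXTENSIONS and 1 < len(suffix) <= 8:
        return ("ext", suffix)
    return None


def scan_tree(root):
    """Walk root and count ransom notes and appended extensions."""
    notes, extensions = Counter(), Counter()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            hit = classify_file(name)
            if hit is None:
                continue
            kind, value = hit
            target = notes if kind == "note" else extensions
            target[value] += 1
    return {"notes": dict(notes), "extensions": dict(extensions)}


def build_sample_tree():
    """Constructed sample victim folder (empty files, not real data) for a stand-alone run."""
    root = tempfile.mkdtemp(prefix="ransom_triage_")
    docs = os.path.join(root, "Documents")
    os.makedirs(docs)
    for name in ("invoice.docx.vvv", "stock.xlsx.vvv", "photo.jpg.vvv",
                 "notes.txt", "howto_recover_file_abcde.txt", "HELP_DECRYPT.TXT"):
        open(os.path.join(docs, name), "w").close()
    progdata = os.path.join(root, "ProgramData")
    os.makedirs(progdata)
    for name in ("IHAVEYOURSECRET.KEY", "ledger.mdb.a1b2c3"):
        open(os.path.join(progdata, name), "w").close()
    return root


if __name__ == "__main__":
    print(scan_tree(build_sample_tree()))
```

Run it against the root of the affected drive (or a mounted copy of it) instead of the constructed sample; the extension with the highest count and the note names found together are what you would report back in a thread like this one. Note that only the artefacts are counted; mapping them to a family still needs a human or a tool that knows the families.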

#3 ElliGreece2

  • Members
  • 1 posts

Posted 07 January 2016 - 01:54 PM

My files have also been encrypted. New Year's Eve. Can anyone help? I have a small store on an island. I can't afford to pay the ransom. The files for the program I use for stock, invoicing etc. have been encrypted. Everything!!! The back-up too. This is really a huge problem for me!! They actually sent me a ransom note via my printer. "IHAVEYOURSECRET.KEY" and a note "I AM READY TO PAY" with instructions using Bitmessage. Help!!!


Edited by ElliGreece2, 07 January 2016 - 01:55 PM.


#4 quietman7 (Bleepin' Janitor)

  • Global Moderator
  • 51,954 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 07 January 2016 - 03:26 PM

...They actually sent me a ransom note via my printer. "IHAVEYOURSECRET.KEY" and a note "I AM READY TO PAY" with instructions using Bitmessage. Help!!!

You are dealing with a variant of Win32/Filecoder.

The detailed description for the Win32/Filecoder.FD variant says it encrypts data with a .0x0 extension appended to the filename and leaves a READTHISNOW!!!.TXT and SECRET.KEY. Other variants have been reported with a .bleep or .1999 extension appended to the filename, leaving ransom notes named FILESAREGONE.TXT, HELLOTHERE.TXT, IHAVEYOURSECRET.KEY, SECRETIDHERE.KEY. See this report at Kaspersky forums. The content of the ransom notes is essentially identical, with instructions to go to http://bitmessage.org/.

There is an ongoing discussion in this topic where you can ask questions and seek further assistance.

#5 dannyboy950

  • Members
  • 1,338 posts
  • Gender:Male
  • Location:port arthur tx

Posted 07 January 2016 - 03:48 PM

I have noticed a lot of people reporting their data being encrypted as being a virus or malware of some sort.

Is this a misconception on their part, or is some of this delivered by virus or malware?

Just curious.


HP 15-f009wm notebook AMD-E1-2100 APV 1Ghz Processor 8 GB memory 500 GB Hdd

Linux Mint 17.3 Rosa Cinnamon


#6 quietman7 (Bleepin' Janitor)

  • Global Moderator
  • 51,954 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 07 January 2016 - 04:00 PM

Crypto malware and other forms of ransomware are typically spread and delivered through social engineering (trickery) and user interaction...opening a malicious email attachment (usually from an unknown or unsolicited source), clicking on a malicious link within an email or on a social networking site. Crypto malware can be disguised as fake PDF files in email attachments which appear to be legitimate correspondence from reputable companies such as banks and other financial institutions, or phony FedEx and UPS notices with tracking numbers. Attackers will use email addresses and subjects (purchase orders, bills, complaints, other business communications) that will entice a user to read the email and open the attachment. Another method involves tricking unwitting users into opening Order Confirmation emails by asking them to confirm an online e-commerce order, purchase or package shipment. Still another technique uses spam emails and social engineering to infect a system by enticing users to open an infected Word document with embedded macro viruses and convincing them to manually enable macros that allow the malicious code to run. Social engineering has become one of the most prolific tactics for distribution of malware, identity theft and fraud.

Crypto malware can also be delivered via exploit kits and drive-by downloads when visiting compromised web sites...see US-CERT Alert (TA14-295A). Some victims have encountered crypto malware from ransomware malware executables, packaged NW.js applications using JavaScript, or following a previous infection from one of several botnets such as Zbot (frequently used in the cyber-criminal underground) which downloads and executes the ransomware as a secondary payload from infected websites...see US-CERT Alert (TA13-309A).

There also have been reported cases where crypto malware has spread via YouTube ads and on social media, a popular venue where cyber-criminals can facilitate the spread of all sorts of malicious infections.
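The two lures quietman7 describes above, an executable dressed up as a "PDF" attachment and an Office document that needs the user to enable macros, can both be caught at the mail gateway before anyone clicks. The script below is an added example written for this page, not code from the post or from BleepingComputer. It checks three things: a double extension such as invoice.pdf.exe, a mismatch between the claimed type and the file's magic bytes (a PE file starts with "MZ", a PDF with "%PDF"), and the presence of a vbaProject.bin part inside an OOXML (zip) container, which is where Word and Excel store VBA macros. The three attachments it runs on are constructed in memory; the "macro document" is a minimal zip with a dummy vbaProject.bin, not a real Office file.

```python
"""Triage e-mail attachments for the phishing lures described in the post."""
import io
import os
import zipfile

EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd",
                         ".js", ".jse", ".vbs", ".wsf", ".hta"}
# Document types an attacker hides an executable behind (invoice.pdf.exe).
LURE_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".txt"}
# Office Open XML containers; macros live in */vbaProject.bin inside the zip.
OOXML_EXTENSIONS = {".docx", ".docm", ".xlsx", ".xlsm", ".pptx", ".pptm"}
MACRO_FREE_EXTENSIONS = {".docx", ".xlsx", ".pptx"}


def triage_attachment(filename, data):
    """Return a list of findings for one attachment; an empty list means nothing suspicious."""
    findings = []
    lower = filename.lower()
    stem, suffix = os.path.splitext(lower)
    inner = os.path.splitext(stem)[1]

    # 1. Double extension: the visible "pdf" is a lure, the real type is executable.
    if suffix in EXECUTABLE_EXTENSIONS and inner in LURE_EXTENSIONS:
        findings.append(f"double extension {inner}{suffix}: executable disguised as {inner}")

    # 2. Claimed type versus content: PE header under a non-executable name,
    #    or a .pdf that does not start with the PDF magic.
    if data.startswith(b"MZ") and suffix not in EXECUTABLE_EXTENSIONS:
        findings.append("PE header (MZ) under a non-executable extension")
    if suffix == ".pdf" and not data.startswith(b"%PDF"):
        findings.append("'.pdf' extension but no %PDF magic")

    # 3. Macro-bearing Office document: look for vbaProject.bin in the zip.
    if suffix in OOXML_EXTENSIONS:
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as container:
                parts = [n.lower() for n in container.namelist()]
        except zipfile.BadZipFile:
            findings.append("OOXML extension but not a valid zip container")
            parts = []
        if any(p.endswith("vbaproject.bin") for p in parts):
            findings.append("embedded VBA project (vbaProject.bin) in Office document")
            if suffix in MACRO_FREE_EXTENSIONS:
                findings.append(f"macro payload under macro-free extension {suffix}")
    return findings


def build_macro_document():
    """Constructed minimal OOXML zip carrying a dummy vbaProject.bin (not a real Word file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as container:
        container.writestr("[Content_Types].xml", "<Types/>")
        container.writestr("word/document.xml", "<w:document/>")
        container.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 dummy OLE stream")
    return buf.getvalue()


# Constructed sample attachments modelled on the lures in the post.
SAMPLES = {
    "Invoice_4421.pdf.exe": b"MZ\x90\x00" + b"\x00" * 60,      # fake PE stub
    "Order_Confirmation.docm": build_macro_document(),        # macro document
    "Statement.pdf": b"%PDF-1.4\n% constructed benign body\n",  # genuine-looking PDF
}


def triage_all(samples):
    """Map each attachment name to its findings."""
    return {name: triage_attachment(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, findings in triage_all(SAMPLES).items():
        print(f"{name}: {findings or ['no finding']}")
```

At a gateway you would quarantine on any finding from checks 1 and 2 outright; check 3 is a policy decision (many businesses legitimately exchange macro workbooks), but a macro document arriving from an unknown sender with an "order confirmation" subject is exactly the case the post warns about. Legacy binary .doc/.xls files are OLE2, not zip, so this script does not inspect them; that needs an OLE parser.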
