New ransomware variant: filename- .id-1234567890_sos@encryption.guru


This topic is locked
5 replies to this topic

#1 gonium

  • Members
  • 1 posts
  • OFFLINE
  • Local time:01:11 PM

Posted 13 January 2016 - 11:58 AM

Hello all,

I have a client who has been infected with a ransomware; maybe it's a new variant from the Rakhni family, but the Kaspersky tool for getting decryption keys (http://support.kaspersky.com/viruses/disinfection/10556) doesn't work.

Moreover, my client has their computers frozen with DeepFreeze. So, the ransomware did its job, that person rebooted the computer and the ransomware disappeared, leaving all the personal files encrypted in a different partition...

Any idea about how to deal with this?

Best,





#2 Virtj

  • Members
  • 2 posts
  • OFFLINE
  • Local time:01:11 PM

Posted 13 January 2016 - 12:31 PM

Hello all,

I have the same problem.

I have a storage NAS with a file encrypted with this extension "sos@encryption.guru".

The local files on the computer don't have a problem. If I reboot the computers, the same screen instructions as with other ransomware do not appear.

Why encrypt my files if you do not want money?

I want to find the infected computer because there is no sign of infection.

Thanks for the help.



#3 Demonslay335

    Ransomware Hunter

  • Security Colleague
  • 3,427 posts
  • OFFLINE
  • Gender:Male
  • Location:USA
  • Local time:07:11 AM

Posted 13 January 2016 - 01:10 PM

> Hello all,
>
> I have the same problem.
>
> I have a storage NAS with a file encrypted with this extension "sos@encryption.guru".
>
> The local files on the computer don't have a problem. If I reboot the computers, the same screen instructions as with other ransomware do not appear.
>
> Why encrypt my files if you do not want money?
>
> I want to find the infected computer because there is no sign of infection.
>
> Thanks for the help.

 

If you check the owner of an encrypted file, it should show what user was hit hopefully.


ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.
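One way to act on Demonslay335's suggestion above, as an added example that is not code from the thread: the script walks a share, picks out files whose name ends in the ".id-<digits>_<address>@<domain>" suffix seen in the thread title (the general "@" form quietman7 describes further down), reads each file's NTFS owner with Get-Acl, and summarises per owner how many files were written and over what time window. The share path is a placeholder, not a value from the thread, and the function name is this example's own.

```powershell
# Added example, not code from the thread or from any tool named in it.
# Groups files carrying the ransomware's naming pattern by NTFS owner so the
# account (and from there the workstation) that wrote them can be traced.

function Find-EncryptedFileOwners {
    param(
        # Placeholder; replace with the real NAS share path.
        [Parameter(Mandatory)] [string] $SharePath,
        # Suffix pattern from the thread title: <name>.id-<digits>_<address>@<domain>
        # Swap in another pattern (e.g. the {CRYPTENDBLACKDC} suffix) for other variants.
        [string] $NamePattern = '\.id-\d+_[^@\\]+@[^@\\]+$'
    )

    $hits = Get-ChildItem -LiteralPath $SharePath -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match $NamePattern } |
        ForEach-Object {
            # The owner is the account that created the encrypted file on the share.
            try   { $owner = (Get-Acl -LiteralPath $_.FullName).Owner }
            catch { $owner = 'unknown' }
            [pscustomobject]@{
                Owner         = $owner
                FullName      = $_.FullName
                LastWriteTime = $_.LastWriteTime
            }
        }

    # One summary row per owner: file count, first/last write time, one sample path.
    $hits | Group-Object -Property Owner | ForEach-Object {
        $times = @($_.Group.LastWriteTime | Sort-Object)
        [pscustomobject]@{
            Owner      = $_.Name
            Files      = $_.Count
            FirstWrite = $times[0]
            LastWrite  = $times[-1]
            Sample     = $_.Group[0].FullName
        }
    } | Sort-Object -Property Files -Descending
}

# Usage with a placeholder share:
Find-EncryptedFileOwners -SharePath '\\NAS01\shared' | Format-Table -AutoSize
```

The owner column identifies an account, not a machine. To get from the account to the workstation, match it against the NAS's SMB session or connection log for the FirstWrite/LastWrite window, or, if the share lives on a Windows file server, against the source address recorded in security event 5140 for that account. Because the workstations in this thread are DeepFreeze-restored, the share-side record is likely the only surviving trace.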


#4 patrick.croner

  • Members
  • 15 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, Quebec, Canada
  • Local time:08:11 AM

Posted 13 January 2016 - 01:29 PM

Hey,

I hate to break it to you, but if you have no trace left of the origin of the infection or the type of infector after having done the system reset, there's no way to recover the files unless you have a backup of them somewhere.

Hope this helps!

Patrick C.



#5 Virtj

  • Members
  • 2 posts
  • OFFLINE
  • Local time:01:11 PM

Posted 13 January 2016 - 01:49 PM

Patrick.croner, I have many computers in the infrastructure; fortunately I have a backup. My problem is identifying which computer has the infection, because there is nothing on the computers (windows with an alert or the like).



#6 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 50,946 posts
  • OFFLINE
  • Gender:Male
  • Location:Virginia, USA
  • Local time:08:11 AM

Posted 13 January 2016 - 06:17 PM

It is believed these infections are part of a ransomware kit that different affiliates utilize with their own payment email addresses which explains all the "@" ransomwares which have been reported. In some cases encrypted files will have the {CRYPTENDBLACKDC} extension appended to the end of the filename.

RakhniDecryptor is able to brute force the decryption key for some of these <filename>.<original_extension>."@" and <filename>.<original_extension>.[random]* variants but not all of them.

Fabian Wosar has a decryption utility for Gomasom .Crypt Ransomware which has had success with some "@" ransomware variants.

There are ongoing discussions in these related topics where you can ask questions and seek further assistance. Rather than have everyone start individual topics, it would be best (and more manageable for staff) if you posted any questions, comments or requests for assistance in one of the above topic discussions. Doing that will also ensure you receive proper assistance from our crypto malware experts since they may not see this thread. To avoid unnecessary confusion...this topic is closed.

Thanks
The BC Staff
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click here.



