
7ev3n (.r5a) Ransomware Support and Help Topic - A13-1.exe

14 replies to this topic

#1 Ahaas

  • Members
  • 5 posts

Posted 20 January 2016 - 06:02 PM

Have dozens of client computers infected with what looks like a new form of ransomware.
Asks for 13 Bitcoins; seems to delete Word files and replace them with 1.r5a, 2.r5a etc. Have not been able to find any info through Google that might help.
Any help on tracking down and killing this thing would be great...
 
thanks
Andy


#2 Demonslay335 (Ransomware Hunter)

  • Security Colleague
  • 3,245 posts
  • Gender: Male
  • Location: USA

Posted 20 January 2016 - 06:09 PM

Can you upload a sample encrypted file to a third-party sharing site and share it here? Do you have any ransom notes?


ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.


#3 Ahaas (Topic Starter)

  • Members
  • 5 posts

Posted 20 January 2016 - 06:14 PM

On the server there is a file A13-1.exe on the Administrator desktop. This displays the order for the Bitcoin payout.

There are also files UAC.exe and System.exe under the server administrator's AppData folder, and a reg key

HKLM/Software/Microsoft/Windows/CurrentVersion/Run/ that executes System.exe. Not sure how it gets in or how it spreads (looks like through server shares)...



#4 quietman7 (Bleepin' Janitor)

  • Global Moderator
  • 49,920 posts
  • Gender: Male
  • Location: Virginia, USA

Posted 20 January 2016 - 06:31 PM

The BC staff has advised our Security Colleagues who specialize in crypto malware ransomware with a link to this topic.

Please submit a sample of an encrypted file and ransom note here (http://www.bleepingcomputer.com/submit-malware.php?channel=3) with a link to this topic.

You can also submit samples of any suspicious executables (installer, malicious files, attachments) that you suspect were involved in causing the infection. Doing that will be helpful with analyzing and investigating.

These are common locations malicious executables related to ransomware infections may be found:
%Temp%
C:\<random>\<random>.exe
%AppData%
%LocalAppData%
%ProgramData%
%WinDir%

Microsoft MVP Consumer Security 2007-2015
Microsoft MVP Reconnect 2016
Windows Insider MVP 2017
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click here.

#5 Grinler (Lawrence Abrams)

  • Admin
  • 43,270 posts
  • Gender: Male
  • Location: USA

Posted 20 January 2016 - 07:19 PM

Can you please submit the samples of A13-1.exe, UAC.exe, System.exe, some encrypted files, any ransom notes, etc.? Also look in the %temp% folder for suspicious folders/files that you can include.

Please submit them to http://www.bleepingcomputer.com/submit-malware.php?channel=3

#6 Ahaas (Topic Starter)

  • Members
  • 5 posts

Posted 20 January 2016 - 07:23 PM

I have uploaded what I can. Included copies of the infected files and whatever I have found. (Careful with it; this is bad stuff.)



#7 Grinler (Lawrence Abrams)

  • Admin
  • 43,270 posts
  • Gender: Male
  • Location: USA

Posted 20 January 2016 - 07:23 PM

I see that you submitted them. Am looking.

#8 Ahaas (Topic Starter)

  • Members
  • 5 posts

Posted 21 January 2016 - 02:52 PM

Have things cleaned up (mostly). Damaged files we are currently recovering from backups. Did also find the startup lines: HKLM/Software/Microsoft/Windows/CurrentVersion/Run/"system.exe" and HKLM/Software/Microsoft/Windows NT/CurrentVersion/Winlogon/Shell points to "system.exe".

Hope no one else has to go through this mess...
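A read-only triage script, added here as an illustration and not posted by anyone in this thread: it checks the two persistence points reported above (a Run key entry and a Winlogon Shell value pointing at system.exe), looks for the binaries named in the thread in the drop folders quietman7 listed, and counts .r5a files so the scope of the damage is known before restoring from backup. The binary names and registry paths come from the thread; treating any Shell value other than explorer.exe as suspicious is this script's own assumption.

```powershell
# Added triage example, not code from this thread. Read-only: it reports and removes nothing.
# Run from an elevated PowerShell prompt on the affected host.

# Binary names reported in this thread (comparison is case-insensitive)
$suspectNames = @('system.exe', 'uac.exe', 'a13-1.exe')
$findings = New-Object System.Collections.Generic.List[string]

# 1. Run keys in HKLM and HKCU: flag any value whose command line names a suspect binary
foreach ($hive in 'HKLM', 'HKCU') {
    $runKey = "${hive}:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
    if (-not (Test-Path $runKey)) { continue }
    foreach ($p in (Get-ItemProperty -Path $runKey).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip the provider's PSPath/PSDrive metadata
        foreach ($n in $suspectNames) {
            if ("$($p.Value)" -match [regex]::Escape($n)) {
                $findings.Add("Run key ($hive): $($p.Name) = $($p.Value)")
            }
        }
    }
}

# 2. Winlogon Shell: the thread reports it redirected to system.exe; on a clean host it is
#    explorer.exe (assumption: any other value deserves a look)
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$shell = (Get-ItemProperty -Path $winlogon -Name Shell -ErrorAction SilentlyContinue).Shell
if ($shell -and $shell -ne 'explorer.exe') {
    $findings.Add("Winlogon Shell = '$shell' (expected 'explorer.exe')")
}

# 3. Drop folders from the list earlier in the thread (WinDir is skipped: recursing it is slow)
$dropDirs = @($env:TEMP, $env:APPDATA, $env:LOCALAPPDATA, $env:ProgramData)
foreach ($d in $dropDirs) {
    Get-ChildItem -Path $d -Filter *.exe -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $suspectNames -contains $_.Name.ToLower() } |
        ForEach-Object { $findings.Add("Suspect binary: $($_.FullName) ($($_.Length) bytes)") }
}

# 4. Scope of damage: count renamed files before deciding what to restore from backup
$r5a = Get-ChildItem -Path 'C:\' -Filter *.r5a -Recurse -File -ErrorAction SilentlyContinue
$r5aCount = ($r5a | Measure-Object).Count
$findings.Add("Files with .r5a extension under C:\: $r5aCount")

Write-Output $findings
```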



#9 Dackey

  • Members
  • 1 post

Posted 03 May 2016 - 10:49 AM

Hi to all,
I need your advice for my friend's sad case :( . He got 7ev3n-HONE$T, which renames files to the R5A extension. If anyone knows how to decrypt, it will be veeeery nice. His files are on the D partition of the laptop. But if there is no help, what will happen if we install new Windows on the infected C system drive? Will it make the documents on D visible or will it be the same?
Thanks in advance and brgds,
Dackey


#10 Tonpri

  • Members
  • 4 posts

Posted 28 May 2016 - 09:26 AM

Good morning friends! I just sent, through the link http://www.bleepingcomputer.com/submit-malware.php?channel=3, one of thousands of files that were encrypted by my 7ev3n with the .R5A extension.

Can you help me, please? I have many personal files from years and years and honestly cannot lose them.

I will be very grateful if you can help me. Thank you very much!


Edited by Tonpri, 28 May 2016 - 10:29 AM.


#11 cybercynic

  • Members
  • 553 posts
  • Gender: Male
  • Location: Edge Of Tomorrow

Posted 28 May 2016 - 11:54 AM

See this article: http://www.bleepingcomputer.com/news/security/the-7ev3n-honest-ransomware-encrypts-and-renames-your-files-to-r5a/

 

See DemonSlay's post for a possible solution!


Edited by cybercynic, 28 May 2016 - 12:05 PM.

We are drowning in information - and starving for wisdom.


#12 Demonslay335 (Ransomware Hunter)

  • Security Colleague
  • 3,245 posts
  • Gender: Male
  • Location: USA

Posted 28 May 2016 - 12:02 PM

> Good morning friends! I just sent, through the link http://www.bleepingcomputer.com/submit-malware.php?channel=3, one of thousands of files that were encrypted by my 7ev3n with the .R5A extension.
>
> Can you help me, please? I have many personal files from years and years and honestly cannot lose them.
>
> I will be very grateful if you can help me. Thank you very much!

You can try hasherezade's decoder, possibly; test it on a few files first. It requires Python. I'm not sure of the full state of it, but I think it can get the key for the R5A variant and restore files if you have a pair of files (one encrypted, and a clean copy of the same file). You may also need to know if this is 7ev3n (old) or 7ev3n-HONE$T. I haven't played with it in a while though.

 

https://github.com/hasherezade/malware_analysis/tree/master/7ev3n




#13 Tonpri

  • Members
  • 4 posts

Posted 29 May 2016 - 04:16 PM

Demonslay335,

this is a 7ev3n-HONE$T.

But I cannot use this tool to find the correct key, not even decrypt... Could you help me? I don't really know what to do... I need a lot of help from you, please!


Edited by Tonpri, 29 May 2016 - 04:21 PM.



#15 madona1

  • Banned Spammer
  • 25 posts
  • Gender: Male

Posted 25 August 2016 - 01:22 PM

Hello friends
Currently my computer is infected with a virus encoding *.R5A
I am sending an attachment; please help me decipher it
thank you

https://drive.google.com/file/d/0B-ZrfK_6XYhUWVQtemtqWG53ZFk





