KeyBTC ransomware (DECRYPT_YOUR_FILES.txt) Support Topic


41 replies to this topic

#1 mhaider (Members)

Posted 20 January 2016 - 06:17 PM

A user opened an email attachment and the following text message, named DECRYPT_YOUR_FILES.txt, opened:
 
449743_readme
 
ATTENTION:
 
All your documents, photos, databases and other important personal files
were encrypted using strong RSA-1024 algorithm with a unique key.
To restore your files you have to pay 0.5 BTC (bitcoins). To do this:
 
1. Create Bitcoin wallet here:
 
 https://blockchain.info/wallet/new
 
2. Buy 0.5 BTC with cash, using search here:
 
 https://localbitcoins.com/buy_bitcoins
 
3. Send 0.5 BTC to this Bitcoin address:
 
 oJHR97yvh97wrjvwlkrcnqrp79w9rvqnrvj
 
4. Send any e-mail to:
 
 keybtc@inbox.com
 
After that you will recieve e-mail with detailed instructions how to restore your files.
 
Remember: nobody can help you except us. It is useless to reinstall Windows, rename files, etc.
Your files will be decrypted as quick as you make payment.
 
After finding out about the mishap I have done the following:

  • removed the PC from the network
  • ran Symantec Endpoint Protection, Malwarebytes, and other scanners whose names I don't remember
  • Malwarebytes found the following:

      Trojan.Agent.Gen        HKCU\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS|load
      PUM.Optional.UserWLoad  HKCU\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS|load
      Trojan.Agent            HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|InterPowerAgent6
      Worm.AutoRun.Gen        HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|msnat5fef77ff
      Worm.AutoRun.Gen        HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|msnat3cbf52cf

  • The only mapped drive is to the user's My Documents folder on a file server. There are network shares that I set up using the Windows 7 Add Network Location Wizard.
  • From what I can tell no files have been encrypted, but I'd still like some guidance.

I would be happy to give more info if need be.
 
Thank you in advance!
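The Malwarebytes hits in the post above are all per-user autostart locations: values under the HKCU Run key and the "load" value under HKCU\...\Windows NT\CurrentVersion\Windows. The PowerShell below is an added example, not code from the original post or from any of the scanners named in it. It enumerates those locations, resolves each command line to an executable, and flags entries whose value name matches the ones Malwarebytes reported or whose target lives outside Program Files and the Windows directory. The allow-listed directories and the name patterns are my assumptions; it needs PowerShell 3.0 or later, runs in the affected user's session because the keys are under HKCU, and changes nothing. The FileExists column shows whether the executable a value points at is still on disk, since a registry pointer often outlives the binary it referenced.

```powershell
# Added example, not from the original post. Triage of per-user autostart
# locations; requires PowerShell 3.0+ and changes nothing.

$AutorunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows'   # only its load/run values autostart
)

# Assumption: a legitimate autorun normally lives under one of these roots.
$TrustedRoots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:SystemRoot) |
    Where-Object { $_ } |
    ForEach-Object { $_.TrimEnd('\') }

# Value names reported by Malwarebytes in the post, generalised to patterns.
$KnownBadNames = '^msnat[0-9a-f]{8}$|^InterPowerAgent\d*$'

function Get-CommandPath {
    # Extract the executable from a command line such as
    #   "C:\Users\jdoe\AppData\Roaming\msnat.exe" /s   or   C:\tmp\x.exe -q
    param([string]$CommandLine)
    if ($CommandLine -match '^\s*"([^"]+)"') { return $Matches[1] }
    return ($CommandLine.Trim() -split '\s+')[0]
}

$findings = foreach ($key in $AutorunKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    $regKey = Get-Item -LiteralPath $key
    foreach ($name in $regKey.GetValueNames()) {
        # Under the ...\Windows NT\...\Windows key only 'load' and 'run' are autostart values.
        if ($key -like '*\Windows NT\*' -and @('load', 'run') -notcontains $name) { continue }
        $cmd = [string]$regKey.GetValue($name)
        if (-not $cmd.Trim()) { continue }
        $exe = [Environment]::ExpandEnvironmentVariables((Get-CommandPath $cmd))
        $inTrusted = @($TrustedRoots | Where-Object { $exe -like "$_\*" }).Count -gt 0

        # Malware usually deletes its own binary; check whether the target still exists,
        # either at the literal path or somewhere on PATH for a bare file name.
        $onDisk = $false
        if ($exe) {
            $onDisk = (Test-Path -LiteralPath $exe) -or
                      [bool](Get-Command -Name $exe -CommandType Application -ErrorAction SilentlyContinue)
        }

        [pscustomobject]@{
            Key        = $key
            ValueName  = $name
            Command    = $cmd
            FileExists = $onDisk
            Suspicious = (-not $inTrusted) -or ($name -match $KnownBadNames)
        }
    }
}

$findings | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

Anything that shows Suspicious = True with FileExists = False is a leftover pointer to a binary that has already been removed (by the scanner or by the malware itself); Suspicious = True with FileExists = True is a file you can still collect and submit for analysis.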




#2 Demonslay335 (Ransomware Hunter, Security Colleague)

Posted 20 January 2016 - 06:31 PM

Do your files have any extensions added to them, or other changes to the filename?


ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]
RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]
CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]


#3 quietman7 (Bleepin' Janitor, Global Moderator)

Posted 20 January 2016 - 06:43 PM

Do the extensions look like these?
*.jpg.keybtc@inbox_com
*.doc.keybtc@inbox_com

KeyBTC uses RSA (PGP) encryption, appends a .keybtc@inbox_com extension to the end of each file name and leaves files (ransom notes) with names like DECRYPT_YOUR_FILES.txt, Read.txt, random numbers_readme. More information in this BC News article: KeyBTC, a simple yet effective encrypting ransomware
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
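As an added example (not code from the original post, from the linked BC article, or from any tool named in this thread), the following PowerShell sweeps one or more directory trees, such as the mapped My Documents share from the first post, for exactly the indicators quoted above: file names ending in .keybtc@inbox_com and ransom notes named DECRYPT_YOUR_FILES.txt, Read.txt or <digits>_readme. The share paths are placeholders, the optional ".txt" on the numeric readme name is my assumption, and it needs PowerShell 3.0 or later. It only reads. The Owner column shows which account wrote each hit, which is what you want when the worry is a file server rather than the workstation, and the earliest Modified time bounds when encryption started.

```powershell
# Added example, not from the original post. Read-only sweep for KeyBTC artifacts.
# Requires PowerShell 3.0+ (for -File on Get-ChildItem and [pscustomobject]).

$EncryptedSuffix = '.keybtc@inbox_com'
# Note names from the thread; the optional ".txt" on the numeric readme is an assumption.
$NotePattern     = '^(DECRYPT_YOUR_FILES\.txt|Read\.txt|\d+_readme(\.txt)?)$'

function Find-KeyBtcArtifacts {
    param(
        [Parameter(Mandatory = $true)][string[]]$Roots,
        [datetime]$Since = (Get-Date).AddDays(-7)    # ignore files untouched for longer
    )
    foreach ($root in $Roots) {
        if (-not (Test-Path -LiteralPath $root)) {
            Write-Warning "Skipping unreachable root: $root"
            continue
        }
        Get-ChildItem -LiteralPath $root -Recurse -File -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.LastWriteTime -ge $Since } |
            ForEach-Object {
                $file = $_
                $kind = $null
                if ($file.Name.EndsWith($EncryptedSuffix, [StringComparison]::OrdinalIgnoreCase)) {
                    $kind = 'EncryptedFile'
                } elseif ($file.Name -match $NotePattern) {
                    $kind = 'RansomNote'
                }
                if ($kind) {
                    # On a share the owner is the account that created the file.
                    try { $owner = (Get-Acl -LiteralPath $file.FullName -ErrorAction Stop).Owner }
                    catch { $owner = 'unknown' }
                    [pscustomobject]@{
                        Kind     = $kind
                        Path     = $file.FullName
                        Modified = $file.LastWriteTime
                        Owner    = $owner
                    }
                }
            }
    }
}

# Placeholder roots: replace with the mapped My Documents share and any other network locations.
$hits = @(Find-KeyBtcArtifacts -Roots @('\\fileserver\users\jdoe', 'H:\'))
if ($hits.Count -eq 0) {
    'No KeyBTC indicators found under the given roots.'
} else {
    # Earliest hit bounds when encryption started; Owner shows whose session wrote it.
    $hits | Sort-Object Modified | Format-Table Kind, Modified, Owner, Path -AutoSize
    $hits | Group-Object Kind | Select-Object Name, Count
}
```

Widen -Since if the first sign of trouble was more than a week ago, and run it from an account that can read the whole share; files the account cannot list are silently skipped because of -ErrorAction SilentlyContinue.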

#4 Demonslay335 (Ransomware Hunter, Security Colleague)

Posted 20 January 2016 - 06:52 PM

If it is indeed KeyBTC, it looks like no developments on cracking it unfortunately. Seems an old one too, unless this is a new version of it?

 

http://www.bleepingcomputer.com/forums/t/556942/keybtc-a-simple-yet-effective-encrypting-ransomware/

 

I'm curious though, can you post a link to a zip file with an encrypted file, and the File1.bin and File2.bin if you see them in your temp files?




#5 quietman7 (Bleepin' Janitor, Global Moderator)

Posted 20 January 2016 - 07:24 PM

Yes that was the only topic we had and no reports since then.

Unfortunately, once a computer has been infected and its data is encrypted, the only way to recover the files is to pay a ransom to the malware developer who will then send the computer's decryption key.

In mhaider's case, if no files were encrypted, then it appears the infection did not do what it was supposed to do.

#6 mhaider (Topic Starter, Members)

Posted 20 January 2016 - 07:51 PM

> Do your files have any extensions added to them, or other changes to the filename?

No added file extensions or other changes to the filename. At this point, all files are still accessible.


> Do the extensions look like these?
> *.jpg.keybtc@inbox_com
> *.doc.keybtc@inbox_com
>
> KeyBTC uses RSA (PGP) encryption and appends a .keybtc@inbox_com extension to the end of each file name.

No added extensions or file changes. Files are still accessible.



#7 Demonslay335 (Ransomware Hunter, Security Colleague)

Posted 20 January 2016 - 07:53 PM

Weird... I would back up the data immediately; perhaps it hasn't run yet. If you find any malicious files, I'm sure the crypto team would like a look at them.




#8 mhaider (Topic Starter, Members)

Posted 20 January 2016 - 08:00 PM

> Yes that was the only topic we had and no reports since then.
>
> Unfortunately, once a computer has been infected and its data is encrypted, the only way to recover the files is to pay a ransom to the malware developer who will then send the computer's decryption key.
>
> In mhaider's case, if no files were encrypted, then it appears the infection did not do what it was supposed to do.

My hope is that the infection failed; the user who opened the attachment said a message came up saying opening this file was not recommended, or something to that effect, so she cancelled the operation. I can't find the files that Malwarebytes found in the registry; maybe it was partially executed but didn't get to the encryption part. Is it possible there is a time delay involved? I'm not concerned with the user's PC, I can restore that easily enough; I'm worried about something getting to the servers.



#9 quietman7 (Bleepin' Janitor, Global Moderator)

Posted 20 January 2016 - 08:00 PM


Samples of any ransom notes or suspicious executables (installer, malicious files, attachments) that you suspect were involved in causing the infection can be submitted here (http://www.bleepingcomputer.com/submit-malware.php?channel=3) with a link to this topic.

#10 mhaider (Topic Starter, Members)

Posted 20 January 2016 - 08:02 PM

> Samples of any ransom notes or suspicious executables (installer, malicious files, attachments) that you suspect were involved in causing the infection can be submitted here (http://www.bleepingcomputer.com/submit-malware.php?channel=3) with a link to this topic.

Thanks! I will see if I can come up with something to send tomorrow.



#11 quietman7 (Bleepin' Janitor, Global Moderator)

Posted 20 January 2016 - 08:09 PM

> ...I can't find the files that Malwarebytes found in the registry, maybe it was partially executed, but didn't get to the encryption part. Is it possible there is a time delay involved?

Anything is possible. Most crypto ransomware is typically programmed to automatically remove itself...the malicious files responsible for the infection...after the encrypting is done since they are no longer needed. However, most victims don't know how long the malware was on the system before they were alerted or if another piece of malware was responsible for installing it. If other malware was involved it could still be present if your antivirus did not detect and remove it. Since no files were encrypted, you may want to perform a few more security scans.

#12 mhaider (Topic Starter, Members)

Posted 20 January 2016 - 08:39 PM


> ...I can't find the files that Malwarebytes found in the registry, maybe it was partially executed, but didn't get to the encryption part. Is it possible there is a time delay involved?
>
> Anything is possible. Most crypto ransomware is typically programmed to automatically remove itself...the malicious files responsible for the infection...after the encrypting is done since they are no longer needed. However, most victims don't know how long the malware was on the system before they were alerted or if another piece of malware was responsible for installing it. If other malware was involved it could still be present if your antivirus did not detect and remove it. Since no files were encrypted, you may want to perform a few more security scans.


Any suggestions on what to use for security scans?



#13 quietman7 (Bleepin' Janitor, Global Moderator)

Posted 20 January 2016 - 08:59 PM

List of Free Scan & Disinfection Tools to supplement your anti-virus or get a second opinion

From that list, I would recommend any (or a combination) of the first seven.

You can also supplement your anti-virus or get a second opinion by performing an Online Virus Scan. ESET is one of the more effective online scanners.

#14 mhaider (Topic Starter, Members)

Posted 21 January 2016 - 12:39 PM


> ...I can't find the files that Malwarebytes found in the registry, maybe it was partially executed, but didn't get to the encryption part. Is it possible there is a time delay involved?
>
> Anything is possible. Most crypto ransomware is typically programmed to automatically remove itself...the malicious files responsible for the infection...after the encrypting is done since they are no longer needed. However, most victims don't know how long the malware was on the system before they were alerted or if another piece of malware was responsible for installing it. If other malware was involved it could still be present if your antivirus did not detect and remove it. Since no files were encrypted, you may want to perform a few more security scans.

I scanned the PC multiple times with different scanners from the link you sent me in a different post and nothing is found. Malwarebytes is the only scanner that found what I posted in the first post. It's looking like we got lucky, at least I hope so. I'm re-imaging the PC and I'm going to restore from backup what few documents were on the PC.

 

Thanks for everyone's help!



#15 quietman7 (Bleepin' Janitor, Global Moderator)

Posted 21 January 2016 - 04:32 PM

You're welcome on behalf of the Bleeping Computer community.



