
New Encryption Virus


10 replies to this topic

#1 silumor

silumor

  • Members
  • 39 posts

Posted 23 February 2016 - 10:25 AM

Hi,

Today I was fortunate to come across a new encryption virus. I say new because it's new to me.

I had a computer come to me with problems of persistent pop-ups.

Upon checking this system I was given a "boot drive is missing" error.

Naturally I checked the hard drive first. It was present and working perfectly.

So I start taking steps to repair the boot partition, then I realize the install partition is gone.

After checking the drive I see the recovery partition is still there.

I open up the recovery partition to find help_decrypt.txt and .html and others with similar names, all dated months ago. Opening these files only yields scrambled symbols inside and no clue as to the virus name. It appears that when he failed to pay the ransom they somehow wiped his drive.

I have no other clue and no other files to go by for this incident. I say it's new because I have never seen an encryption virus do this. Anyone ever seen this before?


Edited by hamluis, 23 February 2016 - 07:16 PM.
Moved from Crashes/BSODs to General Security - Hamluis.



#2 usasma

usasma

    Still visually handicapped (avatar is memory developed by my Dad


  • BSOD Kernel Dump Expert
  • 25,091 posts
  • Gender:Male
  • Location:Southeastern CT, USA

Posted 23 February 2016 - 05:27 PM

There's lots of encryption malware out there.

I'd suggest posting over in the Am I Infected forum:  http://www.bleepingcomputer.com/forums/f/103/am-i-infected-what-do-i-do/
Please read the pinned topics at the top of the forum for instructions on how to post there.

 


My browser caused a flood of traffic, so my IP address was banned. Hope to fix it soon. Will get back to posting as soon as I'm able.

- John (my website: http://www.carrona.org/ ) **If you need a more detailed explanation, please ask for it. I have the Knack.** If I haven't replied in 48 hours, please send me a message. My eye problems have recently increased and I'm having difficulty reading posts. (23 Nov 2017) FYI - I am completely blind in the right eye and ~30% blind in the left eye. If the eye problems get worse suddenly, I may not be able to respond. If that's the case and help is needed, please PM a staff member for assistance.

#3 Demonslay335

Demonslay335

    Ransomware Hunter


  • Security Colleague
  • 3,561 posts
  • Gender:Male
  • Location:USA

Posted 23 February 2016 - 05:29 PM

Are there any extensions on the files, or alterations to the filenames? Can you provide a few sample encrypted files, along with a ransom note?


ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.


#4 silumor

silumor
  • Topic Starter

  • Members
  • 39 posts

Posted 23 February 2016 - 06:39 PM

Ransom note was scrambled and the only files left are the basic ransom .txt files.



#5 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,758 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 23 February 2016 - 09:13 PM

...I open up the recovery partition to find help_decrypt.txt and html and others with similar name...


CryptoWall 3.0 leaves files (ransom notes) with names like HELP_DECRYPT.TXT, HELP_DECRYPT.HTML, and HELP_DECRYPT.PNG.

Uniquekey@dr.com and crydhellsek@gmail.com Ransomware encrypts your data and appends a .crypt, .pzdc, or .good extension to the end of each filename. cwall@dr.com is a newer variant which appends a .R16M01D05 extension to the end of each filename. They typically leave files (ransom notes) named Help_Decrypt.txt similar to CryptoWall.

Are there any file extensions appended to files...such as those noted above or something else?

These are some of the more common ransomware file extensions appended to encrypted files: .ecc, .ezz, .exx, .zzz, .xyz, .aaa, .abc, .ccc, .vvv, .xxx, .ttt, .micro, .mp3, .encrypted, .locked, .crypto, _crypt, .crinf, .XRNT, .r5a, .XTBL, .YTBL, .crypt, .R16M01D05, .pzdc, .good, .LOL!, .OMG!, .RDM, .RRK, .encryptedRSA, .crjoker, .EnCiPhErEd, .LeChiffre, .keybtc@inbox_com, .0x0, .bleep, .1999, .vault, .HA3, _sq., .toxcrypt, .magic, .ENC, .locky, .SUPERCRYPT, .CTBL, .CTB2, or a 6-7 character extension consisting of random characters?
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click [image link].
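As an added example (not code from this thread, from BleepingComputer, or from the ID Ransomware tools linked above), here is a small Python triage scanner built from the indicators quietman7 lists: it walks a directory tree, records ransom notes named HELP_DECRYPT.TXT/.HTML/.PNG, tallies files carrying one of the quoted extensions, and separately flags the "6-7 random characters" case. The sample directory tree it builds is constructed for the demo; the AMBIGUOUS set and the double-extension rule (only count `.mp3`, `.enc` and similar when they sit on top of another extension) are my assumptions to keep ordinary media or archive files from being counted.

```python
import os
import re
import tempfile
from collections import Counter

# Suffixes quoted in quietman7's post, lower-cased; longest first so that a longer
# suffix such as ".encryptedrsa" is tested before a shorter one.
KNOWN_SUFFIXES = sorted([
    ".ecc", ".ezz", ".exx", ".zzz", ".xyz", ".aaa", ".abc", ".ccc", ".vvv", ".xxx",
    ".ttt", ".micro", ".mp3", ".encrypted", ".locked", ".crypto", "_crypt", ".crinf",
    ".xrnt", ".r5a", ".xtbl", ".ytbl", ".crypt", ".r16m01d05", ".pzdc", ".good",
    ".lol!", ".omg!", ".rdm", ".rrk", ".encryptedrsa", ".crjoker", ".enciphered",
    ".lechiffre", ".keybtc@inbox_com", ".0x0", ".bleep", ".1999", ".vault", ".ha3",
    "_sq.", ".toxcrypt", ".magic", ".enc", ".locky", ".supercrypt", ".ctbl", ".ctb2",
], key=len, reverse=True)

# Assumption: these suffixes are also ordinary file types, so only count them when they
# sit on top of another extension (photo.jpg.mp3), which is how the families rename files.
AMBIGUOUS = {".mp3", ".enc", ".good", ".magic", ".1999", ".abc", ".xyz", ".crypto"}

# Ransom note names from the thread (any letter case).
NOTE_RE = re.compile(r"^help_decrypt\.(txt|html|png)$", re.IGNORECASE)
# A plain "real" extension of 1-5 characters, used to detect double extensions.
INNER_EXT_RE = re.compile(r"\.[a-z0-9]{1,5}$")
# The "6-7 random characters" case mentioned in the post.
RANDOM_RE = re.compile(r"\.[a-z0-9]{6,7}$")


def classify_name(name):
    """Return (kind, suffix) for a filename, or None if it shows no indicator."""
    if NOTE_RE.match(name):
        return ("ransom_note", name.lower())
    lower = name.lower()
    for suffix in KNOWN_SUFFIXES:
        if not lower.endswith(suffix):
            continue
        stem = lower[: -len(suffix)]
        if suffix in AMBIGUOUS and not INNER_EXT_RE.search(stem):
            continue  # e.g. song.mp3 is a normal file, not an indicator
        return ("encrypted", suffix)
    m = RANDOM_RE.search(lower)
    if m and INNER_EXT_RE.search(lower[: m.start()]):
        return ("possible_random", m.group(0))
    return None


def scan_tree(root):
    """Walk root and tally indicators; returns a dict a responder can triage from."""
    result = {"ransom_notes": [], "encrypted": Counter(), "possible_random": Counter()}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            hit = classify_name(name)
            if hit is None:
                continue
            kind, suffix = hit
            if kind == "ransom_note":
                result["ransom_notes"].append(os.path.join(dirpath, name))
            else:
                result[kind][suffix] += 1
    return result


# Constructed sample tree (not real victim data) so the scanner can be run offline.
SAMPLE_FILES = [
    "Documents/budget.xlsx.vvv",      # TeslaCrypt-style double extension
    "Documents/thesis.docx.micro",
    "Music/song.mp3",                 # ordinary file, must not be flagged
    "Music/song.wav.mp3",             # .mp3 on top of .wav: flagged
    "Pictures/cat.jpg.a7k2pq",        # 6 random chars after a real extension
    "Recovery/HELP_DECRYPT.TXT",
    "Recovery/Help_Decrypt.html",
    "readme.txt",
]


def build_sample_tree(root):
    """Create the constructed files under root with placeholder content."""
    for rel in SAMPLE_FILES:
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("placeholder\n")


def demo():
    """Build the constructed tree in a temp dir, scan it and return the tally."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scan_tree(tmp)


if __name__ == "__main__":
    report = demo()
    print("ransom notes:", len(report["ransom_notes"]))
    print("encrypted by suffix:", dict(report["encrypted"]))
    print("possible random extensions:", dict(report["possible_random"]))
```

On a real case, point `scan_tree()` at a read-only mount of the affected volume: the suffix tally tells you which family to look up and which files to submit to the ID Ransomware topic linked in Demonslay335's signature, and the note paths tell you where the notes survive (here, only in the recovery partition, as in post #1). The random-extension rule is a heuristic and will also pick up things like `report.docx.backup`, so treat that bucket as "look closer", not as a verdict.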

#6 silumor

silumor
  • Topic Starter

  • Members
  • 39 posts

Posted 24 February 2016 - 10:55 AM

Well, his problem was that all his files and the main installation partition were erased when he failed to pay the ransom (erased by the virus or the ransomer) in some way. This is more of a heads up or "be on the lookout" than an "I need help" issue. I was just wondering if anyone else had seen an encryption virus that wiped the drive when the victim failed to pay, wiped it so well that the only traces left are help_decrypt.txt and help_decrypt.html files and that's it, and the contents of those files are even scrambled with symbols.


Edited by silumor, 24 February 2016 - 10:56 AM.


#7 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,758 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 24 February 2016 - 11:09 AM

There are many types of ransomware and many different names for the ransom notes they leave. Although notes are often similar, only the two I noted above leave notes named Help_Decrypt.txt. For those victims who chose not to pay, as far as I am aware there have been no reports of such destructive behavior. We will certainly keep vigilant for any more reports.

#8 Demonslay335

Demonslay335

    Ransomware Hunter


  • Security Colleague
  • 3,561 posts
  • Gender:Male
  • Location:USA

Posted 24 February 2016 - 11:12 AM

We've only seen a few reports of systems having their MBR tampered with from the sound of it, never one that wiped partitions.

 

I would definitely run some recovery through a recovery disk like PartedMagic, with tools such as TestDisk or PhotoRec. There may be a way to possibly recover the deleted files, or possibly just the partition table was damaged and the files can be recovered with raw recovery.




#9 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,758 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 24 February 2016 - 11:30 AM

If you're interested you can read about infections targeting the Master Boot Record in this BC News article: New infection ransoms your computer with fake encryption message.

A recent report can be found in this topic.
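Demonslay335's and quietman7's posts above separate two possibilities: a partition table that was only damaged (file data still on disk and recoverable with raw carving) versus partitions whose contents were actually wiped, and they mention infections that tamper with the Master Boot Record. As an added example (not code from this thread, and not from TestDisk, PhotoRec or PartedMagic), the Python below decodes one 512-byte MBR sector and reports the sanity failures a responder checks before choosing a recovery path: missing 0x55AA boot signature, an all-zero table, invalid status bytes, no bootable entry, and overlapping extents. The sample sectors are constructed in the code; the partition type names are the standard MBR type IDs.

```python
import struct

SECTOR_SIZE = 512
TABLE_OFFSET = 446                 # the four partition entries follow the boot code
ENTRY_FMT = "<B3sB3sII"            # status, CHS start, type, CHS end, LBA start, sector count
BOOT_SIGNATURE = b"\x55\xAA"

# Standard MBR partition type IDs (only the few needed to label the output).
PARTITION_TYPES = {
    0x00: "empty", 0x07: "NTFS/exFAT", 0x0C: "FAT32 LBA",
    0x27: "Windows recovery", 0x83: "Linux", 0xEE: "GPT protective",
}


def parse_mbr(sector):
    """Decode the boot signature and the four 16-byte partition entries."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected one 512-byte sector")
    entries = []
    for i in range(4):
        status, _chs_start, ptype, _chs_end, lba, count = struct.unpack_from(
            ENTRY_FMT, sector, TABLE_OFFSET + 16 * i)
        entries.append({
            "index": i, "status": status, "type": ptype,
            "type_name": PARTITION_TYPES.get(ptype, "0x%02x" % ptype),
            "lba_start": lba, "sectors": count,
        })
    return {"signature_ok": sector[510:512] == BOOT_SIGNATURE, "entries": entries}


def assess_mbr(sector):
    """Return a list of findings; an empty list means the table looks sane."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    live = [e for e in info["entries"] if e["type"] != 0x00]
    if not live:
        findings.append("partition table is empty (all four entries zeroed)")
    for e in info["entries"]:
        if e["status"] not in (0x00, 0x80):
            findings.append("entry %d: invalid status byte 0x%02x" % (e["index"], e["status"]))
        if e["type"] != 0x00 and e["sectors"] == 0:
            findings.append("entry %d: non-empty type with zero length" % e["index"])
    if live and not any(e["status"] == 0x80 for e in live):
        findings.append("no partition flagged bootable")
    # Overlap check on LBA extents, independent of the order the entries appear in.
    spans = sorted((e["lba_start"], e["lba_start"] + e["sectors"], e["index"]) for e in live)
    for (_s1, end1, i1), (start2, _e2, i2) in zip(spans, spans[1:]):
        if start2 < end1:
            findings.append("entries %d and %d overlap" % (i1, i2))
    return findings


def make_mbr(partitions, signature=True):
    """Constructed sector: zeroed boot code plus the given (status, type, lba, count) entries."""
    table = b"".join(
        struct.pack(ENTRY_FMT, status, b"\xfe\xff\xff", ptype, b"\xfe\xff\xff", lba, count)
        for status, ptype, lba, count in partitions)
    table += bytes(64 - len(table))           # unused entries stay zero
    sig = BOOT_SIGNATURE if signature else b"\x00\x00"
    return bytes(TABLE_OFFSET) + table + sig


def healthy_mbr():
    # Bootable NTFS system partition followed by a recovery partition, no gaps or overlaps.
    return make_mbr([(0x80, 0x07, 2048, 1_024_000), (0x00, 0x27, 1_026_048, 1_000_000)])


def wiped_table_mbr():
    # Table and signature both zeroed: nothing left to rebuild from without a deep scan.
    return make_mbr([], signature=False)


def missing_system_mbr():
    # Only the recovery entry survives and nothing is bootable: the "boot drive is
    # missing" picture described in post #1.
    return make_mbr([(0x00, 0x27, 1_026_048, 1_000_000)])


def overlapping_mbr():
    # Second entry starts inside the first: a corrupted table rather than a wiped one.
    return make_mbr([(0x80, 0x07, 2048, 1_024_000), (0x00, 0x27, 500_000, 1_000_000)])


if __name__ == "__main__":
    for label, sector in (("healthy", healthy_mbr()), ("wiped", wiped_table_mbr()),
                          ("missing system", missing_system_mbr()),
                          ("overlapping", overlapping_mbr())):
        print(label, "->", assess_mbr(sector) or ["no findings"])
```

On a real disk, run it against the first sector of a forensic image (`assess_mbr(open("disk.img", "rb").read(512))`) rather than the live drive. If the table is gone but the signature and the recovery entry are intact, as in the "missing system" case, the NTFS volume may still be found by a deep scan of the kind TestDisk performs, and file carving with PhotoRec is the fallback; a disk whose first entry is type 0xEE is GPT-partitioned, and the GPT header (with its backup copy at the end of the disk) is what to check instead.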

#10 silumor

silumor
  • Topic Starter

  • Members
  • 39 posts

Posted 24 February 2016 - 01:16 PM

Thanks. I try to keep up with all the new ones listed on your site as well. I read all new posts here as much as I can.



#11 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,758 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 24 February 2016 - 02:19 PM

Not a problem.

A repository listing of all Bleeping Computer Crypto malware Information and ransomware topics can be found in this index which I try to keep current.



