
Cryptowall 4.0 or not?


This topic is locked
10 replies to this topic

#1 spangenb


Posted 01 March 2016 - 12:41 PM

Late last week we discovered about 14k files at one of our sites that were encrypted and the file names were also encrypted.  At first glance we figured it was Cryptowall 4.0 due to the encrypted file names, but a couple of things are not adding up:

  • There are no ransom note files anywhere.  Not at the affected site, and not at any other sites.
  • There are common file types left untouched sitting right next to encrypted files:  pdf, txt, doc, pst, jpg, etc.

The files were all changed between 1/26/16 and 1/28/16.  It took them a month to notice it!  We are recovering the files from backup, but are left wondering what encrypted the files.  The file ownership was changed to a person at a remote site, but that person's PC has come up clean.  We reviewed our SEP logs for that time period and there was nothing of interest happening.

 

Is it possible to analyze the encrypted files to determine if a known crypto malware strain is the culprit?  I have several examples available.





#2 Demonslay335 (Ransomware Hunter)

Posted 01 March 2016 - 12:44 PM

If you post a few examples, we might be able to determine the variant based on the byte signature and filenames. Typically CryptoWall 4.0 leaves a ransom note by the name of Help_Your_Files with various extensions.


ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]
RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]
CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.


#3 spangenb (Topic Starter)

Posted 01 March 2016 - 12:58 PM

I'm not sure how to upload files. Can I upload them to the forum, or should I use some other service and post a link here?

 

This is the confusing thing ... no ransom notes at all.



#4 Demonslay335 (Ransomware Hunter)

Posted 01 March 2016 - 01:09 PM

Yeah, you can use a third-party site like SendSpace or WeTransfer and post the link here.




#5 spangenb (Topic Starter)

Posted 01 March 2016 - 01:20 PM

Here's a link to download the encrypted files (4 of them):

 

https://apitechnologies.sharefile.com/d-s309835d053749d1a



#6 spangenb (Topic Starter)

Posted 10 March 2016 - 11:49 AM

Has anybody looked at these files? Any feedback? Our investigation points to some one-off piece of software that doesn't have any of the hallmarks of the known crypto malware variants, but I was hoping the encryption method would shed some light on things.



#7 Demonslay335 (Ransomware Hunter)

Posted 10 March 2016 - 11:55 AM

Sorry, the notification for this topic must've been buried.

 

Definitely CryptoWall 4.0, I'm afraid. All 4 files have the same 16-byte header:

8B 7E F8 6C 80 31 C0 81 FD AD 0F AA AC 62 85 1D

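The identification above rests on the four files sharing one 16-byte header. As an added example (not code from the thread or any of its posters), the script below applies that same idea defensively during triage: it groups files by their first 16 bytes, labels any that match the header quoted in this reply, and surfaces any other cluster of files with differing extensions but an identical prefix, which is how an as-yet unknown encryptor would show up. The paths and the DEADBEEF prefix in the sample set are constructed.

```python
import os
from collections import defaultdict

HEADER_LEN = 16
# The 16-byte header Demonslay335 reported for all four samples in this thread.
CW4_HEADER = bytes.fromhex("8B7EF86C8031C081FDAD0FAAAC62851D")
KNOWN_HEADERS = {CW4_HEADER: "CryptoWall 4.0 (per this thread)"}

def triage(files, min_cluster=2):
    """files maps path -> leading bytes. Returns (known, anomalous):
    known = {path: label} for headers present in KNOWN_HEADERS; anomalous =
    {header_hex: [paths]} for >= min_cluster files sharing one HEADER_LEN-byte
    prefix despite differing extensions. Distinct file types start with distinct
    magic bytes, so such a cluster hints at bulk encryption by an unknown family."""
    groups = defaultdict(list)
    for path, data in files.items():
        groups[bytes(data[:HEADER_LEN])].append(path)
    known, anomalous = {}, {}
    for header, paths in groups.items():
        if header in KNOWN_HEADERS:
            known.update({p: KNOWN_HEADERS[header] for p in paths})
        elif len(paths) >= min_cluster:
            exts = {os.path.splitext(p)[1].lower() for p in paths}
            if len(exts) > 1:
                anomalous[header.hex().upper()] = sorted(paths)
    return known, anomalous

def load_headers(root):
    """Read the first HEADER_LEN bytes of every file under root (live use)."""
    files = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    files[path] = fh.read(HEADER_LEN)
            except OSError:
                continue  # unreadable file: skip it rather than abort the scan
    return files

# Constructed sample set (not real files): two with the header from the thread,
# two with a made-up shared prefix across extensions, and two ordinary files.
SAMPLE_FILES = {
    "share/a1b2c3.d4e5": CW4_HEADER + b"\x00" * 8,
    "share/f6g7h8.i9j0": CW4_HEADER + b"\xff" * 8,
    "share/report.doc": b"\xde\xad\xbe\xef" * 4 + b"x",
    "share/photo.jpg": b"\xde\xad\xbe\xef" * 4 + b"y",
    "share/manual.pdf": b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n12",
    "share/archive.docx": b"PK\x03\x04\x14\x00\x06\x00\x08\x00\x00\x00!\x00",
}
```

Against a real share, `triage(load_headers(r"\\server\share"))` does the same on disk; a header match is a strong hint rather than proof, so confirm with the ID Ransomware service linked above before drawing conclusions.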


#8 spangenb (Topic Starter)

Posted 10 March 2016 - 01:37 PM

> Sorry, the notification for this topic must've been buried.
>
> Definitely CryptoWall 4.0, I'm afraid. All 4 files have the same 16-byte header:
>
> 8B 7E F8 6C 80 31 C0 81 FD AD 0F AA AC 62 85 1D

Thanks! That is both good news and bad, because we have none of the ransom note files you would expect to see with CryptoWall. I thought it dropped a ransom note in each folder as it progressed through the folder tree. Does it only drop the ransom notes after it has completed? That would make more sense in our scenario if it got interrupted before it was able to complete. We have restored the data from backup, but are still searching for the source of the file encryption. All of the files are owned by one person at a remote site, which would seem to be the smoking gun, but that person's PC is clean with no evidence of similar activity.



#9 Demonslay335 (Ransomware Hunter)

Posted 10 March 2016 - 02:08 PM

Most ransomware will delete itself after it finishes, making acquisition of a sample that much harder. It is odd that the ransom notes are not there, as it will typically write them to the folders as it progresses. I have seen some antiviruses grab the ransom notes and remove them, though, so that's certainly one possibility (even when the antivirus fails to detect the ransomware itself).




#10 spangenb (Topic Starter)

Posted 10 March 2016 - 02:52 PM

> Most ransomware will delete itself after it finishes, making acquisition of a sample that much harder. It is odd that the ransom notes are not there, as it will typically write them to the folders as it progresses. I have seen some antiviruses grab the ransom notes and remove them, though, so that's certainly one possibility (even when the antivirus fails to detect the ransomware itself).

We run SEP, and there were no detections of interest logged anywhere in the company during the date range in which the files were encrypted. It's a real mystery! I appreciate the feedback.



#11 quietman7 (Bleepin' Janitor, Global Moderator)

Posted 10 March 2016 - 04:32 PM

Since the infection is confirmed as CryptoWall 4.0, please refer to this topic. Rather than have everyone start individual topics, it is best (and more manageable for staff) if you post any further questions, comments or requests for assistance in that topic discussion. Doing that will also ensure you receive proper assistance from our crypto malware experts, since they may not see this thread. To avoid unnecessary confusion, this topic is closed.

Thanks
The BC Staff
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click here.



