Lawrence Abrams
Posted 07 March 2016 - 09:34 AM
Ransomware Hunter
Posted 07 March 2016 - 10:01 AM
Do we know if filenames are altered, or is this another one that's hard to determine the magnitude of affected files? I'm interested in seeing a few samples of encrypted files if someone has some (for archiving and analysis).
ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]
RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]
CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]
If I have helped you and you wish to support my ransomware fighting, you may support me here.
Posted 07 March 2016 - 10:07 AM
Do we know if filenames are altered, or is this another one that's hard to determine the magnitude of affected files? I'm interested in seeing a few samples of encrypted files if someone has some (for archiving and analysis).
I agree. I would like to know the filename pattern and extensions it uses, to protect our file servers, write custom mcafee vse rules, etc....
Edited by nintendo1889, 07 March 2016 - 10:08 AM.
Lawrence Abrams
Posted 07 March 2016 - 11:02 AM
Posted 07 March 2016 - 04:48 PM
Writing up a detailed analysis now, but encrypted files are changed to .encrypted.
Good, I already have a *.encrypted rule.
Lawrence Abrams
Posted 07 March 2016 - 05:15 PM
Ransomware Hunter
Posted 07 March 2016 - 05:28 PM
Very interesting, thanks for the analysis.
Does it actually encrypt the whole file, or only part of it? Also, is there a header added onto the file? I'd be interested in seeing a before/after just for signature archiving.
ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]
RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]
CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]
If I have helped you and you wish to support my ransomware fighting, you may support me here.
Ransomware Hunter
Posted 07 March 2016 - 05:34 PM
Found the analysis by Palo Alto Networks may have some more technical details on what I was asking.
This part sounds scary if they pull it off.
Additionally, KeRanger appears to still be under active development and it seems the malware is also attempting to encrypt Time Machine backup files to prevent victims from recovering their back-up data.
ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]
RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]
CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]
If I have helped you and you wish to support my ransomware fighting, you may support me here.
Posted 21 May 2016 - 10:44 PM
Hi,
i uploaded files for testing it says that this type can be decrypted
what do i do from here?
Ransomware Hunter
Posted 22 May 2016 - 09:06 AM
ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]
RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]
CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]
If I have helped you and you wish to support my ransomware fighting, you may support me here.
Posted 22 May 2016 - 08:04 PM
We are drowning in information - and starving for wisdom.
Posted 23 May 2016 - 12:23 AM
Yeah sorry about that.. I read about it after I posted. Just that it came up somehow for keRanger when I uploaded files for testing. Not sure why.More likely you were hit by Crypt0L0cker if your files have .encrypted appended. KeRanger was short lived and only infected Macs.
0 members, 0 guests, 0 anonymous users
Back to top
