
Eclr Ransomware Support and Help Topic - README_IMPORTANT.txt


14 replies to this topic

#1 imseandavis (Members)

Posted 09 March 2016 - 12:07 AM

Company got hit with a ransomware this morning and it spread to several systems. Haven't been able to track down the origin computer yet, just that it was wreaking so much havoc that it took down the network temporarily, and that seemed to stop the spread. Never seen a ransom so high before. I have included the details below:
 
Ransom Note: txt file named: README_IMPORTANT
YOUR FILES ARE FULLY ENCRYPTED
 
MAKE THE PAYMENT OF 100 BITCOINS TO THE BTC ADDRESS BELOW
3KHkWFDX9PDsaFRtrDKBGYd41HZWTu2L21
 
AFTER WE RECEIVE THE PAYMENT THE DECRYPTION PROGRAM AND KEY WILL BE SENT TO YOUR EMAIL
THE DECRYPTION PROGRAM WILL RESTORE YOUR FILES BACK TO NORMAL.
 
7399@sigaint.org
TO ASSURE YOU WE CAN RESTORE YOUR FILES, WE WILL DECRYPT A SINGLE FILE YOU SEND US.
 
## YOU HAVE 48 HOURS TO SAVE YOUR FILES ##
CONTACT US ONLY AFTER MAKING THE PAYMENT,
ALL PRICE NEGOTIATIONS WILL BE IGNORED
THE ABOVE EMAIL ADDRESS WILL EXPIRE AFTERWARDS AND NO COMMUNICATIONS WILL BE AVAILABLE
 
 
 
* In %localappdata% I'm seeing a file with 0 bytes called 9030138 that was created about the time we started seeing the virus. 
 
* Seems it propagated to several machines including our Exchange server. We had Symantec on all of our machines and it was reported as SONAR.Cryrptolocker!g44
 
* All files have an .eclr extension appended
 
* I have a sample file I could upload for checking if needed as well.
 
Offsite backups are encrypted as well, because the backups are replicated offsite, so recovery doesn't seem to be a very viable option for most of our stuff.
 
Any ideas or suggestions as to the variant would also be appreciated, to determine what tools or options we may have.




#2 Demonslay335 (Ransomware Hunter, Security Colleague)

Posted 09 March 2016 - 12:34 AM

Definitely sounds new. Sorry to hear it hit your backups too - versioning is beginning to be a huge priority for backup strategy.

Can you post some sample encrypted files? Preferably a PNG, and if you have any that you happen to have a clean copy of (or something like the default Windows sample pictures).

The next priority will be tracking down a sample of the malware for analysis. How many systems are we talking here for isolating the problem system? The properties of the encrypted files should help steer you to the user who was affected, which may help determine the probable system(s).

ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]
RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]
CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.


#3 imseandavis (Topic Starter, Members)

Posted 09 March 2016 - 12:37 AM

Yeah, I figured it was a new variant, especially because of the price and non-negotiable terms. I have an XLS file I could upload somewhere, but I don't have a clean delta to compare yet until I see if I have a backup I can restore to get the original. I will see if I can grab a PNG or JPEG in the morning. System-wise it looks to be about 40 (Windows) out of several hundred. Exchange and AD were among the afflicted. Obviously every file share I can find. What properties on the encrypted file can I look at to help point me in the right direction to the origin machine?



#4 Demonslay335 (Ransomware Hunter, Security Colleague)

Posted 09 March 2016 - 12:43 AM

Youch, that's going to take some digging.

Usually, the owner of the file may be changed. Also, were just the shares hit, or actual non-shared data on the server? That could at least determine whether or not the server itself was infected directly.

If it's feasible, I would almost suggest external scans on the systems before putting them back online (a live CD, or bridge drives to another system). Definitely back up everything not encrypted; save what you can in case it starts right back up.

This your network, or a client's? Just gauging how much access/time you'll have.

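The file-properties triage described in the reply above (owner of the encrypted copies, timestamps per directory), written out as an added PowerShell example; it is not part of the original thread and not a tool of any participant. It assumes the .eclr extension and README_IMPORTANT.txt note name from this thread; the share roots are placeholders to replace, and it needs PowerShell 3.0 or later for the -File switch.

```powershell
# Added example (not from the thread): triage encrypted files on shares to find the
# earliest-hit account and directories. Run as an account that can read the shares.
param(
    [string[]]$Roots     = @('\\FILESERVER\share1', 'D:\Data'),  # placeholder paths, replace
    [string]  $Extension = '.eclr',                              # from this thread
    [string]  $NoteName  = 'README_IMPORTANT.txt'                # from this thread
)

# Collect every encrypted file with its owner and timestamps.
$encrypted = foreach ($root in $Roots) {
    Get-ChildItem -Path $root -Recurse -Force -File -Filter "*$Extension" -ErrorAction SilentlyContinue |
        ForEach-Object {
            $owner = try { (Get-Acl -LiteralPath $_.FullName).Owner } catch { '<unknown>' }
            [pscustomobject]@{
                Path          = $_.FullName
                Owner         = $owner
                CreationTime  = $_.CreationTime
                LastWriteTime = $_.LastWriteTime
            }
        }
}

# 1) Who owns the encrypted copies? The account whose session ran the malware usually
#    ends up as owner of the files it wrote; the earliest write time points at patient zero.
$encrypted |
    Group-Object Owner |
    ForEach-Object {
        $sorted = $_.Group | Sort-Object LastWriteTime
        [pscustomobject]@{
            Owner      = $_.Name
            Files      = $_.Count
            FirstWrite = $sorted[0].LastWriteTime
            LastWrite  = $sorted[-1].LastWriteTime
            FirstPath  = $sorted[0].Path
        }
    } | Sort-Object FirstWrite | Format-Table -AutoSize

# 2) Per-minute timeline of writes: shows how long a single host took and when the
#    encryption reached the shares.
$encrypted |
    Group-Object { $_.LastWriteTime.ToString('yyyy-MM-dd HH:mm') } |
    Sort-Object Name |
    Select-Object @{ n = 'Minute'; e = { $_.Name } }, Count |
    Format-Table -AutoSize

# 3) Directories that received a ransom note, to confirm the scope of the hit.
$notes = foreach ($root in $Roots) {
    Get-ChildItem -Path $root -Recurse -Force -File -Filter $NoteName -ErrorAction SilentlyContinue
}
'{0} ransom notes found in {1} directories' -f $notes.Count, ($notes.DirectoryName | Sort-Object -Unique).Count
```

Export the `$encrypted` table to CSV before rebooting or restoring anything, since a restore from backup overwrites the timestamps and ownership that make this useful.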


#5 Demonslay335 (Ransomware Hunter, Security Colleague)

Posted 09 March 2016 - 12:47 AM

Is the ransom note in every folder, or just one place? I've seen some of the "manual hack" ones tend to have just one ransom note on the desktop sometimes. Another thing to investigate will of course be the vector of attack. Are either of those servers open to RDP traffic online; if so, were they properly secured? Is there an external spam filter in place that tracks traffic before it gets to the Exchange server?

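One way to answer the RDP exposure question above on each server, as an added PowerShell example that is not from the thread or any of its participants. The registry paths are the standard Terminal Server settings; Get-NetTCPConnection needs Windows 8/Server 2012 or later (older hosts can use netstat instead); the Expected column is an assumed hardening baseline, not something the thread states.

```powershell
# Added example (not from the thread): report a server's RDP posture and recent
# failed logons so the "was it properly secured?" question has a concrete answer.
$ts  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$tcp = "$ts\WinStations\RDP-Tcp"

$p = Get-ItemProperty -Path $ts  -ErrorAction SilentlyContinue
$r = Get-ItemProperty -Path $tcp -ErrorAction SilentlyContinue

# Assumed baseline: RDP off unless needed, NLA on, TLS security layer, default port known.
$checks = @(
    [pscustomobject]@{ Setting = 'RDP enabled';        Value = ($p.fDenyTSConnections -eq 0); Expected = 'only if needed' }
    [pscustomobject]@{ Setting = 'NLA required';       Value = ($r.UserAuthentication -eq 1);  Expected = $true }
    [pscustomobject]@{ Setting = 'TLS security layer'; Value = ($r.SecurityLayer -eq 2);       Expected = $true }
    [pscustomobject]@{ Setting = 'Listening port';     Value = $r.PortNumber;                  Expected = 3389 }
)

# Is a listener actually up, and where are current sessions coming from?
$listen = Get-NetTCPConnection -LocalPort $r.PortNumber -State Listen -ErrorAction SilentlyContinue
$checks += [pscustomobject]@{ Setting = 'Listener present'; Value = [bool]$listen; Expected = 'matches intent' }
$checks | Format-Table -AutoSize

Get-NetTCPConnection -LocalPort $r.PortNumber -State Established -ErrorAction SilentlyContinue |
    Select-Object RemoteAddress, CreationTime |
    Format-Table -AutoSize

# Failed logons (event 4625) grouped by source IP: a password-guessing indicator.
# In the 4625 inserted strings LogonType is index 10 and IpAddress index 19.
# Type 10 is RemoteInteractive; with NLA on, failures usually surface as type 3.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625 } -MaxEvents 500 -ErrorAction SilentlyContinue |
    Where-Object { $_.Properties[10].Value -in 3, 10 } |
    Group-Object { $_.Properties[19].Value } |
    Sort-Object Count -Descending |
    Select-Object Count, @{ n = 'SourceIP'; e = { $_.Name } } -First 10 |
    Format-Table -AutoSize
```

Run it on Exchange and the domain controllers through Invoke-Command from a clean admin host; a listener reachable from the internet without NLA, together with a tall column of 4625 events from one address, is the pattern to look for.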


#6 imseandavis (Topic Starter, Members)

Posted 09 March 2016 - 12:50 AM

Client's system. I need to take a deeper look into the file specifics; it did look as if about 6 in the morning it took about 22 minutes to encrypt one machine and then moved on from there through shares. It was more information gathering and educating and trying to herd cats once it started, so I'll have more time tomorrow to take a deeper look. For obvious reasons VPN has been disallowed and access is tightly controlled now. Do you have a recommendation of the best program to use to scan? I'm already in the process of trying to get the Foolish.it app loaded up and distributed to all endpoints and looking to see what else I can do to mitigate in the meantime. I'll also take a look at properties and see what I can come up with as well.



#7 Demonslay335 (Ransomware Hunter, Security Colleague)

Posted 09 March 2016 - 12:56 AM

I usually like to run HitmanPro and Malwarebytes Anti-Malware if you're in Windows, maybe even throw in Malwarebytes Anti-Rootkit for this one. I haven't tried those in MiniXP before. I'm not as well versed with a boot CD with malware tools like I mentioned, but it would be the best way to go until you know what you're dealing with (and what machine(s) even). I believe I've seen Avast or Emsisoft make some bootable rescue tools.



#8 imseandavis (Topic Starter, Members)

Posted 09 March 2016 - 12:58 AM

Awesome, thanks for the info. I'll dig deeper, run some of the tools you mentioned, and get back to you tomorrow to let you know what I've found. The files have also been submitted to Symantec for eval, so I'll share what I find out from them as well.



#9 Demonslay335 (Ransomware Hunter, Security Colleague)

Posted 09 March 2016 - 01:11 AM

Oh, I forgot you said Symantec picked up on something. Was it actually the malware? It might show what system it was caught on. If you submit it to VirusTotal and Malwr, you can post the hash here, and security analysts will have access to it without openly sharing the file directly in public (which is of course dangerous). You can also submit it to the malware submission channel here on BC (on mobile and can't grab a link currently) so the crypto experts can take a look.



#10 quietman7 (Bleepin' Janitor, Global Moderator)

Posted 09 March 2016 - 06:03 AM

Samples of any encrypted files, ransom notes or suspicious executables (installer, malicious files, attachments) that you suspect were involved in causing the infection can be submitted here (http://www.bleepingcomputer.com/submit-malware.php?channel=3) and here (http://www.bleepingcomputer.com/submit-malware.php?channel=170) with a link to this topic. Doing that will be helpful for analysis and investigation by our crypto experts, as indicated by Demonslay335.

Microsoft MVP Consumer Security 2007-2015
Microsoft MVP Reconnect 2016
Windows Insider MVP 2017
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#11 imseandavis (Topic Starter, Members)

Posted 09 March 2016 - 10:22 AM

Here is a copy of the virus cleanup dialogs from when we cleaned it. Also, there are two files in every directory: a README_IMPORTANT.txt and secret.key

http://imgur.com/979kTzC

http://imgur.com/RiocMxj

I did see attempts in Spiceworks where stuff was attempting to enter the network but was stopped several times from several places. I was told by an onsite contact that all the machines have already been rebooted and they were unable to find where the origin machine was.

I will upload the files to the link already listed here for someone to review. I still have not received an image file for testing.



#12 imseandavis (Topic Starter, Members)

Posted 09 March 2016 - 10:25 AM

I have submitted the keyfile, a sample encrypted file and the ransom note. Let me know what else you may need.



#13 Demonslay335 (Ransomware Hunter, Security Colleague)

Posted 09 March 2016 - 10:33 AM

If you can get that result00.exe safely from the quarantine (if it was deleted from quarantine, try Recuva to restore it real quick) and submit that, it might be useful. I tried manually grabbing the hash listed, but couldn't find a match on VirusTotal or Malwr; not 100% on if I got it right, a few 8's and B's look the same, tried a few combinations.

 

Is PDQ Deploy software that is used on the network for deploying installs to the workstations? Looks like maybe it had a vulnerability that allowed an upload perhaps (my best guess based on the info given), or someone got access and dropped it in there. If that was the vector, that would make sense of how it could be deployed to multiple computers. That's sneaky.


Edited by Demonslay335, 09 March 2016 - 10:34 AM.



#14 Grinler (Lawrence Abrams, Admin)

Posted 09 March 2016 - 01:21 PM

Yes, the result file would be nice to have.

#15 imseandavis (Topic Starter, Members)

Posted 09 March 2016 - 01:37 PM

Requesting from the client now.





