
Surprise Ransomware Support and Help Topic (.surprise, .tzu extension)


138 replies to this topic

#16 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 51,900 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 10 March 2016 - 09:11 PM

Sorry to hear about that jimyolsen but as noted in Post #11 by Grinler, the site owner of BC...

....at this time there is not much we can do for you. The command & control server appears to be down and the encryption itself is secure. If the C2 comes up, we can try and do more.


Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click the donate button.


#17 jimyolsen

  • Members
  • 16 posts

Posted 10 March 2016 - 09:48 PM

Thanks quietman7 for your reply.

 

I read Grinler's post and I understand that there is nothing to do at this moment, but I am offering myself again to provide as much info as I can to try to find a solution.

I am trying to find out how I got infected, and so far I found that the encryption process started at 10/03/2016 22:19:19 (first file encrypted), and I found the surprise.exe file created 10/03/2016 22:18:59 but modified 10/03/2016 17:31:38.

Probably this information is not relevant, but at that time I didn't execute any particular program. A few Firefox windows were running, the WAMP server process, and apart from the Dropbox process, the Mega process and some others, nothing else that could be relevant, so I still don't know how I could have got infected.
 
Still searching HOW!!
 
Thank you

Edited by jimyolsen, 10 March 2016 - 09:48 PM.


#18 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 51,900 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 10 March 2016 - 09:56 PM

I understand and that is why we appreciate everyone sharing their experiences in all these ransomware discussion topics.

You may want to read section :step2: in this topic, which explains the most common methods by which crypto malware and other forms of ransomware are typically delivered and spread. I keep updating it as new information comes to light.

#19 Demonslay335

    Ransomware Hunter

  • Security Colleague
  • 3,579 posts
  • Gender:Male
  • Location:USA

Posted 10 March 2016 - 10:54 PM

 

I am trying to find out how I got infected, and so far I found that the encryption process started at 10/03/2016 22:19:19 (first file encrypted), and I found the surprise.exe file created 10/03/2016 22:18:59 but modified 10/03/2016 17:31:38.

 

Can you upload surprise.exe to Malwr.com and PM me the hash/link? You can also submit it here for Grinler to take a look. You may have one with a new command server if it started encrypting your data today.

ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.


#20 jimyolsen

  • Members
  • 16 posts

Posted 11 March 2016 - 04:58 AM

Hi Demonslay,

File sent following your instructions.

 

I still don't know how it could have started, because I didn't execute it myself; moreover, I wasn't working at that time. Could the attack bypass the router and firewall and be executed remotely by someone?

 

Another question: what is the probability of recovering the files? 0,0%?

 

Thank you all



#21 AliasNeo

  • Members
  • 5 posts
  • Gender:Male

Posted 11 March 2016 - 06:15 AM

Hello,

 

I got the same problem – all my files on a server are encrypted and the extension is changed to .surprise. I have the same .txt file with instructions on how to pay.

Can one of your experts help us? Should I open a new topic or can we do it here?

 

Cheers



#22 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 51,900 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 11 March 2016 - 06:45 AM

There is no need to start a new topic.

Rather than have everyone start individual topics, it would be best (and more manageable for staff) if everyone posted any questions, comments or requests for assistance in this support topic discussion.

#23 Demonslay335

    Ransomware Hunter

  • Security Colleague
  • 3,579 posts
  • Gender:Male
  • Location:USA

Posted 11 March 2016 - 10:15 AM

I've assessed the sample from @jimyolsen and @AliasNeo. It was a new C2 server, but the panel is down.

 

We aren't sure of how this one is spread quite yet. A few of the other EDA2 variants were manual hacks, so that is possible. Did the affected machine have access to RDP or another remote method via the web? The scenario you describe is theoretically possible if your Windows edition doesn't have all updates. I've heard of something like that with a fresh-load, pre-SP1 Windows 7 using an RPCSS service exploit, but it is highly unlikely. That would only be possible if ports are forwarded to your device, as the firewall will not let anything directly through otherwise.


logo-25.pngID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

ransomnotecleaner-25.png RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

cryptosearch-25.pngCryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.


#24 AliasNeo

  • Members
  • 5 posts
  • Gender:Male

Posted 11 March 2016 - 10:42 AM

The affected PC is a Windows XP 2002 SP3; RDP is not enabled.

 

BUT it does have TeamViewer installed, and I found a log file saying someone connected at about the same time our PC was “hacked”.

The TeamViewer connection comes from the same user that usually connected from the firm I mention in the PM that supports the software.



#25 jimyolsen

  • Members
  • 16 posts

Posted 11 March 2016 - 10:49 AM

Hi Demonslay,

First of all, thank you for your interest in this issue.

About the C2 server: should we know what such a server is? When you say the panel is down, does that mean it is not infecting anyone else right now?

I am still searching for how I could have been infected, trying to reproduce all the steps I did yesterday. I didn't execute any new .exe file, so this hypothesis is invalid. What I did was work with some .zip and .rar files, but after checking them today I found nothing wrong.

The OS used is W7x64 SP1 with all the updates installed. At the time of the exploit the default Windows RDP was turned on (now it is off).

What I have installed is a WAMP server to work with web environments and, yes, port 80 is redirected to this machine at the router level, to allow access from the internet to this server sometimes.

I usually take care to keep the WAMP server setting (put online / put offline) offline most of the time, but yesterday I was online at that moment. Could this be the cause of the exploit?

What I noticed is that by default, when I turned on the computer, it loaded the Windows desktop right away without the user password screen, and since the attack every time I reboot the PC I have to click the user login screen. FYI, there is only one user, without a Windows password, so it is very strange.

 

 

I am not sure if this system is secure or not yet. 

 

Thank you very much



#26 jimyolsen

  • Members
  • 16 posts

Posted 11 March 2016 - 11:41 AM

OOOOHHHH SHIIITTTTT!!!!

 

I got where it came from. I forgot the f*cking TeamViewer. Thanks to AliasNeo's post, I have checked the TeamViewer log file and voilà!!! Here it is:

[image: TeamViewer log screenshot]

WTF !!!!!

As you can see in the log image, I was under the control of someone else. I also saw in the log some other attempts to control this machine, but (pending deeper analysis) nothing as serious as this attack.

 

 

Any suggestion on what steps to follow now?

 

I will keep posting more news.

 

Thank you



#27 radiocaf

  • Members
  • 12 posts

Posted 11 March 2016 - 12:01 PM

Me too! I just checked my TeamViewer and it has the following:

 

2016/03/07 22:09:02.021  5192  5196 G1   - File transfer request from Carl (479 441 239) allowed

2016/03/07 22:09:02.119  5192  5196 G1   - Views folder <root drives>
2016/03/07 22:09:03.715  5192  5196 G1   - Views folder <root drives>
2016/03/07 22:09:05.067  5192  5196 G1   - Views folder C:\Users\Carl\Desktop\
2016/03/07 22:09:10.510  5192  5196 G1   - Processing file transfer...
2016/03/07 22:09:10.511  5192  5196 G1   - Write file C:\Users\Carl\Desktop\surprise.exe
2016/03/07 22:09:11.265  5192  5196 G1   - File transfer finished.
2016/03/07 22:09:11.268  5192  5196 G1   - Views folder C:\Users\Carl\Desktop\
2016/03/07 22:09:12.879  5192  6732 G1   Ending CFileTransferThreadServer... 
2016/03/07 22:09:12.880  5192  6732 G1   The CFileTransferThreadServer has ended. 
2016/03/07 22:09:12.880  5192  5196 G1   - File transfer server shut down.

 

I have now uninstalled TeamViewer.

 

Please tell me this can be fixed; I moved my pictures of my newborn daughter onto my computer and they all got encrypted before I could back them up to the NAS.

 

I need them back. :'(
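One way to pull the same evidence out of a TeamViewer log automatically, as an added example (not code from the thread or from TeamViewer): it parses lines of the shape shown in the post above, remembers the most recent allowed inbound file-transfer peer, and flags executables that transfer wrote to disk. The log line format is taken from the excerpt; the sample lines, peer name, peer ID and paths are constructed placeholders.

```python
import re
from datetime import datetime

# Constructed sample, modelled on the TeamViewer log excerpt in the thread
# (peer name, peer ID and paths are placeholders, not real values).
SAMPLE_LOG = """\
2016/03/07 22:09:02.021  5192  5196 G1   - File transfer request from ExamplePeer (000 000 000) allowed
2016/03/07 22:09:02.119  5192  5196 G1   - Views folder <root drives>
2016/03/07 22:09:05.067  5192  5196 G1   - Views folder C:\\Users\\User\\Desktop\\
2016/03/07 22:09:10.510  5192  5196 G1   - Processing file transfer...
2016/03/07 22:09:10.511  5192  5196 G1   - Write file C:\\Users\\User\\Desktop\\surprise.exe
2016/03/07 22:09:11.265  5192  5196 G1   - File transfer finished.
2016/03/07 22:09:12.879  5192  6732 G1   Ending CFileTransferThreadServer...
2016/03/07 22:30:00.000  5192  5196 G1   - Write file C:\\Users\\User\\Documents\\notes.txt
"""

# Line shape: "YYYY/MM/DD HH:MM:SS.mmm  PID  TID  Gx  [- ]message"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{3})"
    r"\s+\d+\s+\d+\s+\S+\s+(?:-\s+)?(?P<msg>.*)$"
)
TRANSFER_RE = re.compile(r"File transfer request from (?P<who>.+?) \((?P<id>[\d ]+)\) allowed")
WRITE_RE = re.compile(r"^Write file (?P<path>.+)$")
# Extensions worth flagging when a remote peer drops them on the disk.
RISKY_EXT = (".exe", ".scr", ".bat", ".cmd", ".ps1", ".vbs", ".js", ".dll", ".msi")


def find_pushed_executables(log_text):
    """Return (timestamp, peer, path) for every risky file written through an
    allowed inbound file transfer; peer is the most recent allowed requester."""
    hits = []
    peer = None
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # not a log line we understand: skip it
        msg = m["msg"].strip()
        t = TRANSFER_RE.search(msg)
        if t:
            peer = f"{t['who']} ({t['id']})"  # attribute later writes to this peer
            continue
        w = WRITE_RE.match(msg)
        if w and w["path"].strip().lower().endswith(RISKY_EXT):
            ts = datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S.%f")
            hits.append((ts, peer, w["path"].strip()))
    return hits


if __name__ == "__main__":
    for ts, peer, path in find_pushed_executables(SAMPLE_LOG):
        print(f"{ts:%Y-%m-%d %H:%M:%S} remote peer {peer} wrote {path}")
```

Run it against a real TeamViewer log file and compare the timestamps of any hits with the creation time of the first encrypted file, as jimyolsen did by hand above.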



#28 Demonslay335

    Ransomware Hunter

  • Security Colleague
  • 3,579 posts
  • Gender:Male
  • Location:USA

Posted 11 March 2016 - 01:55 PM

Anyone who still has a surprise.exe and hasn't done so, please upload it to Malwr.com and send me a link. We can only hope a C2 server is still up. There's no way of reversing the encryption itself, I'm afraid.

 

If you have TeamViewer, you should at the minimum change all passwords, and make sure they are secure passwords. Make sure TeamViewer is fully updated, and that all other software is updated.


logo-25.pngID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

ransomnotecleaner-25.png RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

cryptosearch-25.pngCryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.


#29 radiocaf

  • Members
  • 12 posts

Posted 11 March 2016 - 02:59 PM

Anyone who still has a surprise.exe and hasn't done so, please upload it to Malwr.com and send me a link. We can only hope a C2 server is still up. There's no way of reversing the encryption itself, I'm afraid.

 

If you have TeamViewer, you should at the minimum change all passwords, and make sure they are secure passwords. Make sure TeamViewer is fully updated, and that all other software is updated.

So should I just delete the files? Absolutely no way of getting them back?



#30 Demonslay335

    Ransomware Hunter

  • Security Colleague
  • 3,579 posts
  • Gender:Male
  • Location:USA

Posted 11 March 2016 - 03:25 PM

@radiocaf

 

If you still have the surprise.exe, you can submit it for me to look at to see if the server is active.

 

So far, there is no way of breaking the encryption itself, but with it still being new, you never know if we find another way through other channels. At worst, it is always recommended to back up the encrypted files and hope for a solution in the future.


logo-25.pngID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

ransomnotecleaner-25.png RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

cryptosearch-25.pngCryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.




