Samas Ransomware Support and Help Topic - HELP_DECRYPT.txt .encedRSA


105 replies to this topic

#1 dr2i4ve


Posted 12 March 2016 - 05:57 PM

Our network was attacked and now all files are encrypted with .encedRSA at the end of them. It left behind a HELP_DECRYPT file. All shadow copies deleted and EVEN formatted a NAS device that held additional Storagecraft backups...
 
Could really use some help here gents :(
 
Below is what the HELP file contains.
 
#What happened to your files?
All your files encrypted with RSA-2048 encryption, For more information search in Google "RSA Encryption"
 
#How to recover files?
RSA is a asymmetric cryptographic algorithm, You need one key for encryption and one key for decryption
So you need Private key to recover your files.
It's not possible to recover your files without private key
 
#How to get private key?
You can get your private key in 3 easy step:

Step1: You must send us 1.7 Bitocin for each affected PC OR 22 Bitocin to receive ALL Private Keys for ALL affected PC's.

Step2: After you send us 1.7 Bitocin, Leave a comment on our Site with this detail: Just write Your "Host name" in your comment

*Your Host name is: SERVERNAME


Step3: We will reply to your comment with a decryption software, You should run it on your affected PC and all encrypted files will be recovered

*Our Site Address: http://roe53ncs47yt564u.onion/east3/

*Our BitCoin Address:136hcUpNwhpKQQL7iXXWmwUnikX7n98xsL

(If you send us 22 Bitocin For all PC, Leave a comment on our Site with this detail: Just write "For All Affected PCs" in your comment)
 
How To Access To Our Site
For access to our site you must install Tor browser and enter our site URL in your tor browser.
You can download tor browser from https://www.torproject.org/download/download.html.en
For more information please search in Google "How to access onion sites"
 
# Test Decryption #
Check our site, We generated a decryption software for one of your computer randomly, Don't worry it's not malicious software.
If you afraid to run "Test Decryption" software, You can run it on a VM(Virtual machine), also you need some encrypted file in VM from test computer
 
#Where to buy Bitcoin
We advice you to buy Bitcoin with Cash Deposit or WesternUnion From https://www.bitquick.co/buy-2.php or https://coincafe.com/buybitcoinswestern.php
Because they don't need any verification and send your Bitcoin quickly.
 
#deadline
You just have 7 days to send us the Bitcoin after 7 days we will remove your private key and it's impossible to recover your files

Edited by Grinler, 12 March 2016 - 06:22 PM.



#2 Demonslay335

    Ransomware Hunter



Posted 12 March 2016 - 06:01 PM

Can you provide a few sample encrypted files? The extension sounds familiar, but can't find which one I'm thinking of. HELP_DECRYPT would make me think CryptoWall, but it doesn't add an extension.

 

I would suggest running HitmanPro and MalwareBytes to try finding the malware. If you can track it down somehow, through browser history, event logs, or emails, we can have someone assess it.


ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.


#3 Grinler

    Lawrence Abrams



Posted 12 March 2016 - 06:20 PM

Was the NAS device connected to a drive letter?

Also any chance you have a sample of the installer?

#4 dr2i4ve


Posted 12 March 2016 - 06:25 PM

Can you provide a few sample encrypted files? The extension sounds familiar, but can't find which one I'm thinking of. HELP_DECRYPT would make me think CryptoWall, but it doesn't add an extension.

 

I would suggest running HitmanPro and MalwareBytes to try finding the malware. If you can track it down somehow, through browser history, event logs, or emails, we can have someone assess it.

Demonslay335 - I have submitted the HELP_DECRYPT file and a few of the ENCEDRSA files that are actually encrypted. I cannot believe my NAS devices holding Storagecraft backups were detected and wiped from this as well... had to have required some manual user detection and deletion. Any help would be greatly appreciated.

 

I just ran Malware Bytes on one of the servers and it came back with nothing. Looking into HitmanPro now.



#5 dr2i4ve


Posted 12 March 2016 - 06:27 PM

Was the NAS device connected to a drive letter?

Also any chance you have a sample of the installer?

The NAS device was not a local / mapped drive to any of the servers. The only way you'd know about it would be from opening Image Manager on the server and seeing the backup destination. The NAS device runs Windows OS. I had all the backups residing on a D: drive and that drive is completely empty now.



#6 quietman7

    Bleepin' Janitor



Posted 12 March 2016 - 06:41 PM

This appears similar to Samas .encryptedRSA Ransomware which also drops a ransom note named HELP_DECYPRT_YOUR_FILES.HTML.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click here

#7 Demonslay335

    Ransomware Hunter



Posted 12 March 2016 - 06:45 PM

That's the one I was thinking of, couldn't find that topic for some reason.

 

@dr2i4ve

 

If you follow some of the advice in that topic, you may be able to hopefully find the dropper so it can be properly analysed. Looks like a sample wasn't acquired before.




#8 dr2i4ve


Posted 13 March 2016 - 08:21 AM

No luck on finding the installer yet. May have found the initial computer though so I'll search that more.



#9 dr2i4ve


Posted 15 March 2016 - 09:06 AM

Has anyone else run across this ransom virus the past few days?

 

I had to pay the ransom for a server and just started the decrypt process the other day. When the decryption process starts, it copies back the original file and keeps the encrypted file, so I essentially need 51% free space on my server to do the unencrypt process. Is this normal? It's taking extremely long because of this. Here are the instructions that were sent with the decrypt.

 

How to use privateKey? Use blow example:
 
In 3 stpes:
 
1- Your free drives space must be bigger than used drives space, For example if you used 5 gigs of your D: drive, you need at least  5.1 gigs free space
 
2- to decrypt Test PC, Run Decrypt.exe Test_PrivateKey.keyxml
 
3- After decryption finished, You should verify that your files decrypted successfully
 
4- Now you can delete encrypted files, Run delete.exe to delete encrypted files
 
 
TIPS:
1- Run as administrator
 
2- Use a big ram system
 
3- Dot net must be installed(ver 2)
 
4- If you get error, Comment your error and your OS version


#10 Demonslay335

    Ransomware Hunter



Posted 15 March 2016 - 09:12 AM

@dr2i4ve

That's pretty normal for decrypters to be on the safe side, the legitimate ones will do that by default too. It's best so that you can verify the decryption works. For some ransomwares, there is no way of properly telling if the key worked without trying it really, data can be corrupted if the key passes the padding check but still isn't correct.

 

Could you upload the decrypter to Malwr and post the link? We could at least analyse it to see what encryption scheme they are using to give us a better clue on how the ransomware works since the malware itself has been elusive.




#11 DanielGallagher


Posted 15 March 2016 - 01:43 PM

This appears similar to .encryptedRSA Ransomware which also drops a ransom note named HELP_DECYPRT_YOUR_FILES.

 

I strongly agree that this is the same ransomware detected as Samas or Samsam. I have VTi alerts set up to watch for new submissions and recently saw new ones come in. I will start hunting to confirm.



#12 dr2i4ve


Posted 15 March 2016 - 03:20 PM

I have found some related files to this virus. On the C:\Windows there is a file called bilkaner.exe and in the description it says -

 

File Description MiCro Oragns
Original Filename MIKOPONI.exe
There is also a cfgall file that shows some info about the encryption. I'll submit those.
 
The publickeys reside in that same location as well. Will submit those.


#13 Demonslay335

    Ransomware Hunter



Posted 15 March 2016 - 04:33 PM

Thanks to @DanielGallagher and @MalwareHunterTeam for helping me acquire a sample to analyse. We've confirmed this is an evolution of the .encryptedRSA Ransomware, with a few more silly obfuscation tricks that make it a little harder to read (adding random repeated letters to variables, encoding most strings in hex and decoding at runtime).

 

While this is a C# project, I don't believe it is derived from HiddenTear/EDA2 much; if it is, they've greatly changed 90% of the code. They've interestingly called this one MIKOPONI, and it is based off of the SAM Ransomware.

 

Confirmed files are appended with ".encedrsa", and leaves "HELP_DECRYPT_YOUR_FILES.html" as ransom note.

 

No C2 server is involved; the malware is directly passed a public RSA key via command line from the batch file executable. Seems to be run from systems that are manually hacked, and then the attackers laterally move about the network. Everyone may have the same public key if it is distributed any other automated way.

 

All available drive letters are enumerated, and the following extensions are whitelisted for encryption.

.vb, .asmx, .config, .3dm, .3ds, .3fr, .3g2, .3gp, .3pr, .7z, .ab4, .accdb, .accde, .accdr, .accdt, .ach, .acr, .act, .adb, .ads, .agdl, .ai, .ait, .al, .apj, .arw, .asf, .asm, .asp, .aspx, .asx, .avi, .awg, .back, .backup, .backupdb, .bak, .lua, .m, .m4v, .max, .mdb, .mdc, .mdf, .mef, .mfw, .mmw, .moneywell, .mos, .mov, .mp3, .mp4, .mpg, .mrw, .msg, .myd, .nd, .ndd, .nef, .nk2, .nop, .nrw, .ns2, .ns3, .ns4, .nsd, .nsf, .nsg, .nsh, .nwb, .nx2, .nxl, .nyf, .tif, .tlg, .txt, .vob, .wallet, .war, .wav, .wb2, .wmv, .wpd, .wps, .x11, .x3f, .xis, .xla, .xlam, .xlk, .xlm, .xlr, .xls, .xlsb, .xlsm, .xlsx, .xlt, .xltm, .xltx, .xlw, .xml, .ycbcra, .yuv, .zip, .sqlite, .sqlite3, .sqlitedb, .sr2, .srf, .srt, .srw, .st4, .st5, .st6, .st7, .st8, .std, .sti, .stw, .stx, .svg, .swf, .sxc, .sxd, .sxg, .sxi, .sxm, .sxw, .tex, .tga, .thm, .tib, .py, .qba, .qbb, .qbm, .qbr, .qbw, .qbx, .qby, .r3d, .raf, .rar, .rat, .raw, .rdb, .rm, .rtf, .rw2, .rwl, .rwz, .s3db, .sas7bdat, .say, .sd0, .sda, .sdf, .sldm, .sldx, .sql, .pdd, .pdf, .pef, .pem, .pfx, .php, .php5, .phtml, .pl, .plc, .png, .pot, .potm, .potx, .ppam, .pps, .ppsm, .ppsx, .ppt, .pptm, .pptx, .prf, .ps, .psafe3, .psd, .pspimage, .pst, .ptx, .oab, .obj, .odb, .odc, .odf, .odg, .odm, .odp, .ods, .odt, .oil, .orf, .ost, .otg, .oth, .otp, .ots, .ott, .p12, .p7b, .p7c, .pab, .pages, .pas, .pat, .pbl, .pcd, .pct, .pdb, .gray, .grey, .gry, .h, .hbk, .hpp, .htm, .html, .ibank, .ibd, .ibz, .idx, .iif, .iiq, .incpas, .indd, .jar, .java, .jpe, .jpeg, .jpg, .jsp, .kbx, .kc2, .kdbx, .kdc, .key, .kpdx, .doc, .docm, .docx, .dot, .dotm, .dotx, .drf, .drw, .dtd, .dwg, .dxb, .dxf, .dxg, .eml, .eps, .erbsql, .erf, .exf, .fdb, .ffd, .fff, .fh, .fhd, .fla, .flac, .flv, .fmb, .fpx, .fxg, .cpp, .cr2, .craw, .crt, .crw, .cs, .csh, .csl, .csv, .dac, .bank, .bay, .bdb, .bgt, .bik, .bkf, .bkp, .blend, .bpw, .c, .cdf, .cdr, .cdr3, .cdr4, .cdr5, .cdr6, .cdrw, .cdx, .ce1, .ce2, .cer, .cfp, .cgm, .cib, .class, .cls, .cmt, .cpi, .ddoc, .ddrw, .dds, .der, .des, .design, .dgc, .djvu, .dng, .db, .db-journal, .db3, .dcr, .dcs, .ddd, .dbf, .dbx, .dc2, .pbl

While iterating files, it generates a list of really large files, and encrypts those last; this way, it encrypts the most files possible before being interrupted, bothering with files larger than 250MB only afterwards (then 500MB, then 1GB, then 1GB+)

 

Files are encrypted with a securely random 16-character key using AES-128 CBC mode for each individual file. This key is encrypted with RSA-2048, and embedded in the header of the encrypted file. The original file is then deleted. HMAC is used for key signing (this subject is over my head currently on how that works).

 

Skips Windows and Program Files directories, the Recycle Bin, and any .ini, .sys, or .dll files.

 

Deletes itself using a batch file after it is done.

 

Interestingly, the earlier variant specifically skips Windows 2000, but they remove usage of that function in this version.



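As an added triage example (written for this thread, not code from the original posts or from any tool named in them), the script below inventories a directory tree for the artifacts the analysis above describes: .encedrsa files bucketed into the size tiers the malware defers (250MB, 500MB, 1GB, 1GB+), the HELP_DECRYPT_YOUR_FILES.html note, and the del.bat self-deletion script, and it checks the free-space precondition quoted from the decrypter instructions earlier in the thread. The sample tree it builds is constructed data with hypothetical file names; the sizes are sparse files, so nothing large is actually written.

```python
import tempfile
from collections import Counter
from pathlib import Path

ENCRYPTED_EXT = ".encedrsa"                 # extension the malware appends
NOTE_NAME = "help_decrypt_your_files.html"  # ransom note name reported in the thread
CLEANUP_SCRIPT = "del.bat"                  # self-deletion batch file named in the thread
MB = 1024 * 1024
# Size tiers from the analysis: files over 250MB are deferred, then 500MB, then 1GB, then 1GB+
TIERS = ((250 * MB, "<=250MB"), (500 * MB, "250MB-500MB"),
         (1024 * MB, "500MB-1GB"), (float("inf"), ">1GB"))

def tier_of(size):
    """Return the size tier a file falls in (the malware encrypts tier by tier)."""
    for limit, label in TIERS:
        if size <= limit:
            return label

def inventory(root):
    """Walk root and summarise encrypted files, ransom notes and cleanup scripts."""
    result = {"encrypted": 0, "encrypted_bytes": 0, "tiers": Counter(),
              "orig_ext": Counter(), "notes": [], "cleanup_scripts": []}
    for path in (p for p in Path(root).rglob("*") if p.is_file()):
        low = path.name.lower()
        if low.endswith(ENCRYPTED_EXT):
            size = path.stat().st_size
            result["encrypted"] += 1
            result["encrypted_bytes"] += size
            result["tiers"][tier_of(size)] += 1
            # the original extension sits just before the appended .encedrsa
            result["orig_ext"][Path(low[:-len(ENCRYPTED_EXT)]).suffix] += 1
        elif low == NOTE_NAME:
            result["notes"].append(str(path))
        elif low == CLEANUP_SCRIPT:
            result["cleanup_scripts"].append(str(path))
    return result

def decrypter_space_ok(encrypted_bytes, free_bytes):
    """Precondition from the posted decrypter notes: free space must exceed used space."""
    return free_bytes > encrypted_bytes

def build_sample_tree(root):
    """Constructed sample data (hypothetical names); files are sparse, so no disk is used."""
    samples = {"docs/report.docx.encedrsa": 10 * 1024, "db/backup.bak.encedrsa": 300 * MB,
               "video/training.mp4.encedrsa": 1536 * MB, "docs/HELP_DECRYPT_YOUR_FILES.html": 2048,
               "Windows/del.bat": 64, "Windows/system.ini": 512}  # .ini is skipped by the malware
    for rel, size in samples.items():
        p = Path(root, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        with open(p, "wb") as fh:
            fh.truncate(size)

def demo():
    """Build the sample tree in a temporary directory and return its inventory."""
    with tempfile.TemporaryDirectory(prefix="samas_triage_") as root:
        build_sample_tree(root)
        return inventory(root)
```

Point `inventory()` at a real volume to get a per-tier count before a restore, and feed the `encrypted_bytes` total plus the volume's free space into `decrypter_space_ok()` to see whether the posted "free must exceed used" rule holds.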

#14 dr2i4ve


Posted 15 March 2016 - 05:33 PM

Demonslay335 - 
 
That sounds exactly like the file that I found and submitted (Bilkaner.exe). 
 
Can you explain what no C2 server involved means? I never found where the initial infection came from... any ideas on how this originates or arrives? With that being said, I still have an uneasy feeling that something could be lingering on a machine showing no symptoms. On anything that showed HELP_DECRYPT files I have formatted the drives.
 
I had a few other symptoms from this. On a 2003 Windows Server that hosts an old application of ours... the files were encrypted and the IIS was removed. Webroot found 'sqlsrvtmg1' on a few of the infected machines. That file and a publickey file were also on a few domain controllers C:\Windows but those did not have any encrypted files?

Edited by dr2i4ve, 15 March 2016 - 05:35 PM.


#15 Demonslay335

    Ransomware Hunter



Posted 15 March 2016 - 05:42 PM

 

Demonslay335 - 
 
That sounds exactly like the file that I found and submitted (Bilkaner.exe). 
 
Can you explain what no C2 server involved means? I never found where the initial infection came from... any ideas on how this originates or arrives? With that being said, I still have an uneasy feeling that something could be lingering on a machine showing no symptoms. On anything that showed HELP_DECRYPT files I have formatted the drives.
 
I had a few other symptoms from this. On a 2003 Windows Server that hosts an old application of ours... the files were encrypted and the IIS was removed.

 

 

Yep, it was your sample that was shared I'm pretty sure. :wink:

 

By having no C2 server, the key is never sent up to a server with a database of any sorts. This means nothing could intercept the network traffic to maybe grab the key (if you even have network logging), nor could we try to "hack" a server. This ransomware is run more or less completely manually. The hacker most likely had direct access to your server, generated an RSA key pair on their end, and passed the public key to the malware to start its task. Very interesting that IIS was tampered with, that could have been from spite perhaps.

 

You should not have a Windows Server 2003 anywhere near an Ethernet cord that connects to the internet. There are tons of exploits in the wild for it since Microsoft dropped support of it last July. According to a McAfee report shared with me, they may have used some type of Active Directory exploit on the server.

 

Any type of RDP is most likely compromised if the port is internet-facing. You should run RDP on a random port, have an extremely hard password, and white-list IPs that have external access. Better yet, don't forward RDP from the firewall at all, and use VPN to connect to the LAN for local RDP access.

 

You can check your system for a "del.bat", this is the script it uses to remove itself after it finishes encrypting data. Otherwise your system *may* be clean, but you can post a topic in the Am I Infected forums if you'd like someone to help confirm.


