
Bank_Account_Summary.pdf.exe & WindowsUpdate.locked Ransomware Support Topic



#1 Demonslay335


Posted 16 March 2016 - 12:46 PM

New ransomware found thanks to @siri_urz and with assistance from @malwrhunterteam.
 
Based on the HiddenTear project, this ransomware encrypts files with AES-256, and appends ".locked" to the file extension.
 
The ransom note is titled "WindowsUpdate.locked", and shows the following message.
 

All your files are now under my rule, Pay me some Bitconis and make them yours

 
The infection is a fake bank statement file titled "Bank_Account_Summary.pdf.exe" that may come in through emails.
 
The payment site is a fake CryptoWall page: http://202.181.194.227/cryptowall
 
One interesting behaviour is it will try to ping the above site; if any of 10 pings fail, it will show a message.
 

Are you trying to fool me? Connect me to the Internet ;)

 
 
If anyone has been hit by this ransomware, please share a few sample encrypted files via PM. I may have a way to decrypt the files, but would like to confirm with some samples before officially stating that it will work.

Edited by quietman7, 30 August 2016 - 07:19 AM.


#2 quietman7


Posted 16 March 2016 - 04:57 PM

We will have to be careful this one does not get confused with LOCKED Ransomware which uses the same .locked extension.

#3 jostya


Posted 16 June 2016 - 11:34 AM

Hello! Help with the virus. The virus encrypted the files. Can you try to restore them?


Edited by jostya, 16 June 2016 - 11:35 AM.


#4 Alex0070


Posted 16 June 2016 - 11:05 PM

Hello! Help with the virus. The virus encrypted the files. Can you try to restore them?

Hi. When was this? Are you from Kazakhstan too?


Edited by Alex0070, 16 June 2016 - 11:20 PM.


#5 al1963


Posted 16 June 2016 - 11:42 PM

Hello! Help with the virus. The virus encrypted the files. Can you try to restore them?

 

 

It is RAA Ransomware

http://www.bleepingcomputer.com/news/security/the-new-raa-ransomware-is-created-entirely-using-javascript/

 

For those who need support with this ransomware, we have a dedicated forum topic here:

RAA-SEP (.locked) Ransomware Help & Support Topic - !!!README!!!.rtf

 

 

 



#6 jostya


Posted 17 June 2016 - 12:24 AM

Hi. When was this? Are you from Kazakhstan too?

Hi. Yes, from Kazakhstan. This tragic event happened yesterday....

 

 

 

 

It is RAA Ransomware

http://www.bleepingcomputer.com/news/security/the-new-raa-ransomware-is-created-entirely-using-javascript/

 

For those who need support with this ransomware, we have a dedicated forum topic here:

RAA-SEP (.locked) Ransomware Help & Support Topic - !!!README!!!.rtf

Thank you
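
The mix-up in this thread (.locked is shared by LOCKED, RAA and the HiddenTear-based sample from post #1) can be handled by naming a family only from the ransom note, never from the extension. The sketch below is an added example, not code from any poster or from ID Ransomware; the decoy and executable extension lists, the sample paths, and the reading of "!!!README!!!.rtf" in the RAA topic title as that family's note name are assumptions.

```python
from pathlib import PureWindowsPath

# Indicators named in the thread. Treating "!!!README!!!.rtf" (from the RAA
# topic title) as that family's note name is an assumption.
DECOY_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".txt"}  # assumed
EXEC_EXTS = {".exe", ".scr", ".com", ".pif", ".js"}                      # assumed


def note_family(name):
    """Map a ransom note file name to the family the thread associates with it."""
    name = name.lower()
    if name == "windowsupdate.locked":
        return "HiddenTear-based (this topic)"
    if name.startswith("!!!readme!!!") and name.endswith(".rtf"):
        return "RAA"
    return None


def triage(paths):
    """Sort paths into indicator buckets; name a family only from a ransom note."""
    report = {"masquerade": [], "encrypted": [], "families": set()}
    for raw in paths:
        p = PureWindowsPath(raw)  # parses Windows paths on any OS
        suffixes = [s.lower() for s in p.suffixes]
        family = note_family(p.name)
        if family:
            report["families"].add(family)
        elif len(suffixes) >= 2 and suffixes[-1] in EXEC_EXTS and suffixes[-2] in DECOY_EXTS:
            report["masquerade"].append(raw)  # document name hiding an executable
        elif suffixes and suffixes[-1] == ".locked":
            report["encrypted"].append(raw)
    if report["families"]:
        report["verdict"] = "note identifies: " + ", ".join(sorted(report["families"]))
    elif report["encrypted"]:
        report["verdict"] = "ambiguous: .locked is shared by several families"
    else:
        report["verdict"] = "no indicators"
    return report


# Constructed sample listings, not taken from a real incident.
HOST_A = [r"C:\Users\a\Downloads\Bank_Account_Summary.pdf.exe",
          r"C:\Users\a\Desktop\WindowsUpdate.locked",
          r"C:\Users\a\Documents\budget.xlsx.locked"]
HOST_B = [r"C:\Users\b\Documents\notes.txt.locked"]

if __name__ == "__main__":
    for host, listing in (("A", HOST_A), ("B", HOST_B)):
        print(host, triage(listing))
```
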





