Troldesh/Shade (.better_call_saul/.breaking bad/.heisenberg/.xtbl/.ytbl) Topic


72 replies to this topic

#1 Sulley93

  • Members
  • 1 posts

Posted 17 March 2016 - 08:40 AM

Update: 08/01/16
Mod Edit by quietman7




@all

There has been some confusion from the start with what are actually two different ransomware families that use the extension .xtbl. The topics have been renamed to help with sorting future victims between these two infections.

------------------------------------------------------------------------------------------------------------------------------------------

Troldesh/Shade

This ransomware renames files with the format Base64(AES_encrypt(original file name)).xtbl, or may use .ytbl, .breaking_bad, or .heisenberg. Other extensions include .better_call_saul, .da_vinci_code, .magic_software_syndicate and .windows10 (these are not currently included in the Kaspersky decrypter, and so are not decryptable yet).

An example of a Troldesh/Shade encrypted file would be "VTJGc2RHVmtYMSs3aHNzL1NSem5qMmlxUjhKVVR2SlA4dGhVQkFDV1R1TT0=.xtbl".

The ransom note left is README1.txt, README2.txt ... README10.txt.

This ransomware is decryptable. See this page: https://www.nomoreransom.org/decryption-tools.html

------------------------------------------------------------------------------------------------------------------------------------------

CrySiS

This ransomware does not rename files. It will only append filenames with something like .<id>.<email>.xtbl, .<id>.<email>.CrySiS or .<id>.<email>.crypted.

An example of a CrySiS encrypted file would be "mypicture.jpg.id-12345678.Vegclass@aol.com.xtbl". There are several different email addresses, and a few very slight alterations on this format, but it still remains the same concept in general.

The ransom note left is How to decrypt your data.txt, How to decrypt your files.txt, or How to get data back.txt.

This ransomware is currently not decryptable.


 

Good morning all,
Yesterday all my personal files (images and music) were encrypted by a ransomware... I don't know how I got this malware!
All my files are encrypted and renamed like +6HmFrz34gdLAvMb74MvU5KNYwWaIoNkA-PYYDkVGwM=.BD61991CD74BB6479E3E.BETTER_CALL_SAUL, and I found in the root folder of my partition a lot of .txt files called README[n].txt (n=1 to 10)
In all of those files is written:
 
All the important files on your computer were encrypted.
To decrypt the files you should send the following code:
BD61991CD74BB6479E3E|0
to e-mail address decode99999@gmail.com .
Then you will receive all necessary instructions.
All the attempts of decryption by yourself will result only in irrevocable loss of your data.
If you still want to try to decrypt them by yourself please make a backup at first because
the decryption will become impossible in case of any changes inside the files.
If you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!),
use the reserve email. You can get it by two ways:
1) Download Tor Browser from here:
https://www.torproject.org/download/download-easy.html.en
Install it and type the following address into the address bar:
http://cryptorzimsbfbkx.onion/
Press Enter and then the page with reserve emails will be loaded.
2) Go to the one of the following addresses in any browser:
http://cryptorzimsbfbkx.onion.to/
http://cryptorzimsbfbkx.onion.cab/
 
I searched Google for this file extension and only got results about a film.
Today I scanned my PC with SpyHunter and it found malware called Shade Ransomware.
I deleted it immediately.
Now, is there any possibility of decrypting my files?


Edited by xXToffeeXx, 02 August 2016 - 04:49 AM.
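The naming rules in the mod edit above, as an added example that is not part of the original post or of any decrypter: a Python triage script that classifies an encrypted filename as Troldesh/Shade or CrySiS, pulls out the victim ID and e-mail where the name carries them, peels the base64 layers off a Troldesh/Shade name, and checks whether the "<ID>|<n>" code in a README note belongs to the same victim as a given file. The sample names are the ones quoted in this thread and the ransom-note snippet is reconstructed from post #1; the regexes are this example's own, not a published IOC, and the mapping of "-" to "/" in the better_call_saul name is an assumption (Windows forbids "/" in filenames, and that name contains both "+" and "-").

```python
import base64
import binascii
import re

# Extensions the mod edit attributes to Troldesh/Shade. Matched
# case-insensitively: post #1's sample uses upper-case .BETTER_CALL_SAUL.
SHADE_EXTENSIONS = {
    "xtbl", "ytbl", "breaking_bad", "heisenberg", "better_call_saul",
    "da_vinci_code", "magic_software_syndicate", "windows10",
}

# Troldesh/Shade: <base64 blob>[.<hex victim id>].<ext>  (this example's own regex)
SHADE_RE = re.compile(
    r"^(?P<blob>[A-Za-z0-9+/_\-]{20,}={0,2})"
    r"(?:\.(?P<id>[0-9A-Fa-f]{16,}))?"
    r"\.(?P<ext>[A-Za-z0-9_]+)$"
)

# CrySiS: <original name>.id-<id>.<email>.<xtbl|CrySiS|crypted>  (this example's own regex)
CRYSIS_RE = re.compile(
    r"^(?P<orig>.+)\.id-(?P<id>[0-9A-Za-z]+)\.(?P<email>[^@\\/]+@[A-Za-z0-9.\-]+)"
    r"\.(?P<ext>xtbl|crysis|crypted)$",
    re.IGNORECASE,
)


def _decode_filename_b64(text: str) -> bytes:
    """Decode one base64 layer as it appears in a filename.

    Assumption (not documented in the thread): '-' stands in for '/', which
    Windows does not allow in filenames. validate=True rejects anything
    outside the base64 alphabet so random text is not mistaken for a layer.
    """
    std = text.replace("-", "/")
    std += "=" * (-len(std) % 4)
    return base64.b64decode(std, validate=True)


def peel_base64_layers(blob: str, max_layers: int = 3) -> list:
    """Decode nested base64 until the result is no longer base64 text."""
    layers = []
    current = blob
    for _ in range(max_layers):
        try:
            raw = _decode_filename_b64(current)
        except (binascii.Error, ValueError):
            break
        layers.append(raw)
        try:
            text = raw.decode("ascii")
        except UnicodeDecodeError:
            break
        if not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", text):
            break
        current = text
    return layers


def parse_name(filename: str) -> dict:
    """Classify an encrypted filename by the naming rules in the mod edit."""
    m = CRYSIS_RE.match(filename)
    if m:
        return {"family": "CrySiS", "original_name": m["orig"],
                "victim_id": m["id"], "email": m["email"], "extension": m["ext"]}
    m = SHADE_RE.match(filename)
    if m and m["ext"].lower() in SHADE_EXTENSIONS:
        layers = peel_base64_layers(m["blob"])
        payload = layers[-1] if layers else b""
        return {
            "family": "Troldesh/Shade",
            "extension": m["ext"].lower(),
            "victim_id": m["id"].upper() if m["id"] else None,
            "base64_layers": len(layers),
            "payload_len": len(payload),
            # "Salted__" is the magic OpenSSL's enc format writes before the salt.
            "openssl_salted": payload.startswith(b"Salted__"),
        }
    return {"family": None}


NOTE_CODE_RE = re.compile(r"\b([0-9A-F]{16,})\|\d+\b")


def note_matches_file(note_text: str, filename: str) -> bool:
    """True when the '<ID>|<n>' code in a README note carries the file's victim ID."""
    code = NOTE_CODE_RE.search(note_text)
    return bool(code) and parse_name(filename).get("victim_id") == code.group(1)


# Sample names quoted in this thread.
SHADE_XTBL = "VTJGc2RHVmtYMSs3aHNzL1NSem5qMmlxUjhKVVR2SlA4dGhVQkFDV1R1TT0=.xtbl"
SHADE_BCS = "+6HmFrz34gdLAvMb74MvU5KNYwWaIoNkA-PYYDkVGwM=.BD61991CD74BB6479E3E.BETTER_CALL_SAUL"
CRYSIS_SAMPLE = "mypicture.jpg.id-12345678.Vegclass@aol.com.xtbl"

# Constructed from the README text quoted in post #1.
NOTE_SAMPLE = (
    "All the important files on your computer were encrypted.\n"
    "To decrypt the files you should send the following code:\n"
    "BD61991CD74BB6479E3E|0\n"
    "to e-mail address decode99999@gmail.com .\n"
)

if __name__ == "__main__":
    for name in (SHADE_XTBL, SHADE_BCS, CRYSIS_SAMPLE, "holiday.jpg"):
        print(name, "->", parse_name(name))
    print("note matches", SHADE_BCS, "->", note_matches_file(NOTE_SAMPLE, SHADE_BCS))
```

Run against the two Troldesh/Shade samples it reports a 32-byte payload in both cases: the .xtbl name carries two base64 layers and the inner one begins with OpenSSL's "Salted__" header, while the better_call_saul name has a single layer and no header, and its 20-hex-digit segment is the same victim ID the README asks you to mail. None of this recovers a key; it only confirms which family's naming scheme a file follows before you reach for the Kaspersky/NoMoreRansom tool.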



#2 Coachwn

  • Members
  • 4 posts

Posted 17 March 2016 - 09:26 PM

First off I am new here and I have no desire to hide any information so that others can be helped.

 

So it started while I slept last night, and I did a really dumb thing. I left my laptop connected to the network here at the hotel where I have been staying lately for work. I woke up this morning to a black background with red text and tons of readme files. An example of the .txt file is here:

 

All the important files on your computer were encrypted.
To decrypt the files you should send the following code:
A7AB1CC5BD204DF0A7D5|0
to e-mail address decode99999@gmail.com .
Then you will receive all necessary instructions.
All the attempts of decryption by yourself will result only in irrevocable loss of your data.
If you still want to try to decrypt them by yourself please make a backup at first because
the decryption will become impossible in case of any changes inside the files.
If you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!),
use the reserve email. You can get it by two ways:
1) Download Tor Browser from here:
Install it and type the following address into the address bar:
Press Enter and then the page with reserve emails will be loaded.
2) Go to the one of the following addresses in any browser:
 
So I went to work, hooked into the network in safe mode, called my work IT department and started searching on my own. I came across the MalwareTeam on Twitter and posted some information and was pointed here. After using Malwarebytes and HitmanPro I was able to get online, but I still haven't been able to find a reliable decryptor for what we have now determined to be Trojan.Crypt, which is what the files that infected me were identified as. We also determined that it wasn't anything I did but rather a hack that beat down my firewall (Windows) and took over the system a few minutes after I got offline last night. We found that out by searching through the various system logs in Windows. The final straw that broke my computer down happened about 2 hours after I went offline, at about 10:50pm EDT US time. Well, as the day progressed I figured that I might be able to help by getting a little lead on the people that did this. So I sent an email to the address listed above and got an email back shortly afterward that confirmed I was dealing with some idiots. Most of the files that are encrypted are pictures, and it really pisses me off that they are encrypted because they deal with a time last year with my family that is very much a time for great celebration. But I digress.
 
So I got an initial ransom amount of $250 USD and I honestly believe that they will provide the files however the next email I sent asking for how to pay them resulted in the people behind the scenes asking for .9 bitcoin and they gave me a bitcoin wallet address. Well the current conversion rate made that almost $400 USD and I replied back with the amount they gave me originally and then they replied with a different rate of .76 bitcoin and said that they had to pay exchange fees and that would take away from their haul is my guess....well if you are trying to screw me over; well then screw you because you asked for $250...I still did not pay but I decided to enlist the help of some friends.
 
A friend of mine works very closely with some 3-digit federal agencies that are very much against cyber crime. They have the headers from the email, and as of 9pm EDT US, after I handed the email over at 8:30pm, they have landed on a physical address that apparently has been tagged in a database recently for this same thing. I am unsure if we are going to get the decryption information, but at this point I would settle for a small amount of blood for the pain in the butt this has caused. My company's IT department is fairly certain that they can recover the data, and they are ordering me a new laptop for work. I am going to keep this one and do my best, with some friends' help, to try and recover the information. We shall see.
 
If anyone wants a copy of the encrypted files let me know and I will message them over to you along with whatever Kaspersky finds and the copies of the logs from malwarebytes.

Edited by Coachwn, 17 March 2016 - 09:27 PM.


#3 Coachwn

  • Members
  • 4 posts

Posted 18 March 2016 - 08:01 AM

All the files are listed with ".better_call_saul" at the end. I have not tried to change the file to a .crypto as that is what the name showed up as in malwarebytes.

#4 cybercynic

  • Members
  • 553 posts
  • Gender:Male
  • Location:Edge Of Tomorrow

Posted 18 March 2016 - 10:45 AM

All the files are listed with ".better_call_saul" at the end. I have not tried to change the file to a .crypto as that is what the name showed up as in malwarebytes.

Look at posts 627-630 of this topic:

 

http://www.bleepingcomputer.com/forums/t/577246/locker-ransomware-support-topic/page-42




#5 Demonslay335

    Ransomware Hunter

  • Security Colleague
  • 3,251 posts
  • Gender:Male
  • Location:USA

Posted 18 March 2016 - 12:00 PM

This is a re-emergence of a ransomware called Shade according to @malwrhunterteam, actually not related to chicken-logo one like I had thought.



#6 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 49,953 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 18 March 2016 - 05:28 PM

I found Sulley93's topic in another forum and merged it with this one.

Samples of any encrypted files, ransom notes or suspicious executables (installer, malicious files, attachments) that you suspect were involved in causing the infection can be submitted here (http://www.bleepingcomputer.com/submit-malware.php?channel=3) and here (http://www.bleepingcomputer.com/submit-malware.php?channel=170) with a link to this topic. Doing that will be helpful with analyzing and investigating by our crypto experts.

#7 mike 1

  • Members
  • 195 posts
  • Gender:Male
  • Location:Russia, Moscow

Posted 18 March 2016 - 05:54 PM

https://securelist.com/analysis/publications/72087/the-shade-encryptor-a-double-threat/




#8 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 49,953 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 18 March 2016 - 06:14 PM

I previously read that article...it appears to be a different (older) variant, “Troldesh”, aka Encoder.858 or Shade, that adds the computer's ID with the “.xtbl” and “.ytbl” extensions.

#9 al1963

  • Members
  • 839 posts

Posted 19 March 2016 - 05:31 AM

In yesterday's attack, better_call_saul used a WSF script.

https://www.virustotal.com/ru/file/75782f96bb573b2d2da56e55d0534e8af15b22ce7a1c770486e28564a68331ce/analysis/

The script's contents, with the text comments stripped out, include a fragment like this block:

  <Job>
  <Script language="JScript.Encode">
  ......................
  ......................
  </Script>
  </Job>

 

After running the script, an arbitrarily named *.pif file appeared in %TEMP%; it did most of the encryption work and created a copy of the encoder, scrss.exe, in the system startup.

https://www.virustotal.com/ru/file/269d6e7279412d47c6f911d08fdb9e52eb15088458c7c0902732758caf42db8d/analysis/

ESET-NOD32 Win32/Filecoder.ED

 

 

A few days ago, better_call_saul used an Office document (*.doc) for infection.

https://www.virustotal.com/ru/file/d0cdf6f62923b3a3531f6c6031deda390ff14c027256c9a07b11f3a00ca69fac/analysis/


Edited by al1963, 19 March 2016 - 05:35 AM.
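The chain described in the post above (a WSF run by the script host, a *.pif dropped in %TEMP% doing the encryption, and scrss.exe copied into the Startup folder), as an added example that is not part of the original post: Python detection logic run over process-creation and file-creation records in the shape a Sysmon-style collector gives you. The event records, the user and parent paths and the name a7f3c1.pif are constructed for the example; scrss.exe and the %TEMP% and Startup locations are taken from the post. It does not parse real Sysmon XML; map your own collector's fields onto Event.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
STARTUP_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)
# Executable extensions worth flagging; .pif is what the post saw in %TEMP%.
DROPPED_EXTS = (".pif", ".exe", ".scr", ".com")


@dataclass
class Event:
    """Minimal stand-in for a Sysmon event (constructed for this example)."""
    kind: str                 # "process_create" or "file_create"
    image: str                # image launched, or file written
    parent_image: str = ""    # parent process for process_create events
    command_line: str = ""


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def flag_events(events: List[Event]) -> List[Tuple[str, str]]:
    """Return (rule, evidence) pairs for each event matching one of three rules:
    a script host launching a .wsf, a script host spawning an executable out of
    %TEMP%, and an executable written into the per-user Startup folder."""
    findings = []
    for e in events:
        if e.kind == "process_create":
            if basename(e.image) in SCRIPT_HOSTS and ".wsf" in e.command_line.lower():
                findings.append(("wsf_run_by_script_host", e.command_line))
            if (basename(e.parent_image) in SCRIPT_HOSTS
                    and TEMP_RE.search(e.image)
                    and e.image.lower().endswith(DROPPED_EXTS)):
                findings.append(("script_host_ran_dropped_binary", e.image))
        elif e.kind == "file_create":
            if STARTUP_RE.search(e.image) and e.image.lower().endswith(DROPPED_EXTS):
                findings.append(("startup_folder_persistence", e.image))
    return findings


# Constructed sample: the sequence the post describes, plus one benign event.
SAMPLE_EVENTS = [
    Event("process_create", r"C:\Windows\System32\wscript.exe",
          parent_image=r"C:\Windows\explorer.exe",
          command_line=r'"C:\Windows\System32\wscript.exe" "C:\Users\victim\Downloads\invoice.wsf"'),
    Event("process_create", r"C:\Users\victim\AppData\Local\Temp\a7f3c1.pif",
          parent_image=r"C:\Windows\System32\wscript.exe"),
    Event("file_create",
          r"C:\Users\victim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\scrss.exe"),
    Event("process_create", r"C:\Windows\System32\notepad.exe",
          parent_image=r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for rule, evidence in flag_events(SAMPLE_EVENTS):
        print(rule, "->", evidence)
```

The three rules fire in the order the post describes them and the benign notepad launch produces nothing. On a real host you would also want the Startup rule to cover the all-users folder under ProgramData and the Run keys, which the post does not mention and this example leaves out.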


#10 zorand

  • Members
  • 3 posts

Posted 19 March 2016 - 05:50 AM

Hello everyone,

 

I had the same situation yesterday with the better_call_saul encryption software. Now all my personal photos are encrypted.

I have uploaded one encrypted file for investigation: http://www.bleepingcomputer.com/submit-malware.php?channel=3

This is the first time I have encountered something like this. Is the previous post suggesting that a decoder is now available from ESET-NOD32?

 

Thank you.


Edited by zorand, 19 March 2016 - 05:54 AM.


#11 al1963

  • Members
  • 839 posts

Posted 19 March 2016 - 06:43 AM

@zorand,

Filecoder.ED is just ESET's classification name for the encoder.

ESET has no decoder.



#12 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 49,953 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 19 March 2016 - 07:23 AM

Yes, Win32/Filecoder is a crypto malware infection detected by ESET. According to their research lab, there are several different variants for which they add a modifier or additional information after the name that further describes what type of ransomware it is. Most of the Filecoder (Encoder) threat detections are more commonly identified as CryptoLocker, Cryptowall, and CTB locker but they are not actually all the same as those infections.

#13 zorand

  • Members
  • 3 posts

Posted 19 March 2016 - 07:40 AM

 

(quoting Coachwn's post #2 above in full)

Hello Coachwn,

any success so far? The same happened to me, and meanwhile, while trying to search for anything or anybody who can help, I have sent an email to those criminals and now I am waiting for a response.

Thanks to everyone who's researching this issue.



#14 zorand

  • Members
  • 3 posts

Posted 23 March 2016 - 02:10 AM

I was able to partially recover my lost files from old drives, etc., but in the end I paid the ransom and got my files decoded/restored.

If it helps, I could upload somewhere the decoder program that I received from the criminals, but it is also detected as malware by anti-malware software.



#15 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 49,953 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 23 March 2016 - 05:29 AM

We understand some folks may feel they have no other alternative but to take a chance and pay the ransom in hopes of recovering irreplaceable photos and other personal or important data. That is a choice and a decision each affected victim has to make for themselves. We do not make any judgments for doing so and are glad to hear you were able to recover your files.