encrypted .rokku files and possible decryption?


This topic is locked
10 replies to this topic

#1 pronecros

  • Members
  • 5 posts

Posted 19 March 2016 - 01:54 PM

I've managed to get myself infected with a ransomware that looks like it is encrypting files and renaming them with a .rokku extension.

 

.rokku seems to return no google search results so I'm not really sure what type of ransomware it is.

 

Is there anyone who could help me obtain the decryption key so that I could use it to decrypt the files?

 

I'm linking to an example encrypted file (alongside its original version) + their original infected zip and their decryption program: https://www.dropbox.com/sh/lmjzgq85dx2cy38/AAAoWAKlq-CnJIY_PVCJX6Usa?dl=0

 

This is the .txt file the ransomware adds to every directory in which it changes file extensions.

 

YOUR FILE HAS BEEN LOCKED
In order to unlock your files, follow the instructions bellow:
    1. Download and install Tor Browser
    2. After a successful installation, run Tor Browser and wait for its initialization.
    3. Type in the address bar: http://zvnvp2rhe3ljwf2m.onion
    4. Follow the instructions on the site.

 

If you have any thoughts / ideas, or ways to find out the private encryption key I'd really appreciate it.

 

Thank you.
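A first-pass triage of the kind of file pair the original poster has (an original file beside its encrypted copy), added here as an example that is not part of the thread and not based on any analysis of Rokku. It reports the size delta (an appended blob is commonly a per-file key wrapped with the attacker's public key), the entropy of both copies, whether any leading header bytes survive, and whether the ciphertext is merely a short repeating XOR of the original, which is the one case a local script can undo on its own. The sample pair is constructed inside the code: a SHA-256 counter-mode keystream stands in for a real cipher and a 64-byte blob stands in for a 512-bit RSA-wrapped key; a second, deliberately weak pair shows the XOR recovery path. None of these bytes reflect Rokku's actual format.

```python
"""Triage a ransomware file pair: an original file and its encrypted copy.

Added example (not from the thread). The sample pairs below are constructed:
the 'strong' copy is the original XORed with a SHA-256-derived keystream plus
a 64-byte appended blob standing in for a 512-bit RSA-wrapped file key; the
'weak' copy is a 3-byte repeating XOR. Neither is Rokku's real format.
"""
import hashlib
import math
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for ciphertext or compressed data, well below for text."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def common_prefix_len(a: bytes, b: bytes) -> int:
    """Number of leading bytes that match; a surviving header hints at partial encryption."""
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return n


def repeating_xor_key(original: bytes, encrypted: bytes, max_len: int = 64):
    """If encrypted == original XOR (short repeating key), return that key, else None.

    original XOR encrypted yields the keystream; a real cipher's keystream has no
    period this short, so a hit means the files can be recovered locally.
    """
    n = min(len(original), len(encrypted))
    stream = bytes(o ^ e for o, e in zip(original[:n], encrypted[:n]))
    for period in range(1, max_len + 1):
        key = stream[:period]
        if all(stream[i] == key[i % period] for i in range(n)):
            return key
    return None


def triage(original: bytes, encrypted: bytes) -> dict:
    """Summarise what the encrypted copy reveals about the encryption scheme."""
    return {
        "size_delta": len(encrypted) - len(original),
        "entropy_original": round(shannon_entropy(original), 2),
        "entropy_encrypted": round(shannon_entropy(encrypted), 2),
        "header_preserved": common_prefix_len(original, encrypted) > 0,
        "repeating_xor_key": repeating_xor_key(original, encrypted),
    }


# --- constructed sample pairs (stand-ins, not real Rokku data) ---
def _keystream(key: bytes, length: int) -> bytes:
    """SHA-256 in counter mode, a stand-in for a real stream cipher."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return out[:length]


SAMPLE_ORIGINAL = (b"Quarterly report 2016 Q1\n" + b"revenue,cost,margin\n") * 40
_file_key = hashlib.sha256(b"constructed-per-file-key").digest()
_wrapped_key = hashlib.sha512(b"constructed-rsa-512-blob").digest()  # 64 bytes = 512 bits
SAMPLE_ENCRYPTED = (
    bytes(o ^ k for o, k in zip(SAMPLE_ORIGINAL, _keystream(_file_key, len(SAMPLE_ORIGINAL))))
    + _wrapped_key
)
# Deliberately weak variant: a 3-byte repeating XOR, recoverable from one known pair.
SAMPLE_WEAK = bytes(o ^ b"\x5a\x13\xc7"[i % 3] for i, o in enumerate(SAMPLE_ORIGINAL))

if __name__ == "__main__":
    for label, enc in (("strong", SAMPLE_ENCRYPTED), ("weak-xor", SAMPLE_WEAK)):
        print(label, triage(SAMPLE_ORIGINAL, enc))
```

On a real pair, a 64-byte size delta would be consistent with a 512-bit RSA-wrapped key but is not proof of it; the report only tells you where to look next (the appended bytes, the unpacked sample) and whether a trivial XOR recovery is even on the table.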




#2 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 51,758 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 19 March 2016 - 02:48 PM

What is the specific name of the ransom note?

Samples of any encrypted files, ransom notes or suspicious executables (installer, malicious files, attachments) that you suspect were involved in causing the infection can be submitted here (http://www.bleepingcomputer.com/submit-malware.php?channel=3) and here (http://www.bleepingcomputer.com/submit-malware.php?channel=170) with a link to this topic. Doing that will help our crypto experts analyze and investigate.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#3 MalwareBlocker

  • Members
  • 12 posts
  • Gender:Not Telling
  • Location:Everywhere

Posted 19 March 2016 - 02:55 PM

quietman7:

 

Ransom note names:

  • README_HOW_TO_UNLOCK.html
  • README_HOW_TO_UNLOCK.txt

Sample (UPX packed):

https://www.reverse.it/sample/438888ef36bad1079af79daf152db443b4472c5715a7b3da0ba24cc757c53499?environmentId=1

 

(Unpacked sample is currently FUD: https://www.virustotal.com/en/file/1c40b5c96d13580f1dfa38f59f177502349aa1c962ff95559e0ec805155eb983/analysis/1458416841/ )



#4 pronecros

  • Topic Starter
  • Members
  • 5 posts

Posted 19 March 2016 - 02:56 PM

Thank you @quietman7 for pointing out the two links. I'll add the files there and link back to this thread.

 

The names of the two files that have been created in every directory are "README_HOW_TO_UNLOCK.HTML" and "README_HOW_TO_UNLOCK.TXT"; the .txt file has exactly the content described in the first post and the HTML has the same content with some HTML tags for formatting.



#5 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 51,758 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 19 March 2016 - 03:03 PM

I have advised our Security Colleagues who specialize in crypto malware ransomware with a link to this topic.

#6 pronecros

  • Topic Starter
  • Members
  • 5 posts

Posted 19 March 2016 - 03:10 PM

@quietman7 - having access to the dropbox files (first post), and the links to reverse.it and virustotal.com - should I still upload the files to http://www.bleepingcomputer.com/submit-malware.php?channel=3 and http://www.bleepingcomputer.com/submit-malware.php?channel=170 ?



#7 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 51,758 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 19 March 2016 - 03:14 PM

Yes please.

#8 pronecros

  • Topic Starter
  • Members
  • 5 posts

Posted 19 March 2016 - 03:27 PM

Done. Files submitted to both channels.



#9 campuscodi

  • Members
  • 10 posts
  • Gender:Male
  • Location:Romania

Posted 31 March 2016 - 05:53 PM

I don't want to intrude on this topic, but I thought this link might help:

https://blog.avira.com/rokku-ransomware-made-professional/

 

If it's true that Rokku uses RSA-512 for its encryption, then this may also help:

http://arstechnica.com/security/2015/10/breaking-512-bit-rsa-with-amazon-ec2-is-a-cinch-so-why-all-the-weak-keys/


Edited by campuscodi, 31 March 2016 - 05:55 PM.


#10 pronecros

  • Topic Starter
  • Members
  • 5 posts

Posted 01 April 2016 - 12:45 AM

Thanks @campuscodi for making these resources available.

Now if anyone knows the "recipe" for an Amazon cluster that can break the RSA-512 encryption, I'm all ears. :)



#11 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 51,758 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 06 April 2016 - 07:40 AM

There is now a support topic where you can ask questions and seek further assistance. Rather than have everyone start individual topics, it would be best (and more manageable for staff) if you posted any questions, comments or requests for assistance in the support topic discussion. Doing that will also ensure you receive proper assistance from our crypto malware experts, since they may not see this thread. To avoid unnecessary confusion, this topic is closed.

Thanks
The BC Staff



