
.sshxkej Ransomware - encryped_list.txt


16 replies to this topic

#1 bgen5pax (Members, 8 posts)

Posted 20 March 2016 - 08:02 AM

Hello guys,
 
I'm researching a recent infection on behalf of a friend who managed to get infected by an unknown (so far) ransomware and doesn't know how he got it. The symptoms are the following:

1. Desktop wallpaper changed
2. Encrypted files ending with .sshxkej (couldn't find anything on Google), usually .docx, .xlsx, .jpg, .svg, thumbs.db, but some of them are spared (i.e. not encrypted).
3. Each folder contains a file named encryped_list.txt (sample provided)
4. Encryption key located in user documents folder

All the above are posted on a shared folder here
Malwarebytes Anti-Malware (trial) did not spot anything wrong (full scan).
Microsoft Security Essentials did not spot anything either (full scan).
OS is Win7 x64 Ultimate.

I'd be grateful if somebody helped me out with this mess.
 
Thank you in advance,
 
Chris


#2 kaljukass (Banned, 291 posts)

Posted 20 March 2016 - 09:03 AM

What files and folders are encrypted?
Send a specific location.
For example:
C:\Users\{username}\Documents - all folders and all files, or only some of them are encrypted ...

And one more thing: did your friend open, before it happened, some strange files, PDF documents, bills, or something else, maybe some strange blank email? Or was he redirected somewhere?


Edited by kaljukass, 20 March 2016 - 09:04 AM.


#3 xXToffeeXx, Bleepin' Polar Bear (Malware Response Instructor, 6,086 posts, Location: The Arctic Circle)

Posted 20 March 2016 - 09:37 AM

Hi bgen5pax,
 
Does the computer which was hit happen to be a server/used as a server?
 
xXToffeeXx~


Edited by xXToffeeXx, 20 March 2016 - 09:37 AM.

~If I am helping you and you have not had a reply from me in two days, please send me a PM~

ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic] - If we have helped you out and you want to support what we do, you can do so here

~Twitter~ | ~Malware Analyst at Emsisoft~


#4 bgen5pax, Topic Starter (Members, 8 posts)

Posted 20 March 2016 - 09:50 AM

Thank you guys for the prompt response.

 

C:\Users\{username}\Documents, C:\Users\{username}\Desktop GoogleDrive are some examples of infected folders, but as I already noted, not ALL files of a particular kind are encrypted therein. You can still find .jpg or .docx unaffected inside these folders. I'm not aware of the way he became infected and neither is he.

No, the PC is not used as a server, but it does map a remote shared drive from a file server, which was promptly shut down to prevent spread of the infection (don't know if it has hit it already).



#5 xXToffeeXx, Bleepin' Polar Bear (Malware Response Instructor, 6,086 posts, Location: The Arctic Circle)

Posted 20 March 2016 - 09:56 AM

Hi bgen5pax,
 
We'll need the malware file in that case. I would see if there were any attachments from emails (especially js/doc files), and check %temp% and %appdata% for any suspicious exes. If you find anything, please upload it here and we can check it out.
 
xXToffeeXx~




#6 bgen5pax, Topic Starter (Members, 8 posts)

Posted 20 March 2016 - 11:55 AM

Searched for files modified both today and yesterday and found nothing suspicious. Thunderbird is the default mail client and, although profile folders are touched, no weird emails are in sight. IE caches had plenty of cookies set, but I couldn't spot anything unusual. %temp% and %appdata% had no .exe, .scr or .com files within this timeframe, before or after 10:35, when it seems the encryption took place.

msconfig doesn't show any suspicious startup items or services, nor do the Run and RunOnce registry keys under both the Windows\CurrentVersion and Wow6432Node subkeys.



#7 kaljukass (Banned, 291 posts)

Posted 20 March 2016 - 02:54 PM

Then it is clear that it is not a virus and not even ransomware. Somebody has made some samples of how the thing works.
Make a backup of the clean files somewhere else, not on the computer. And, just in case, do a new clean installation (wipe everything, format and reinstall).
Then you can use the files, once things have been checked.
Probably there is nothing dangerous in the computer, but just in case I recommend cleaning.
 
NB! It's worth thinking about how this situation arose, because it can happen again.

Edited by kaljukass, 20 March 2016 - 02:56 PM.


#8 bgen5pax, Topic Starter (Members, 8 posts)

Posted 20 March 2016 - 03:56 PM

Thanks kaljukass,

 

There must be something nasty lurking though, or else these files wouldn't be encrypted in the first place. Thankfully, a recent backup exists, so my friend will be formatting soon.

I'll keep my eyes open as to how it came about and I'll recommend a good anti-malware solution to him.

 

Thank you all for the support.



#9 Demonslay335, Ransomware Hunter (Security Colleague, 3,556 posts, Location: USA)

Posted 20 March 2016 - 08:29 PM

You can run HitmanPro and post the log for checking if it picks up on anything. If it does, it will allow us to point you to what to upload for analysis.

Also, since you mention having backups, a before and after may be helpful to check for patterns in the encryption. PNG, JPG, and TXT are best.

Edited by Demonslay335, 20 March 2016 - 08:32 PM.

ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.


#10 bgen5pax, Topic Starter (Members, 8 posts)

Posted 21 March 2016 - 02:52 PM

HitmanPro didn't spot anything either. My friend told me that at 10:30am, Sunday 20/3, while he was on an RDP session with his office PC (where it all took place) from his home, he suddenly lost contact, as if someone else had taken up his session. He immediately phoned his office in case a colleague had physically assumed control over it, but nobody answered. When he resumed his session a few minutes later he was confronted with the screen I posted and the damage was already done. Searching the TerminalServices-LocalSessionManager event log, he found that somebody had used his credentials and gained access through RDP. The IP was registered in the Netherlands.

Thankfully, the file server which had its shares mapped on the infected PC is unharmed. He promptly changed his passwords everywhere and scanned his home PC for malware, but found nothing disturbing (except for 1 PUP). I told him to sample some encrypted .jpg, .xml, .docx and pair them with their unaffected counterparts after he completes the restore-from-backup process.

I will upload them as soon as I have them.

 

Thanks again for your time and effort.



#11 Demonslay335, Ransomware Hunter (Security Colleague, 3,556 posts, Location: USA)

Posted 21 March 2016 - 02:58 PM

Ah, so another case of RDP hacking. That will need to be addressed: get RDP off the standard port 3389, strengthen all password conventions, and whitelist RDP traffic if at all possible. Better yet, axe the RDP port forwarding and set up a VPN, with local-only RDP access.

Having the before/after sample will be helpful. Sometimes there are slip-ups with these manually-run ransomwares in how they run. If it encrypted everything in a matter of a few minutes, then hopefully it wasn't really strong encryption (or even encryption at all; I've seen a few fake ones lately).

 

The ransom note looks very similar to CTB-Locker's style, but I've not heard of that going through manual hacks (yet).


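The hardening steps suggested in the post above, written out as an added example for the exposed PC itself (this is not code from the thread or from any of the tools mentioned). It assumes an elevated PowerShell session; $AllowedSources is a placeholder for your own LAN and VPN client ranges, and the router-side port forward and the VPN are still handled outside this script.

```powershell
# Added example, not from the thread: apply the RDP hardening suggested above on the
# exposed PC. Run elevated. $AllowedSources is a placeholder; replace it with your own
# LAN and VPN client ranges. Removing the router's port forward still has to be done
# on the router, and the VPN itself is set up separately.
$AllowedSources = '192.168.1.0/24,10.8.0.0/24'    # placeholder: LAN + VPN client range
$RdpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

# 1. Require Network Level Authentication and TLS: the client must authenticate before
#    any session or logon screen is created, which also stops anonymous probing of 3389.
Set-ItemProperty -Path $RdpKey -Name UserAuthentication -Value 1 -Type DWord
Set-ItemProperty -Path $RdpKey -Name SecurityLayer     -Value 2 -Type DWord

# 2. Scope the built-in inbound "Remote Desktop" firewall rules to the allow-list only.
#    (If you also move RDP off 3389 via the PortNumber value under $RdpKey, these rules
#    keep matching 3389 and must be recreated for the new port.)
netsh advfirewall firewall set rule group="remote desktop" new enable=yes
netsh advfirewall firewall set rule group="remote desktop" new remoteip=$AllowedSources

# 3. Lock accounts after repeated bad passwords, which blunts the password guessing that
#    usually precedes this kind of takeover. Values: attempts, minutes, minutes.
net accounts /lockoutthreshold:5 /lockoutduration:30 /lockoutwindow:30

# 4. Show the result so the change can be verified before the session is closed.
Get-ItemProperty -Path $RdpKey | Select-Object UserAuthentication, SecurityLayer, PortNumber
netsh advfirewall firewall show rule name=all dir=in | Select-String -Context 0,12 'Remote Desktop'
```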


#12 Demonslay335, Ransomware Hunter (Security Colleague, 3,556 posts, Location: USA)

Posted 21 March 2016 - 03:08 PM

The hackers had to have either downloaded a file through a browser, or copy/pasted a small program through the clipboard to the system (most likely). You could try using Recuva to recover any newly created files on the server, looking for anything suspicious and created around the reported time. Also audit all browser sessions for that time. I don't know of many other ways to audit activity of that RDP session.




#13 bgen5pax, Topic Starter (Members, 8 posts)

Posted 21 March 2016 - 03:09 PM

Thank you Demonslay for your quick response. As I said earlier, not all files of a particular kind were encrypted, even if they were located in the same folder, i.e. some .docx or .jpg were "spared", some others not. Seems like the attacker was a bit hasty.

I'll help my friend tighten the RDP security as per your instructions when the restore is done and get back to you with the files for cryptanalysis.



#14 DanielGallagher (Members, 9 posts)

Posted 21 March 2016 - 03:56 PM

 

Is it possible to get the IP address that possibly took over the session? 
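One way to answer this question, and to get the timeline bgen5pax found in post #10, from the same log, as an added example that is not from the thread: it lists every remote RDP session event with the client address the log records. It assumes an elevated PowerShell 3+ session on the affected PC, or -Path pointing at an exported copy of the log.

```powershell
# Added example, not from the thread: pull the RDP session events that the
# TerminalServices-LocalSessionManager log records, with the client address each one
# carries, so a takeover like the one described can be timed and attributed.
# Assumes an elevated PowerShell 3+ session on the affected PC, or -Path pointing at
# an exported copy of that log (.evtx). Event IDs used:
#   21 = session logon succeeded, 24 = session disconnected,
#   25 = session reconnection succeeded (a hijacked session shows a 25 from a new address).
# The Security log's 4624 events with logon type 10 carry the same IP for corroboration.
param(
    [string]$Path,                                   # optional exported .evtx
    [datetime]$Since = (Get-Date).AddDays(-7)        # how far back to look
)

$filter = @{
    LogName   = 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'
    Id        = 21, 24, 25
    StartTime = $Since
}
if ($Path) {                 # an exported log is opened by path instead of by name
    $filter.Remove('LogName')
    $filter['Path'] = $Path
}
$names = @{ 21 = 'logon'; 24 = 'disconnect'; 25 = 'reconnect' }

Get-WinEvent -FilterHashtable $filter -ErrorAction Stop | ForEach-Object {
    # These events keep their fields in UserData/EventXML rather than in EventData.
    $d = ([xml]$_.ToXml()).Event.UserData.EventXML
    [pscustomobject]@{
        Time      = $_.TimeCreated
        Action    = $names[[int]$_.Id]
        User      = $d.User
        SessionId = $d.SessionID
        Address   = $d.Address   # 'LOCAL' for the console, otherwise the client IP
    }
} |
    Where-Object { $_.Address -and $_.Address -ne 'LOCAL' } |   # remote sessions only
    Sort-Object Time |
    Format-Table -AutoSize
```

A reconnect (25) from an address that never appeared in earlier logons, at the minute the owner lost his session, is the line to look for.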



#15 Demonslay335, Ransomware Hunter (Security Colleague, 3,556 posts, Location: USA)

Posted 21 March 2016 - 06:52 PM

I did notice the string "CRYPTOCONTAINER" at the end of the supposedly encrypted file. I'm wondering if this (and possibly the characters afterwards) is present in other .sshxkej files.

 

[Attached screenshot: 2016-03-21_1856.png]


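To check the question raised above across every encrypted file rather than one sample, here is an added example (not from the thread): it reads the tail of each .sshxkej file under a folder and reports whether the marker is present and what follows it. $Root, $Marker and $Tail are placeholders; the marker string is the one seen in the sample.

```powershell
# Added example, not from the thread: read the tail of every .sshxkej file under a
# folder and report whether it carries the same marker and how many bytes follow it,
# so the observation above can be checked across all encrypted files at once.
# $Root, $Marker and $Tail are placeholders; the marker is the string seen in the sample.
param(
    [string]$Root   = 'C:\Users\{username}\Documents',
    [string]$Marker = 'CRYPTOCONTAINER',
    [int]$Tail      = 256                     # bytes read from the end of each file
)
$pat = [System.Text.Encoding]::ASCII.GetBytes($Marker)

function Find-LastMatch([byte[]]$buf, [byte[]]$pat) {
    # Offset of the last occurrence of $pat in $buf, or -1 (tails are small, so a
    # plain scan is fine).
    for ($i = $buf.Length - $pat.Length; $i -ge 0; $i--) {
        $hit = $true
        for ($j = 0; $j -lt $pat.Length; $j++) {
            if ($buf[$i + $j] -ne $pat[$j]) { $hit = $false; break }
        }
        if ($hit) { return $i }
    }
    return -1
}

Get-ChildItem -Path $Root -Recurse -File -Filter '*.sshxkej' | ForEach-Object {
    $fs = [System.IO.File]::OpenRead($_.FullName)
    try {
        $n   = [int][Math]::Min($Tail, $fs.Length)
        $buf = New-Object byte[] $n
        $fs.Seek(-$n, [System.IO.SeekOrigin]::End) | Out-Null
        $fs.Read($buf, 0, $n) | Out-Null
    } finally { $fs.Dispose() }

    $pos   = Find-LastMatch $buf $pat
    $after = if ($pos -ge 0) { $n - $pos - $pat.Length } else { -1 }
    $hex   = ''                                # what follows the marker, for comparison
    if ($after -gt 0) {
        $hex = ($buf[($pos + $pat.Length)..($n - 1)] | ForEach-Object { $_.ToString('x2') }) -join ''
    }
    [pscustomobject]@{
        File       = $_.FullName
        Size       = $_.Length
        HasMarker  = ($pos -ge 0)
        BytesAfter = $after
        TrailerHex = $hex
    }
} | Format-Table -AutoSize
```

If the trailer after the marker is identical across files, it is most likely a fixed footer; if it differs per file, it may hold per-file data worth sending with the before/after samples.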
