
ID Ransomware - Identify What Ransomware Encrypted Your Files


342 replies to this topic

#271 slippingjimmy
  • Members
  • 2 posts

Posted 01 June 2017 - 08:39 AM

Hi

I have a customer who was hit by Ransomware recently.

It changed the files to a .exe extension.

For example:  file before is slippingjimmy.doc

file after is slippingjimmy.doc(!! to get password email id xxxxxxx to gmail address!!).exe

 

Anybody come across this before please.

I can provide more details if required




#272 Demonslay335
    Ransomware Hunter
  • Topic Starter
  • Security Colleague
  • 3,209 posts
  • Gender:Male
  • Location:USA

Posted 01 June 2017 - 08:47 AM

slippingjimmy said:
> Hi
> I have a customer who was hit by Ransomware recently.
> It changed the files to a .exe extension.
> For example: file before is slippingjimmy.doc
> file after is slippingjimmy.doc(!! to get password email id xxxxxxx to gmail address!!).exe
> Anybody come across this before please.
> I can provide more details if required

Did you upload the file to ID Ransomware? It would have pointed you to the correct topic, as it is ACCDFISA v2.0. Not decryptable.

 

http://www.bleepingcomputer.com/forums/t/618996/accdfisa-v20-ransomware-support-topic-filename-to-get-password-email-id-id-to-email-exerar/


ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.


#273 slippingjimmy
  • Members
  • 2 posts

Posted 01 June 2017 - 08:53 AM

Thank you Demonslay335 for the quick response.  



#274 matthias_philipp
  • Members
  • 1 posts
  • Gender:Male
  • Location:Germany

Posted 08 June 2017 - 04:28 AM

Hello,

ID Ransomware is not able to identify my encrypted files

"Please reference this case SHA1: 8709033acde90da8b63e814c48b329033a79bea6"

 

The attack took place on my Linux web server and only the tables of the MySQL database were encrypted.

In the Dropbox folder are an encrypted file and its original, as well as the blackmail text.

 

https://www.dropbox.com/sh/mzlo5adv8kl298t/AAAnaizsB8rWiTvG3asvvrf1a?dl=0

 

I hope someone can help me,

Matthias

 

 



#275 Ponya777
  • Members
  • 2 posts

Posted 17 June 2017 - 02:35 PM

Help decipher the database is not free

https://fex.net/950318436960



#276 geozava
  • Members
  • 1 posts

Posted 18 June 2017 - 05:23 AM

Hello to everybody. Is there any information about the .jeteisf ransomware extension? This is not a very new ransomware, as it has been several months since I was infected. The name of the file has not been changed, only the extension. Please, any help would be appreciated. Thanks in advance


Edited by geozava, 18 June 2017 - 05:25 AM.


#277 stebonachi
  • Members
  • 1 posts

Posted 18 June 2017 - 08:23 AM

Hi there

 

Been hit with a ransomware virus/trojan and have tried everything to identify it. Have just been to the ID Ransomware site and it cannot identify it. Gave me the following reference: SHA1: 64b72ce48c560647d758632852cf360e80335d63

 

Changes all files to the following format (eg history.zip file): history.zip.ID-AU42F540838A2E9217[salocrypt@bigmir.net].encrypted 

Can provide link if required to infected/clean file versions.

 

The following is the ransom note ("How_To_Restore_Files.txt" on desktop):

 

Good day! You are trapped!
 
All your files (photos, databases, backups, etc) has been encrypted with AES256 and RSA1024 algorithms.
Your data is safe, but are unavailable at the moment. We and only we can help you to decrypt files, please contact us as soon as possible.
 
Write us to:
Primary email: salocrypt@bigmir.net
Reserve email: salocrypt@mail.bg
 
And send us your pesonal ID: AU42F540838A2E9217
 
Keep in mind:
- We are not scammers so we dont need your files.
- You can use data recovery companies who buying the keys from us, so you will overpay. We dont recommend to do it. 
 
We are sorry for inconvenience.
 
Can anyone help to identify? I have looked far and wide for assistance, and tried most decrypting tools available. 
 
Thanks in advance, apologies if I am posting in the wrong place.


#278 Demonslay335
    Ransomware Hunter
  • Topic Starter
  • Security Colleague
  • 3,209 posts
  • Gender:Male
  • Location:USA

Posted 18 June 2017 - 11:43 AM

@geozava

 

Do you have a ransom note? I'm not familiar with that extension, and there is only one submission with it to ID Ransomware; I'm assuming it is just a random 7-character extension such as CTB-Locker.

 

@stebonachi

 

I'm not sure what ransomware that is, could be related to the Cry family just based on the filename pattern, but ID Ransomware would have picked up on a filemarker for a known variant. I don't see a filemarker similar to it either, so could be something new. We might need a sample of the malware to analyze any further.




#279 Ponya777
  • Members
  • 2 posts

Posted 19 June 2017 - 02:03 PM

Hello everybody. Is there any information about the extension .wallets? I am adding the note with the ransom demand. Please, any help will be appreciated. Thank you in advance

 

File name: Recover files .wallets

 

Yotabyte
====================================================================================================
 
YOUR FILES ARE ENCRYPTED!
 
Your personal identifier
0236175288070114448098024366574551205534290086430907408754618887712618041644900364570319054003387674
7133002947392016049117568109421809760194383022655043139477348876815098335007651695710700836836599881
7082467791123760352244794838765366409143535605955271092700610079773256785834567131823589074393219341
0259882041579418102449139318163504765018971962092917461750118075269859073101508340077216269730143545
8635578121533653212006925999453801813908448868663185209674894580193104189224687110507810598085534025
1004886237210647439135705818450510521669862339012254052439617051486835764183437961498282332238011005
710924456570586175
 
Your documents, photos, databases, save games and other important data were encrypted.
Data recovery requires a decryptor.
To get the decryptor. You need to write to yotabyte@protonmail.com for find out the cost of decrypting files
 
If you do not have bitcoins
 * Create a wallet Bitcoin: https://blockchain.info/en/wallet/#/signup
 * Get Crypto Currency Bitcoin:
   https://localbitcoins.com/buy_bitcoins (Visa/MasterCard, Paypal Visa Wallet and other.)
 
After payment, send an email to yotabyte@protonmail.com .
In the letter, enter your personal identifier.
 
In the reply letter you will receive a program for decryption.
After starting the decryption program, all your files will be restored.
 
Attention!
  * Do not attempt to uninstall the program or run antivirus software
  * Attempts to decrypt files by themselves will result in the loss of your data
  * Decoders of other users are incompatible with your data, as each user
Unique encryption key
 
====================================================================================================


#280 cybercynic
  • Members
  • 553 posts
  • Gender:Male
  • Location:Edge Of Tomorrow

Posted 19 June 2017 - 02:51 PM

If you had posted an encrypted file and the ransom note to ID-Ransomware, you would have gotten this response:

 

 

2 Results

 

Cry36
This ransomware has no known way of decrypting data at this time.

It is recommended to backup your encrypted files, and hope for a solution in the future.

Identified by

  • ransomnote_email: yotabyte@protonmail.com

 

 

Not enough information is public about Cry36. Please check back later.

 

Amnesia2
This ransomware is decryptable!

Identified by

  • custom_rule: Encrypted size marker [0x00 - 0x08] 0x0430090000000000

 

Click here for more information about Amnesia2

 

Demonslay will be along at some point to help clarify which of the 2 ransomwares you actually have.

 

 

Edit: The Emsisoft Amnesia2 decryptor doesn't decrypt your files.


Edited by cybercynic, 19 June 2017 - 03:28 PM.

We are drowning in information - and starving for wisdom.


#281 Demonslay335
    Ransomware Hunter
  • Topic Starter
  • Security Colleague
  • 3,209 posts
  • Gender:Male
  • Location:USA

Posted 19 June 2017 - 05:13 PM

Of those two results, the filemarker would be the more reliable (it actually checks 4 file markers in that rule). It is most likely Amnesia2. I'm not at a place I can manually check the files though, that link was a rather large download.




#282 cybercynic
  • Members
  • 553 posts
  • Gender:Male
  • Location:Edge Of Tomorrow

Posted 19 June 2017 - 05:51 PM

Here is a link to a smaller file:

https://www.sendspace.com/file/l0drji




#283 KunalSingh
  • Members
  • 1 posts
  • Gender:Male

Posted 21 June 2017 - 05:32 AM

Thanks for the info



#284 kolonita
  • Members
  • 13 posts

Posted 21 June 2017 - 02:59 PM

I really need help and I can't post in the forums.

I tried this website but nothing showed; it said Unknown ransomware.

How do I contact someone who can really help? All my files have gone.



#285 quietman7
    Bleepin' Janitor
  • Global Moderator
  • 49,725 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 21 June 2017 - 03:08 PM

If ID Ransomware cannot identify the infection, you can post the case SHA1 it gives you in your next reply for Demonslay335 to manually inspect the files.
Microsoft MVP Consumer Security 2007-2015
Microsoft MVP Reconnect 2016
Windows Insider MVP 2017
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click here.



