
ID Ransomware - Identify What Ransomware Encrypted Your Files


#316 Demonslay335
Posted 25 July 2017 - 04:44 PM

The limit is set in place by my host, so I can't really up it. I get unlimited storage, so I can't complain too much. :)
That's really the smallest encrypted file you have? That's rather odd, as most people just upload an encrypted picture or document that's less than 10MB. You can share it via any third-party sharing site such as Google Drive, Dropbox, Mega, or SendSpace, and post it here for manual identification. You may PM it to me if it is potentially confidential data (even though it's encrypted by malware anyways).


ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.


#317 lkjhgfdsa
Posted 25 July 2017 - 05:35 PM

Thank you for your response.
It's all somewhat odd - whatever is going on started with the largest files, which happen to be .mov files. I've been working on a longer post with details but I'm going to PM you imminently because you might have an instant answer!



#318 celoownz
Posted 25 July 2017 - 05:39 PM

Please, I need help.
I was infected by ransomware and I don't know what it is.
The files have the extension .aac

My ID

aac75b430bc7e9c4de0b980fd840d933475dad070ec12284068f5a2625c9f8e06fd



#319 quietman7
Posted 25 July 2017 - 05:49 PM

....I was infected by ransomware and I don't know what it is.
The files have the extension .aac

My ID
aac75b430bc7e9c4de0b980fd840d933475dad070ec12284068f5a2625c9f8e06fd

That extension was previously reported in this topic.

I'm not sure if Demonslay335 was ever able to find a sample of the malware file itself. If you can find the malicious executable that you suspect was involved in causing the infection, it can be submitted here.
Microsoft MVP Consumer Security 2007-2015
Microsoft MVP Reconnect 2016
Windows Insider MVP 2017
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click here.

#320 celoownz
Posted 25 July 2017 - 05:53 PM

....I was infected by ransomware and I don't know what it is.
The files have the extension .aac

My ID
aac75b430bc7e9c4de0b980fd840d933475dad070ec12284068f5a2625c9f8e06fd

That extension was previously reported in this topic.

I'm not sure if Demonslay335 was ever able to find a sample of the malware file itself. If you can find the malicious executable that you suspect was involved in causing the infection, it can be submitted here.


I used Malwarebytes and I have the log:

Chave de registro: 2
PUP.Optional.InstallCore, HKU\S-1-5-21-2570794179-3168083979-416921674-500\SOFTWARE\InstallCore, Quarentena, [3], [239563],1.0.2425
PUP.Optional.Lyrics, HKLM\SOFTWARE\WOW6432NODE\GOOGLE\CHROME\EXTENSIONS\epojlgbehpaeekopencdagbdamnkppci, Quarentena, [7413], [240022],1.0.2425

Valor de registro: 4
Ransom.FileCryptor, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE|Google Update, Quarentena, [23], [401398],1.0.2425
Ransom.FileCryptor, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|Google Update, Quarentena, [23], [401398],1.0.2425
Ransom.FileCryptor, HKU\S-1-5-21-2570794179-3168083979-416921674-1357\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE|Google Update, Quarentena, [23], [401398],1.0.2425
Ransom.FileCryptor, HKU\S-1-5-21-2570794179-3168083979-416921674-1357\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|Google Update, Quarentena, [23], [401398],1.0.2425

Dados de registro: 0
(Nenhum item malicioso detectado)

Fluxo de dados: 0
(Nenhum item malicioso detectado)

Pasta: 0
(Nenhum item malicioso detectado)

Arquivo: 3
Ransom.FileCryptor, C:\TMP\SVCHOST.EXE, Quarentena, [23], [401398],1.0.2425
PUP.Optional.RAAmmyy, C:\USERS\ADMINISTRATOR\DOWNLOADS\AA_V3.EXE, Quarentena, [350], [153896],1.0.2425
PUP.Optional.InstallCore, C:\USERS\ADMINISTRATOR\DOWNLOADS\COBIAN-BACKUP-1120582-32-BITS.EXE, Quarentena, [3], [301082],1.0.2425

Please help me.


Edited by celoownz, 25 July 2017 - 05:57 PM.


#321 quietman7
Posted 25 July 2017 - 05:55 PM

Hi, I tried submitting an example file to ID Ransomware but it was rejected as too large (160MB). Unfortunately it is the smallest example I have. What is the cap and assuming there is one and that it's lower than 160MB, could it ever be lifted?
Thanks!

I merged your topic into the existing topic for ID Ransomware so others can benefit from the answer to your question.

#322 quietman7
Posted 25 July 2017 - 05:57 PM

I used Malwarebytes and I have the log:

Valor de registro: 4
Ransom.FileCryptor, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE|Google Update, Quarentena, [23], [401398],1.0.2425
Ransom.FileCryptor, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|Google Update, Quarentena, [23], [401398],1.0.2425
Ransom.FileCryptor, HKU\S-1-5-21-2570794179-3168083979-416921674-1357\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE|Google Update, Quarentena, [23], [401398],1.0.2425
Ransom.FileCryptor, HKU\S-1-5-21-2570794179-3168083979-416921674-1357\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|Google Update, Quarentena, [23], [401398],1.0.2425

Please help me.

Please be patient until Demonslay335 has a chance to review the information you provided. BleepingComputer is inundated with support requests and he is not logged in at the moment. Since you already posted in the other topic, any further comments should be directed there.

#323 ftcnet
Posted 01 August 2017 - 06:11 PM

SHA1: 1631c0ce20b42f5c571bfae563f5a8def2d0e4fb is for a Word 2010 .docx file, even though Malwarebytes finds Trojan.Crypt.NKN or Trojan.LVBP on the workstation. Trend Micro Ransomware Decryption Tool can't ID the ransomware variant. Any other suggestions for possible decryption tools?



#324 quietman7
Posted 01 August 2017 - 06:14 PM

Did you upload both encrypted files and ransom notes together to ID Ransomware? Doing that provides a more positive match and helps to avoid false detections.

#325 Demonslay335
Posted 02 August 2017 - 08:07 AM

@ftcnet

It looks like your file was encrypted by Nemucod-AES, which zeroes out the whole file if it is under 64k. Use the Emsisoft decrypter.

https://www.bleepingcomputer.com/news/security/decrypted-emsisoft-releases-a-decryptor-for-nemucodaes-ransomware/


Edited by Demonslay335, 02 August 2017 - 08:08 AM.

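A triage helper written for this reply (added example, not code from the original post or from Emsisoft): since Nemucod-AES zeroes out files under 64k instead of encrypting them, those files cannot be recovered by any decrypter and must come from backup, so a responder wants to separate them from the files worth feeding to the decrypter before running it. Paths, the 64 KiB constant and the sample tree are assumptions constructed here.

```python
import tempfile
from pathlib import Path

# Nemucod-AES (per the post above) zeroes out files under 64k rather than
# encrypting them, so those are unrecoverable even with the decrypter.
ZERO_LIMIT = 64 * 1024


def is_zero_filled(path: Path, chunk: int = 65536) -> bool:
    """True when the file is non-empty and every byte is 0x00."""
    if path.stat().st_size == 0:
        return False
    with path.open("rb") as fh:
        while True:
            buf = fh.read(chunk)
            if not buf:
                return True
            if buf.count(0) != len(buf):   # at least one non-zero byte
                return False


def triage(root) -> dict:
    """Split a tree into zeroed files and decrypt candidates (paths relative to root, '/' separators)."""
    root = Path(root)
    result = {"zeroed": [], "candidates": []}
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        rel = p.relative_to(root).as_posix()
        if p.stat().st_size < ZERO_LIMIT and is_zero_filled(p):
            result["zeroed"].append(rel)        # restore from backup only
        else:
            result["candidates"].append(rel)    # feed to the decrypter
    return result


def run_demo() -> dict:
    """Constructed sample tree: a zeroed small file, a small intact file and a
    64 KiB file of zeros (not under the limit, so never classed as zeroed)."""
    with tempfile.TemporaryDirectory() as tmp:
        docs = Path(tmp) / "docs"
        docs.mkdir()
        (docs / "memo.docx").write_bytes(b"\x00" * 4096)
        (docs / "notes.txt").write_bytes(b"quarterly numbers\n")
        (Path(tmp) / "big.bin").write_bytes(b"\x00" * ZERO_LIMIT)
        return triage(tmp)


if __name__ == "__main__":
    print(run_demo())
```

Point `triage()` at the affected share instead of the sample tree; a zero-filled file that is already 64k or larger is deliberately left in the candidate list, because the 64k rule does not apply to it.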


#326 kind71
Posted 03 August 2017 - 09:11 AM

My machine is infected and all files are appearing with the extension .brb.
I am very upset, please help me; my job is at stake. I will be thankful to you guys. Again, please help me.
There is also a text file saved in all folders containing this text:

YOUR SYSTEM IS LOCKED AND ALL YOUR IMPORTANT DATA HAS BEEN ENCRYPTED.

DON'T WORRY YOUR FILES AS SAFE.

TO RETURN ALL THE NORMALLY YOU MUST BUY THE DECRYPTOR PROGRAM.

PAYMENTS ARE ACCEPTED ONLY THROUGH THE BITCOIN NETWORK.

YOU CAN GET THEM VIA ATM MACHINE OR ONLINE 

https://coinatmradar.com/ (find a ATM)

https://www.localbitcoins.com/ (buy instantly online any country)

THE PRICE FOR DECRYPTOR SOFTWARE IS 1 BTC

BTC ADRESS : 1BhHyQ97F4S8VZcebR2MmTRE8ip9TUeD6e

VERRY IMPORTANT !

DO NOT TRY TO SCAN WITH ANTIVIRUS YOU RISK LOSING YOUR DATA .

For more information : program2017@tuta.io (24/7)


#327 nicolac
Posted 08 August 2017 - 03:48 AM

Hello, one of our servers has been infected with some kind of ransomware that ID-RANSOMWARE can't identify. SHA1: 0b1db2abc7382c3a3989201b2759b67c411f7599

The ransomware probably stopped working at some point because not all document files were encrypted. In each scanned directory this malware puts two additional files: KRIPTOKI.DONOTDELETE, which contains some kind of key, and PLEASEREAD.THISMSG, containing this text:


ID:491942
PC: xxxxx
USER: xxxxx
=======
hello
 
i have encrypted all your files.
 
email me to buy the decrypter
 
gaetano.olsen ---@--- protonmail ---.--- com
 
if you don't get a reply, check your spam and junk folders first.
if there's nothing there, then register your own protonmail email and try again.
if still no answer or if you stop getting replies from the main email,
use these backup emails: gaetano.olsen ---@---: inbox.lv, india.com, pobox.sk
 
and please keep this encryption log file: C:\Windows\491942.log
 

The file C:\Windows\491942.log is a big file that seems to have a reference to the path of every single file encrypted.

Until now we haven't had any success with any detector.

Thanks in advance for any help you could give us.


#328 quietman7
Posted 08 August 2017 - 05:32 AM

Sounds new. Are there any obvious file extensions appended to or with your encrypted data files? If so, what is the extension and is it the same for each encrypted file or is it different?

#329 nicolac
Posted 08 August 2017 - 06:17 AM

Sorry, I forgot to mention that none of the encrypted files have an appended extension. Also, all KRIPTOKI.DONOTDELETE files in all folders contain the same string.



#330 Demonslay335
Posted 08 August 2017 - 08:38 AM

@nicolac

It's Mobef. Afraid it is not decryptable. They seem to have stopped using extensions or any kind of file marker a while ago, so it's hard to pick up on when they make minor changes to the note.

http://www.bleepingcomputer.com/forums/t/611717/mobef-ransomware-support-and-help-topic-keyz-keyh0les-infectiontxt/

