Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

ID Ransomware - Identify What Ransomware Encrypted Your Files


  • Please log in to reply
368 replies to this topic

#346 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 49,951 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:04:31 AM

Posted 05 November 2017 - 07:25 AM

Hello!
 
Please help me to identify the Ransomware. 
The case ID: 
SHA1: a224aacb76ffd8f73f46e50709559e1842bae563[/size]
File extention is: [/size]r23wf10

The extension looks random.

There are several different ransomware infections which append a random 4, 5, 6, 7, 8, etc character extension to the end of all affected filenames...CTB-Locker, Crypt0L0cker, CryptON (Cry9, Cry36, Cry128, Nemesis), Skull, SynAck, Maktub Locker, Alma Locker, Princess Locker, Locked-In, Mischa, Goldeneye, Al-Namrood 2.0, Cerber v4x/v5x and some Xorist variants.

The best way to identify the different ransomwares that use "random character extensions" is the ransom note (including it's name), samples of the encrypted files, any obvious extensions appended to the encrypted files, information related to any email addresses used by the cyber-criminals to request payment and the malware file responsible for the infection. If you have not done so, I suggest you try uploading both encrypted files and ransom notes together at ID Ransomware since that provides a more positive match.
.
.
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Microsoft MVP Reconnect 2016
Windows Insider MVP 2017
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

BC AdBot (Login to Remove)

 


m

#347 jaxnatax

jaxnatax

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:10:31 AM

Posted 05 November 2017 - 04:53 PM

Hallo, 
 
Please help.
It seems I have a new Crypton variant, despite the notification is equal to the nemesis/crypton message and id ransomware site identifies the sample and the notice like that.
The web page recognises it as a CryptOn, but none of your existig crypton decoders work.
It encrypts the first part of the files until hexa 11079 and adds 16 extra bytes to the end of the files in this way: unique byte + 15 pcs zeros.
All the files' part after 11800 remain intact (according to file comparision) until the extra bytes at the end.
My analysis shows that the unique byte differs even for same file extensions or same files sizes.
 
I have uploaded the samples (encrypted/unencrypted) here
extract word is "ransom"
 
ps: host will keep the files only for 30 days, please cache them before that
 
Please help, I have a bunch of personal files impacted.
John

Edited by jaxnatax, 05 November 2017 - 04:55 PM.


#348 evgenyzh

evgenyzh

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:05:31 PM

Posted 07 November 2017 - 01:13 AM

@evgenyzh,

do you have a ransom note ?

No, unfortunally users of the ps remove the virus and there are no any readme files too.



#349 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 49,951 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:04:31 AM

Posted 07 November 2017 - 06:36 AM

@evgenyzh,
do you have a ransom note ?

No, unfortunally users of the ps remove the virus and there are no any readme files too.

Then our crypto malware experts most likely will need a sample of the malware file itself to analyze. Samples of any suspicious executable's (installer, malicious files, attachments) that you suspect were involved in causing the infection can be submitted (uploaded) here with a link to this topic. There is a "Link to topic where this file was requested" box under the Browse button...it's best to compress large files before sharing.
.
.
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Microsoft MVP Reconnect 2016
Windows Insider MVP 2017
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#350 Veselin

Veselin

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:01:31 PM

Posted 09 November 2017 - 12:22 AM

Hi all,

 

First, thanks for taking your time to create this blog as well as other usefull web sites.

 

I have a problem which I am not managing to sort out for almost 2 years. My home PC was infected by a ransomware which converted all files with extension .xprldoe

 

I've been searching for the decryptor ever since. Unfortunatelly, in all panic to clean the computer and save at least remaining files, I have not saved ransom note nor any other files, except the crypted files.

 

Can you help?

 

I've already submited a sample file to https://www.bleepingcomputer.com/submit-malware.php?channel=168 but yet no response.

 

Thanks

Veselin


Edited by Veselin, 09 November 2017 - 12:29 AM.


#351 Veselin

Veselin

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:01:31 PM

Posted 09 November 2017 - 02:08 AM

Just to add to this, realized I have not given full info.

 

File names are converted as e.g. DIME.DOCX becomes DIME.DOCX.xprldoe. It converts all files, regardless of type.

 

Regards,

Veselin


Edited by Veselin, 09 November 2017 - 02:09 AM.


#352 petarnov

petarnov

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:04:31 AM

Posted 15 November 2017 - 08:11 PM

	Unable to determine ransomware. 

Please make sure you are uploading a ransom note and encrypted sample file from the same infection.

 This can happen if this is a new ransomware, or one that cannot be currently identified automatically.

 You may post a new topic in the Ransomware Tech Support and Help forums on BleepingComputer for further assistance and analysis.

 Please reference this case SHA1: 048b9b22121e05f88dff7e07ecaea56f482ea1ea

How do I proceed from here?



#353 Emmanuel_ADC-Soft

Emmanuel_ADC-Soft

  • Members
  • 72 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Paris
  • Local time:10:31 AM

Posted 16 November 2017 - 03:35 AM

@petarnov,

you can submit your files here  for the experts of this forum to analyse them.
Don't forget to leave a message and a link to this topic.

You can also share your files directly on this topic for everybody with we transfer (or google drive, or the platform of your choice) :
don't forget the ransom note, encrypted samples, and any detected suspicious files or trojan.

Kind regards,
Emmanuel



#354 jaxnatax

jaxnatax

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:10:31 AM

Posted 16 November 2017 - 03:54 AM

 

Hallo, 
 
Please help.
It seems I have a new Crypton variant, despite the notification is equal to the nemesis/crypton message and id ransomware site identifies the sample and the notice like that.
The web page recognises it as a CryptOn, but none of your existig crypton decoders work.
It encrypts the first part of the files until hexa 11079 and adds 16 extra bytes to the end of the files in this way: unique byte + 15 pcs zeros.
All the files' part after 11800 remain intact (according to file comparision) until the extra bytes at the end.
My analysis shows that the unique byte differs even for same file extensions or same files sizes.
 
I have uploaded the samples (encrypted/unencrypted) here
extract word is "ransom"
 
ps: host will keep the files only for 30 days, please cache them before that
 
Please help, I have a bunch of personal files impacted.
John

 

 

Please, anybody support me or the silence means that your are working hard on it ?

 

I found an executable what was the suspect. I could disassemble and convert it to a raw C code.

I think it is tha encoding executable, because it contains "ID-" prefix string in one of its functions but putting together the whole code exceeds my knowledge.

 

I can send it over if that can help.

 

regards,

J


Edited by jaxnatax, 16 November 2017 - 03:58 AM.


#355 petarnov

petarnov

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:04:31 AM

Posted 16 November 2017 - 08:17 AM

@petarnov,

you can submit your files here  for the experts of this forum to analyse them.
Don't forget to leave a message and a link to this topic.

You can also share your files directly on this topic for everybody with we transfer (or google drive, or the platform of your choice) :
don't forget the ransom note, encrypted samples, and any detected suspicious files or trojan.

Kind regards,
Emmanuel

 

here are the files https://drive.google.com/file/d/1WIPiHcXBqrRZY09VMuxdlkXyR3Zr-wb2/view?usp=sharing thanks



#356 Demonslay335

Demonslay335

    Ransomware Hunter

  • Topic Starter

  • Security Colleague
  • 3,251 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:03:31 AM

Posted 16 November 2017 - 09:49 AM

@petarnov

 

Looks like you are dealing with LockCrypt. I've not seen a sample using that uppercase ".LOCK" as part of the extension, so it could be a new variant. Has a new email address as well.

 

https://www.bleepingcomputer.com/forums/t/648384/lockcrypt-lock-support-topic-readmetxt/

 

If you can find the malware, that would be most helpful. LockCrypt is still under analysis, but there's no way of decrypting it at this time.


Edited by Demonslay335, 16 November 2017 - 09:50 AM.

logo-25.pngID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

ransomnotecleaner-25.png RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

cryptosearch-25.pngCryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.


#357 Demonslay335

Demonslay335

    Ransomware Hunter

  • Topic Starter

  • Security Colleague
  • 3,251 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:03:31 AM

Posted 16 November 2017 - 10:05 AM

@jaxnatax

 

We'll need the malware executable to analyze if the CryptON/Nemesis-family decrypters didn't work. You may upload malicious executables here: http://www.bleepingcomputer.com/submit-malware.php?channel=168


logo-25.pngID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

ransomnotecleaner-25.png RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

cryptosearch-25.pngCryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.


#358 jaxnatax

jaxnatax

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:10:31 AM

Posted 16 November 2017 - 01:38 PM

@jaxnatax

 

We'll need the malware executable to analyze if the CryptON/Nemesis-family decrypters didn't work. You may upload malicious executables here: http://www.bleepingcomputer.com/submit-malware.php?channel=168

 

Hello Demonslay,

 

I have already contacted the 8 main antivirus vendors, some of them replied with unusable informations, but none of them felt that they should provide a decryptor - that's why I'm attemtp to ask your help...

 

Best Regards,

 

ps: If I could help with anything with my case please just ask.

 

Regards,

J



#359 petarnov

petarnov

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:04:31 AM

Posted 16 November 2017 - 02:29 PM

@petarnov

 

Looks like you are dealing with LockCrypt. I've not seen a sample using that uppercase ".LOCK" as part of the extension, so it could be a new variant. Has a new email address as well.

 

https://www.bleepingcomputer.com/forums/t/648384/lockcrypt-lock-support-topic-readmetxt/

 

If you can find the malware, that would be most helpful. LockCrypt is still under analysis, but there's no way of decrypting it at this time.

 

How would I approach to find the malware on the machine? Consider I have only file access that machine is rendered useless by the malware. 



#360 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 49,951 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:04:31 AM

Posted 16 November 2017 - 05:06 PM

How would I approach to find the malware on the machine? Consider I have only file access that machine is rendered useless by the malware.


These are some common folder variable locations malicious executables and .dlls hide:
  • %SystemDrive%\ (C:\)
  • %SystemRoot%\ (C:\Windows, %WinDir%\)
  • %UserProfile%\
  • %UserProfile%\AppData\Roaming\
  • %AppData%\
  • %LocalAppData%\
  • %ProgramData%\ / %AllUserProfile%\
  • %Temp%\ / %AppData%\Local\Temp\
Note: Some folders like %AppData% are hidden by the operating system so you may need to configure Windows to show hidden files & folders.

If possible, check the history logs and quarantine folders for your anti-virus and other security scanning tools to see if they found and removed any malware possibly related to the ransomware.
.
.
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Microsoft MVP Reconnect 2016
Windows Insider MVP 2017
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users