Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

ID Ransomware - Identify What Ransomware Encrypted Your Files


  • Please log in to reply
416 replies to this topic

#406 jaxnatax

jaxnatax

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Local time:01:59 AM

Posted 10 January 2018 - 05:57 AM

@Veselin

 

There's no way to really identify that without the ransom note or the malware itself. There's no filemarkers, and the extension is most likely random.

 

@jaxnatax

 

I'm currently taking a look at the executable you provided, trying to identify which one it is exactly. No filemarkers are tagged by ID Ransomware, so I'm a little confused on which variant it is.

 

Hallo Professionals,

 

 

Happy new year!

Any update on my case please ?

May I still can have hope of a solution from you ?

 

Regards,

J


Edited by jaxnatax, 10 January 2018 - 05:58 AM.


BC AdBot (Login to Remove)

 


#407 cokronk

cokronk

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:07:59 PM

Posted 06 February 2018 - 11:02 AM

I have a PC that has some of the documents renamed as sectorXXXXXXXX.zip

 

There's been no known ransom note. Any ideas if this is or what type of Ransomware it is?



#408 Carina_6

Carina_6

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:12:59 AM

Posted 21 February 2018 - 06:09 PM

     I’m worried because I could not identified what  ransomware was encrypted the files of my computer on 24.06.2015. The ransomware didn”t change the name and extensions of my files.  I tried to use many decryptors but…..nothing .  I saw on the screen an executable with an icon.

     I didn”t see any suspicious document in my computer. I formatted the HDD immediately…....and I’m sorry but I have not a print screen with the warning of that ransomware.

       Please, help me!   I need a list of ransomwares that preserve the original name of the files and extensions.



#409 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 50,964 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:08:59 PM

Posted 21 February 2018 - 06:20 PM

CryptoWall, CrypMic, DMA Locker, Microsoft Decryptor (CryptXXX), PClock, Spora, Cryptofag, TeslaCrypt v4.0, CryptoHost, MotoxLocker, KawaiiLocker, Hermes, LoveServer and Power Worm do not append or change file extensions. Newer variants of Nemucod (Nemucod-AES) and Mobef also do not append any extensions to encrypted filenames.

Some ransomware variants (i.e. DMA Locker, TeslaCrypt, CrypMic) will add a unique hex pattern (filemarker) identifier in the header of every encrypted file so the ransomware can identify the file as one it encrypted. Spora-encrypted files utilize a 4 byte long Crc32 file marker. CryptoWall is identified by how the files are renamed. CryptoWall 3.0 and 4.0 encrypted files typically will have the same 16 byte header which is different for each victim. PClock, Mobef and Cryptofag do not use a filemarker.

The best way to identify the different ransomwares that do not append an extension is the ransom note (including it's name), samples of the encrypted files, information related to any email addresses or hyperlinks provided by the cyber-criminals to request payment and the malware file responsible for the infection. Without any of that information or a file marker/unique hex pattern identifier, it is difficult to determine what you are dealing with.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#410 Multiwork

Multiwork

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:04:29 AM

Posted 03 March 2018 - 02:50 AM

Hello,

This is Source of Ransomware:

https://www.sendspace.com/file/redacted   [malicious link neutralized]

 

Type of Ransomware:

Ransomware-Win32-Necne

 

Need password for decryptor

 

Thanks


Edited by britechguy, 03 March 2018 - 01:01 PM.
Neutralize direct link to malware/ransomware - not needed.


#411 Demonslay335

Demonslay335

    Ransomware Hunter

  • Topic Starter

  • Security Colleague
  • 3,430 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:07:59 PM

Posted 03 March 2018 - 12:13 PM

Hello,

This is Source of Ransomware:

[redacted]

 

Type of Ransomware:

Ransomware-Win32-Necne

 

Need password for decryptor

 

Thanks

 

VirusTotal and HybridAnalysis both tag it as GlobeImposter, which is not decryptable without the criminal's private keys.


logo-25.pngID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

ransomnotecleaner-25.png RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

cryptosearch-25.pngCryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.


#412 Multiwork

Multiwork

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:04:29 AM

Posted 04 March 2018 - 02:08 PM

 

Hello,

This is Source of Ransomware:

[redacted]

 

Type of Ransomware:

Ransomware-Win32-Necne

 

Need password for decryptor

 

Thanks

 

VirusTotal and HybridAnalysis both tag it as GlobeImposter, which is not decryptable without the criminal's private keys.

 

this is instruction:

https://www.sendspace.com/file/02eeti



#413 patacee

patacee

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:01:59 AM

Posted 07 March 2018 - 06:13 AM

I have a very weird case of 'ransomware'. A malware encrypted files but no information on payments... All the files were simply renamed (by adding a TIZU extension to each one)

 

I uploaded an example with hash 23fbbee00544a2c7cac486b5b84b84468db2215a

 

And as expected didn't detect it. How do I proceed with this kind of issue?



#414 Demonslay335

Demonslay335

    Ransomware Hunter

  • Topic Starter

  • Security Colleague
  • 3,430 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:07:59 PM

Posted 07 March 2018 - 01:32 PM

@patacee

 

The files you submitted do not have any extension added, they have the regular ".docx" extension.

 

I also have no submissions with an extension of "TIZU" in them.


logo-25.pngID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

ransomnotecleaner-25.png RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

cryptosearch-25.pngCryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.


#415 patacee

patacee

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:01:59 AM

Posted 07 March 2018 - 01:38 PM

@Demonslay335

Actually I renamed it back, thinking the malware just renamed it. I may still have a copy of the malware for reverse engineering analysis but haven't checked..

#416 Ramun666

Ramun666

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:01:59 AM

Posted 27 March 2018 - 03:47 AM

Hi Guys,

 

my server has been encrypted as well. I can see data, but MBR, MFT and mirrors of these files are encrypted. I was able to get most of data back, but I struggle with SQL database and data for Iris application. Unfortunately backup was made to an attached USB disk and same happened to it. After restart I got message to decrypt contact falcons@scryptmail.com. I tried to contact them, they had an issue to identify my server with IP I gave them but later they said, they found it and they asked for 0.1 Bitcoin. After I paid no reply and no response. I am not sure what virus is it and I don't think I will get my partions back, but if you have some idea please help.

 

Thank you,

 

R.



#417 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 50,964 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:08:59 PM

Posted 27 March 2018 - 07:13 AM

If ID Ransomware cannot identify the infection, you can post the case SHA1 it gives you in your next reply for Demonslay335 to manually inspect the files.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users