
ID Ransomware - Identify What Ransomware Encrypted Your Files


427 replies to this topic

#421 TunaLion

TunaLion

  • Members
  • 6 posts
  • OFFLINE
  • Local time:10:37 PM

Posted 09 May 2018 - 01:14 AM

 

 

If ID Ransomware cannot identify the infection, you can post the case SHA1 it gives you in your next reply for Demonslay335 to manually inspect the files

 

Good Day All,

A server at a client has been infected by Ransomware which cannot be identified. The SHA1 is as follows: 

SHA1: 3743395fe6ce0c122c956d3a2843e71ee0ed44a1

 

Please assist.

 

 

What is the extension added to files? You didn't upload any encrypted files for me to confirm, but this looks like YYTO. See this topic for an m6m6 variant where Amigo-A compares the notes.

 

https://www.bleepingcomputer.com/forums/t/664262/m6m6-ransomware/

 

This is the note that was uploaded.

 

Help.txt

Hello. Your files have been encrypted.

For help, write to this e-mail: armoon2g8i@chef.net
Attach to the letter 1-2 files (no more than 3 MB) and your personal key.


If within 24 hours you have not received a response, you need to follow the following instructions:


a) Download and install TOR browser: https://www.torproject.org/download/download-easy.html.en
b) From the TOR browser, follow the link: torbox3uiot6wchz.onion
c) Register your e-mail (Sign Up)
d) Write us on e-mail: armoon2g8i@torbox3uiot6wchz.onion


ATTENTION: e-mail (armoon2g8i@torbox3uiot6wchz.onion) accepts emails, only with e-mail registered in the TOR browser at torbox3uiot6wchz.onion



Your personal key:

[redacted hex]

Hi, every time I tried to upload the file, I received an error. Not sure if it is because the file is too large, maybe. The file name is as follows: Document1.bak.armoon2g8i@chef.net.iuiu





#422 Amigo-A

Amigo-A

  • Members
  • 456 posts
  • OFFLINE
  • Gender:Male
  • Location:3st station from Sun
  • Local time:01:37 AM

Posted 18 May 2018 - 12:04 PM

Everything looks like in the other variants of YYTO. I added this update to the article.


My projects: Digest "Crypto-Ransomwares" + Anti-Ransomware Project (In Russian) + Google Translate Technology

Have you been attacked by a Ransomware? Report here. Знаете русский язык? Пишите мне на русском. Помогу. 


#423 Demonslay335

Demonslay335

    Ransomware Hunter

  • Topic Starter

  • Security Colleague
  • 3,451 posts
  • OFFLINE
  • Gender:Male
  • Location:USA
  • Local time:03:37 PM

Posted 18 May 2018 - 12:50 PM

@TunaLion

 

What is the error, and how large of a file are you trying to upload? I don't recall what my host's limit is, likely around 20-50MB.


ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.


#424 TunaLion

TunaLion

  • Members
  • 6 posts
  • OFFLINE
  • Local time:10:37 PM

Posted 21 May 2018 - 02:54 AM

@TunaLion

 

What is the error, and how large of a file are you trying to upload? I don't recall what my host's limit is, likely around 20-50MB.

 

Hi Demonslay,

 

The file was around 72MB in size, however I believe it was the YYTO variant which was used in this attack. Thanks everyone for all the assistance. I just wish there was a way to decrypt the files.  :( 



#425 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,141 posts
  • OFFLINE
  • Gender:Male
  • Location:Virginia, USA
  • Local time:04:37 PM

Posted 21 May 2018 - 06:25 AM

YYTO Ransomware Help & Support Topic (help_to_decrypt.txt & read_to_txt_file.yyt)
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click here.

#426 powermax

powermax

  • Members
  • 68 posts
  • OFFLINE
  • Local time:10:37 PM

Posted 23 May 2018 - 05:03 AM

Here is a new ransomware:

 

https://we.tl/1mOk98Wswj

 

Can someone tell me what ransomware this is?

 

ID Ransomware does not recognize it.

 

Thanks



#427 Demonslay335

Demonslay335

    Ransomware Hunter

  • Topic Starter

  • Security Colleague
  • 3,451 posts
  • OFFLINE
  • Gender:Male
  • Location:USA
  • Local time:03:37 PM

Posted 23 May 2018 - 08:16 AM

Here is a new ransomware:

 

https://we.tl/1mOk98Wswj

 

Can someone tell me what ransomware this is?

 

ID Ransomware does not recognize it.

 

Thanks

 

Does look potentially new. We'll need the malware itself to analyze.

 

For Google's sake, here's the ransom note contents. The files have the extension ".karne".

 

RECOVERY.txt

All your files are encrypted. If you want to recover they, write me to karnel.fikol@aol.com
You have a 5 days
YOUR KEY: [redacted 512 bytes in base64]

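The identification done by hand in this thread (reading the appended extension, the contact address baked into the file name, and the note) can be scripted. The following is an added example, not ID Ransomware's code or anything posted here: it splits a file name like Document1.bak.armoon2g8i@chef.net.iuiu into original name, contact address and appended extension, pulls addresses out of the note, and ranks families against the few indicators this thread mentions (YYTO and JosepCrypt). The indicator table and the sample inputs are constructed from this thread only and are far from complete.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Indicators taken only from this thread (YYTO: Help.txt-style notes and
# "<name>.<email>.<ext>" file names; JosepCrypt: ".karne" files, RECOVERY.txt,
# karnel.fikol@aol.com). A real triage tool carries a far larger indicator set.
FAMILY_INDICATORS = {
    "YYTO": {"notes": {"help.txt", "help_to_decrypt.txt", "read_to_txt_file.yyt"},
             "exts": {".iuiu"}, "emails": set()},
    "JosepCrypt": {"notes": {"recovery.txt"}, "exts": {".karne"},
                   "emails": {"karnel.fikol@aol.com"}},
}

# E-mail address in free text (local part may contain dots, e.g. karnel.fikol@aol.com).
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")
# "<original>.<email>.<ext>": the local part must not contain dots here,
# otherwise "Document1.bak" would be swallowed into the address.
ENC_NAME_RE = re.compile(
    r"^(.*)\.([A-Za-z0-9_%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)(\.[^.@]+)$")

@dataclass
class Triage:
    original_name: str
    appended_ext: str
    contact_email: Optional[str]   # address embedded in the file name, if any
    note_emails: list              # addresses found in the ransom note
    candidates: list               # matching families, best match first

def parse_encrypted_name(filename: str):
    """Split an encrypted file name into (original name, contact e-mail, appended ext)."""
    m = ENC_NAME_RE.match(filename)
    if m:
        return m.group(1), m.group(2), m.group(3)
    stem, dot, ext = filename.rpartition(".")   # plain "<original>.<ext>" case
    return stem, None, dot + ext

def triage_sample(filename: str, note_name: str, note_text: str) -> Triage:
    """Rank known families by how many thread-sourced indicators the sample hits."""
    original, email, ext = parse_encrypted_name(filename)
    note_emails = sorted(set(EMAIL_RE.findall(note_text)))
    seen = [e.lower() for e in note_emails + ([email] if email else [])]
    scores = {}
    for family, ind in FAMILY_INDICATORS.items():
        score = int(note_name.lower() in ind["notes"]) + int(ext.lower() in ind["exts"])
        score += int(any(e in ind["emails"] for e in seen))
        if score:
            scores[family] = score
    ranked = sorted(scores, key=lambda f: -scores[f])
    return Triage(original, ext, email, note_emails, ranked)
```

Run it on a file name plus the note's name and text; an empty `candidates` list means none of the listed indicators matched, which is the case where the sample still has to go to a human.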


#428 Amigo-A

Amigo-A

  • Members
  • 456 posts
  • OFFLINE
  • Gender:Male
  • Location:3st station from Sun
  • Local time:01:37 AM

Posted Yesterday, 02:34 PM

FLKR Ransomware: this pertained to __murzik@jabber.mipt.ru

 

Ransomware with karnel.fikol@aol.com - this is another iteration of JosepCrypt Ransomware.


Edited by Amigo-A, Yesterday, 02:36 PM.
