
Petya/Mischa/GoldenEye Ransomware - YOUR_FILES_ARE_ENCRYPTED.txt


46 replies to this topic

#16 ScotchGER

  • Members
  • 5 posts

Posted 12 May 2016 - 06:21 AM

Talked with another security guy; he told me that it is possible that Mischa is a kind of Petya ransomware.




#17 teamallow

  • Members
  • 2 posts

Posted 12 May 2016 - 07:09 AM

I looked at the files; some of them are encrypted with Mischa, and Petya is waiting while booting. Well, I'm letting antipetya from hasherezade run; it takes quite a while... hopefully it will work.



#18 ScotchGER

  • Members
  • 5 posts

Posted 12 May 2016 - 07:32 AM

I looked at the files; some of them are encrypted with Mischa, and Petya is waiting while booting. Well, I'm letting antipetya from hasherezade run; it takes quite a while... hopefully it will work.

It is possible because in my case the user did not shut down the computer and gave me a TeamViewer session after the infection. I am waiting for the device and will create the dump next week.

 

I will update this topic with my results.


Edited by ScotchGER, 12 May 2016 - 07:38 AM.


#19 Demonslay335

    Ransomware Hunter

  • Security Colleague
  • 3,527 posts
  • Gender:Male
  • Location:USA

Posted 12 May 2016 - 09:44 AM

Did someone also submit a .fSQy file that was affected by this ransomware? Also, what is the ransom note filename?


ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.


#20 ScotchGER

  • Members
  • 5 posts

Posted 12 May 2016 - 09:52 AM

Did someone also submit a .fSQy file that was affected by this ransomware? Also, what is the ransom note filename?

Yes, I did this, but mine was a .cRh8, perhaps a randomly generated name.


Edited by ScotchGER, 12 May 2016 - 09:54 AM.


#21 al1963

  • Members
  • 886 posts

Posted 12 May 2016 - 10:06 AM

I looked at the files; some of them are encrypted with Mischa, and Petya is waiting while booting. Well, I'm letting antipetya from hasherezade run; it takes quite a while... hopefully it will work.

 

Полное имя                  MBR#0 [20.0GB]
Имя файла                   MBR#0 [20.0GB]
Тек. статус                 загрузчик
                            
Сохраненная информация      на момент создания образа
Статус                      загрузчик
Размер                      440 байт
                            
Доп. информация             на момент обновления списка
SHA1                        3144007550B70B9ACAEDC44F6A34640F5359FD64
                            
Microsoft Ransom:DOS/Petya.A 20160512

https://www.virustotal.com/ru/file/cdcc95616faee15d2eab02837a6050b0dc3790219edeaa87fee40f805b86522a/analysis/1463065330/


However, leostone's method does not work.

More precisely, we have been working on the key calculation for a long time.


Edited by al1963, 12 May 2016 - 10:10 AM.


#22 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 51,606 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 12 May 2016 - 10:23 AM

BC Security Colleague bartblaze confirmed this as being from the same authors as Petya.
Ref: https://twitter.com/hasherezade/status/730715571453591552


Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click here.

#23 ertuzio

  • Members
  • 1 posts

Posted 19 May 2016 - 03:03 AM

Still no help for green Petya :(



#24 Demonslay335

    Ransomware Hunter

  • Security Colleague
  • 3,527 posts
  • Gender:Male
  • Location:USA

Posted 19 May 2016 - 09:50 AM

hasherezade has made some progress, but no full decrypter yet. Seems to be some hope.

 

https://twitter.com/hasherezade/status/733093054140289025




#25 gizmo21

  • Members
  • 7 posts

Posted 06 December 2016 - 07:59 AM

https://www.heise.de/newsticker/meldung/Aufgepasst-Neuer-Verschluesselungstrojaner-Goldeneye-verbreitet-sich-rasant-3561396.html

 

Infection via xls AND PDF in mail, which then downloads an exe:

potential names of the .exe:

radF1016.exe
radF3E9A.exe
rad20B9E.exe
rad6E6BE.exe
radF1016.exe
radD6E08.exe
rad7CB7C.exe

 

encrypted extension seen at least once: "uDz2j8mv", but it will be randomised

 

AntiVir mostly not detecting it so far: https://virustotal.com/en/file/b5ef16922e2c76b09edd71471dd837e89811c5e658406a8495c1364d0d9dc690/analysis/

 

submitname:"b5ef16922e2c76b09edd71471dd837e89811c5e658406a8495c1364d0d9dc690"
vxstream-threatscore:100/100
memurl:"Pattern match: FHu.FMu/FHu.FMu/FM,Pattern match: www.microsoft.com/exporting,Pattern match: http://www.sysinternals.com,Pattern match: www.sysinternals.com"
memip:"Heuristic match: {\*\generator Msftedit 5.41.21.2506;}\viewkind4\uc1\pard\brdrb\brdrs\brdrw10\brsp20 \sb120\sa120\b\f0\fs24 SYSINTERNALS SOFTWARE LICENSE TERMS\fs28\par"
mutants:"\Sessions\1\BaseNamedObjects\gbjwfqhzvkpqkxib"
source:https://www.hybrid-analysis.com/sample/b5ef16922e2c76b09edd71471dd837e89811c5e658406a8495c1364d0d9dc690?environmentId=100


Edited by gizmo21, 06 December 2016 - 08:26 AM.


#26 Demonslay335

    Ransomware Hunter

  • Security Colleague
  • 3,527 posts
  • Gender:Male
  • Location:USA

Posted 06 December 2016 - 09:59 AM

Thanks for the information. It has been confirmed this is a re-branding of Mischa. At this time, it is not decryptable.

 

I have set up several identification rules to detect GoldenEye on ID Ransomware, and victims will be pointed to this topic.




#27 gizmo21

  • Members
  • 7 posts

Posted 06 December 2016 - 10:07 AM

#GoldenEye #Ransomware aka re-branded #Mischa

Extension: .<random 8 characters>

Ransom Note: YOUR_FILES_ARE_ENCRYPTED.TXT

Tor: http://golden5a4eqranh7.onion/
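As an added illustration (not code from anyone in this thread), a small triage script that applies the identification approach described in posts #26 and #27: it flags directories that contain the YOUR_FILES_ARE_ENCRYPTED.TXT note or several files sharing one random-looking extension (8 characters for GoldenEye, 4 for the Mischa samples .fSQy/.cRh8 mentioned earlier in the thread). The mixed-case heuristic, the hit threshold and the sample file listing are my own assumptions.

```python
import re
from collections import Counter, defaultdict

# Indicators from this thread: GoldenEye's note name (post #27) and the
# extension lengths seen (8 random chars for GoldenEye, 4 for Mischa .fSQy/.cRh8).
RANSOM_NOTE = "YOUR_FILES_ARE_ENCRYPTED.TXT"
FAMILY_BY_EXT_LEN = {8: "GoldenEye", 4: "Mischa"}
EXT_RE = re.compile(r"\.([A-Za-z0-9]{4}|[A-Za-z0-9]{8})$")
# Assumption (my heuristic, not from the thread): random extensions nearly
# always mix upper and lower case, which legitimate extensions rarely do.
MIXED_CASE = re.compile(r"(?=.*[a-z])(?=.*[A-Z])")
MIN_HITS = 3  # files sharing one odd extension before a directory is flagged


def triage(paths):
    """Return {directory: finding} for directories that look hit by GoldenEye/Mischa."""
    by_dir = defaultdict(list)
    for p in paths:
        d, _, name = p.replace("\\", "/").rpartition("/")
        by_dir[d].append(name)
    findings = {}
    for d, names in by_dir.items():
        has_note = RANSOM_NOTE in {n.upper() for n in names}
        exts = Counter()
        for n in names:
            m = EXT_RE.search(n)
            if m and MIXED_CASE.search(m.group(1)):
                exts[m.group(1)] += 1
        ext, hits = exts.most_common(1)[0] if exts else (None, 0)
        # The note alone is a hit; otherwise demand several renamed files.
        if has_note or hits >= MIN_HITS:
            findings[d] = {
                "extension": ext,
                "hits": hits,
                "family": FAMILY_BY_EXT_LEN.get(len(ext or ""), "unknown"),
                "note_present": has_note,
            }
    return findings


# Constructed sample listing (not real victim data): one hit directory, one clean one.
SAMPLE_PATHS = [
    "C:/Users/victim/Documents/YOUR_FILES_ARE_ENCRYPTED.TXT",
    "C:/Users/victim/Documents/budget.xlsx.uDz2j8mv",
    "C:/Users/victim/Documents/report.pdf.uDz2j8mv",
    "C:/Users/victim/Documents/notes.txt.uDz2j8mv",
    "C:/Users/victim/Pictures/holiday.JPEG",
    "C:/Users/victim/Pictures/index.html",
]
FINDINGS = triage(SAMPLE_PATHS)  # {"C:/Users/victim/Documents": {...}}
```

Feed it a directory walk (for example `os.walk` output joined into paths) to get a per-directory list of where the random extension and the note occur before deciding which files to collect for submission.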



#28 desheise

  • Members
  • 2 posts

Posted 09 December 2016 - 08:24 AM

hi,

anyone interested in getting hands on with:

official decrypter for GoldenEye which you receive after paying the ransom

decryption key

encrypted and decrypted file

please contact me.


Edited by desheise, 09 December 2016 - 08:31 AM.


#29 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 51,606 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 09 December 2016 - 01:23 PM

If you have a working decrypter, you can zip and submit it here (https://www.bleepingcomputer.com/submit-malware.php?channel=168) with a link to this topic along with a few encrypted files and anything else the malware writers provided.

Even though the decrypter will not work for other victims, our crypto malware experts may be able to get some information by analyzing it further.

#30 desheise

  • Members
  • 2 posts

Posted 13 December 2016 - 03:47 AM

If you have a working decrypter, you can zip and submit it here (https://www.bleepingcomputer.com/submit-malware.php?channel=168) with a link to this topic along with a few encrypted files and anything else the malware writers provided.

Even though the decrypter will not work for other victims, our crypto malware experts may be able to get some information by analyzing it further.

done.





