AxCrypt Encrypt *.axx Ransomware?



#1 Teknik21 (Members, 9 posts)

Posted 26 March 2016 - 12:00 PM

Hi everyone,

My files on my server encrypted, attacks for information, please.

AxCrypt Encrypt *.axx file Decrypt Ransomware bruteforce Wordlist ?





#2 Demonslay335 (Ransomware Hunter, Security Colleague, 3,492 posts)

Posted 26 March 2016 - 12:12 PM

Sounds new. Can you provide the ransom note file, and a few encrypted files for analysis? You may upload them to SendSpace and link them here.
 
If you have any suspicious files that you think caused the infection, please upload them to Malwr and share the link.

ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.


#3 Teknik21 (Topic Starter)

Posted 26 March 2016 - 12:26 PM

AxCrypt software is open source:

http://fs33.filehippo.com/6058/3d48254022844e42869f12710757a54a/AxCrypt-1.7.3156.0-Setup.exe 

Example file 

https://www.sendspace.com/file/fpsew6

Edited by Teknik21, 26 March 2016 - 12:27 PM.


#4 cybercynic (Members, 557 posts)

Posted 26 March 2016 - 12:45 PM

AxCrypt is legitimate encryption software and does use the .axx file extension for its encrypted files.


We are drowning in information - and starving for wisdom.


#5 Teknik21 (Topic Starter)

Posted 26 March 2016 - 12:48 PM

Ransomware method: my company, all data encrypted?

Decrypt? All data lost, please.



#6 Demonslay335 (Ransomware Hunter, Security Colleague, 3,492 posts)

Posted 26 March 2016 - 12:58 PM

Very interesting. They must have gained manual access to the server, possibly through RDP or gaining access to credentials for TeamViewer or other remote services with leaked credentials.

 

Do you have a ransom note from them, telling you how to pay?




#7 Teknik21 (Topic Starter)

Posted 26 March 2016 - 01:01 PM

Bitcoin payment.



#8 Demonslay335 (Ransomware Hunter, Security Colleague, 3,492 posts)

Posted 26 March 2016 - 01:04 PM

Can you upload the ransom note to SendSpace and share it with us?



#9 Teknik21 (Topic Starter)

Posted 26 March 2016 - 01:39 PM

Demonslay335

Mail and bitcoin ID text:

I encrypt some data that I believe are important to your system.

Only your server to encrypt your data so you can bring me back again,
* .axx Extension with its own place in your home directory or disk "reserves" named
After you hide the folder, it will not be brought back to delete data by writing over the original.
 
If your data again working my way wish to install on your server Eders new me
 
Please contact via e-mail. Create your ip necessarily the subject of the e-mail you write.
 
I demand from you to your system cost $ 2,500. If we agree on,
I will send the necessary information in order to transfer you the money gönfer.
control the delivery of a currency that you sent me (at the latest half an hour) then your system
I made it to connect older.
 
I do not know you, because with you because I'm not against any hostility or resentment you unnecessarily
My one goal is to get in trouble is not possible to be. My goal this act only after obtaining a certain income because of my
this inconvenience I caused my way to separate out problems with you.
 
* .axx Extension files on your server and / or if the driver found in your home directory "reserves" to delete the folder,
Replace them play the originals / Do disturbing. back your information because you disrupt or delete the files you
I do not accept responsibility for failure to bring.
 
Data from the outside by the company responsible for the data processing except I encrypt my e-mail reply whether such person or entity
the owners of the business if they can not agree with me / management reports also aims to reach the status of my leg I would like to know.
 
Each server in its own unique conditions, the amount and type of data, the company's size / recognition, data encryption, I spend
and then I will spend time and money by installing backward conditions required by the payment method will use me in achieving
I requested a separate fee for each job, depending on the situation to me, "You take money from something far place" in the form of arguments
Do not seek a reduction in the price.
 
With your hard disk data recovery programs can try to recover data, disk data recovery company to
You can send, you may apply to judicial authorities, you can threaten me. A benefit of all of them to regain your data
but that will not cost you time, try to bring your system to a moment ago, the situation is now being agreed with me
I would like to note.
 
After you make your old server, which means you've reached your server what way and to avoid repetition of such events in your life
What to do, I'll send an e-mail explaining that you need to pay attention to.
 
When contacting me, please indicate the number of your external ip of the server so I can understand what the issues mentioned from the server.


#10 Grinler (Lawrence Abrams, Admin, 43,567 posts)

Posted 26 March 2016 - 05:22 PM

Unfortunately, it looks like the server was hacked and the hacker used AxCrypt to encrypt your data. You may want to contact the developers of AxCrypt to see if they can help in any way.

#11 Teknik21 (Topic Starter)

Posted 26 March 2016 - 05:33 PM


http://www.axantum.com/AxCrypt/faq.html#lost_passphrase

I lost my passphrase. Can you help me?
The basic rule is: If you lose or forget your passphrase or key-file, your documents are lost. There is no back-door into AxCrypt.

The only way to recover a lost passphrase is to try all likely combinations. If you have used a key-file, and lost that, there is nothing to do at all - the number of combinations is simply too large. That is why you must print a paper backup copy if you use key-files.

All that being said, there is a special case where I could possibly help you. If you think you know your passphrase, but not quite, or if it's less than 5 characters long - then I can write and adapt a special program that will try many combinations automatically. This is called a brute force attack.

AxCrypt is specifically engineered to counter brute force attacks, and does it rather well, so this will only work when the number of combinations to try is very small, let's say less than a million.

If you think you may be in a position where you can narrow down the possible combinations enough for me, then there is a slight chance to recover the passphrase.

A brute force attack requires custom programming and many hours, days and possibly weeks and months of computer time, thus I will only do this when compensated and when I feel that it might be possible. But it's always done on a no cure - no pay basis, this means that if I can't find the passphrase, there's no fee. The fee depends on the amount of programming necessary, typically it'll vary between USD/EUR 50 to 250.

(I've attempted this four times so far, and succeeded once. The password was a word with four letters, where the first letter turned out to be a 'y' instead of 'm' as the user apparently had mistyped. That's the kind of situation where a brute force attack may be successful.)


#12 Nikhil_CV (Vestibulum Bleep, Members, 1,145 posts)

Posted 27 March 2016 - 05:06 AM

Looks like a script kiddie who found a vulnerability on the server trying to make most out of it...
Regards: CV

There is no ONE TOUCH key to security! Be alert and vigilant! Always have a Backup Plan!!! Because human idiotism doesn't have a cure!
Questions are to be asked, it helps you, me and others. Knowledge is power, only when it's shared with others. Signature contents © cv and Someone.

#13 cybercynic (Members, 557 posts)

Posted 27 March 2016 - 06:50 AM

Would an encryption of this type affect the Shadow Volumes? Perhaps Shadow Explorer could be used?




#14 Teknik21 (Topic Starter)

Posted 27 March 2016 - 07:06 AM

cybercynic wrote: Would an encryption of this type affect the Shadow Volumes? Perhaps Shadow Explorer could be used?

vssadmin list shadows / all delete method



#15 Grinler (Lawrence Abrams, Admin, 43,567 posts)

Posted 27 March 2016 - 08:36 AM

Were the shadows gone? Did you find the batch file that performed the encryption and cleanup?
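As an added example (not code from the thread, from BleepingComputer or from AxCrypt), here is a small Python detector for the two signals discussed in posts #13 to #15: shadow copies being deleted with vssadmin, and a legitimate encryption tool such as AxCrypt being launched in a burst on a file server. The process-creation log layout, the tool list and the sample lines are constructed assumptions for this example.

```python
import re
from datetime import datetime, timedelta

# Constructed process-creation log lines (not from the poster's server); the
# "ts user= image= cmdline=" layout is an assumption made for this example.
SAMPLE_LOG = r"""
2016-03-26 02:13:07 user=srv\admin image=C:\Program Files\Axantum\AxCrypt\AxCrypt.exe cmdline="AxCrypt.exe D:\data\sales.xlsx"
2016-03-26 02:13:08 user=srv\admin image=C:\Program Files\Axantum\AxCrypt\AxCrypt.exe cmdline="AxCrypt.exe D:\data\hr.docx"
2016-03-26 02:13:09 user=srv\admin image=C:\Program Files\Axantum\AxCrypt\AxCrypt.exe cmdline="AxCrypt.exe D:\data\ledger.mdb"
2016-03-26 02:14:01 user=srv\admin image=C:\Windows\System32\vssadmin.exe cmdline="vssadmin delete shadows /all /quiet"
2016-03-26 09:00:00 user=srv\alice image=C:\Windows\System32\vssadmin.exe cmdline="vssadmin list shadows"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+ \S+) user=(?P<user>\S+) image=(?P<image>.+?) cmdline="(?P<cmd>.*)"$')
# Legitimate encryption tools whose burst use on a file server deserves a look.
ENCRYPTION_TOOLS = {"axcrypt.exe"}
SHADOW_DELETE_RE = re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)


def parse(log_text):
    """Turn matching log lines into dicts; lines in another format are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append({"ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                           "user": m["user"], "image": m["image"], "cmd": m["cmd"]})
    return events


def detect(log_text, burst=3, window=timedelta(minutes=5)):
    """Return (rule, user, detail) alerts in the order the events were seen."""
    alerts, launches = [], {}          # launches: user -> recent tool start times
    for ev in parse(log_text):
        exe = ev["image"].rsplit("\\", 1)[-1].lower()
        if SHADOW_DELETE_RE.search(ev["cmd"]):
            alerts.append(("shadow_copy_deletion", ev["user"], ev["cmd"]))
        if exe in ENCRYPTION_TOOLS:
            recent = [t for t in launches.get(ev["user"], []) if ev["ts"] - t <= window]
            recent.append(ev["ts"])
            launches[ev["user"]] = recent
            if len(recent) == burst:       # fire once when the burst threshold is hit
                alerts.append(("bulk_encryption_tool_use", ev["user"], exe))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Listing shadows with vssadmin (the alice line) does not alert; only deletion does, and the burst rule fires once per user when the threshold is reached inside the window.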



