
Booyah Ransomware Support Topic - CRIPTOSO.KEY, WHATHAPPENDTOYOURFILES.TXT



#1 Demonslay335 (Ransomware Hunter, Security Colleague, USA)

Posted 28 March 2016 - 12:27 PM

A new ransomware has been discovered recently, which comes in an executable called "booyah.exe". The executable seems to install like a program (using Nullsoft Scriptable Install System), and contains a packed DLL which does the actual encryption.

 

Victims will receive a ransom note by the name of "WHATHAPPENDTOYOURFILES.TXT", with the following contents.

Your ID: 758275
* * *
Hi. Your files are now encrypted. I have the key to decrypt them back.
I will give you a decrypter if you pay me. If you pay me today, the price is only 1 bitcoin.
If you pay me tomorrow, you will have to pay 2 bitcoins. If you pay me one week later the price
will be 7 bitcoins and so on. So, hurry up.

From our analysis with the sample of the malware, it appears all victims receive the same ID as above, as it is hard-coded in the malware.

 

Every folder that has been encrypted will contain a "CRIPTOSO.KEY" file. The contents of this file are not understood quite yet. No extension is added to encrypted files.

 

A list of encrypted files will be located in a plaintext file at "%APPDATA%\%ID%", which for each victim would be "%APPDATA%\758275".

 

Further analysis is still pending, but we have an idea how many victims may have been affected. If anyone has been affected by this ransomware, please post in this topic with any details you can about your experience, and a sample of before/after files if you can. Also, the vector of attack would be good to know (email attachment, torrent, download, etc.).

 

ID Ransomware does identify this ransomware by the ransom note and CRIPTOSO.KEY file mentioned above.


Edited by Demonslay335, 28 March 2016 - 12:45 PM.

ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.
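Defender-side triage of the indicators described in the post above, as an added example that is neither the author's tooling nor ID Ransomware's code. It builds a constructed sample tree, locates the ransom note and CRIPTOSO.KEY, extracts the ID from the note, and reads the file list at %APPDATA%\<ID>; the list format (one path per line) and the placeholder CRIPTOSO.KEY bytes are assumptions, since the post says that file is not yet understood.

```python
import os
import re
import tempfile
from pathlib import Path

RANSOM_NOTE = "WHATHAPPENDTOYOURFILES.TXT"  # names taken from the post
KEY_FILE = "CRIPTOSO.KEY"
ID_RE = re.compile(r"^Your ID:\s*(\d+)", re.MULTILINE)

def parse_victim_id(note_text):
    """Return the numeric ID from the ransom note text, or None if absent."""
    m = ID_RE.search(note_text)
    return m.group(1) if m else None

def find_indicators(root):
    """Walk `root`; return folders holding the ransom note and/or CRIPTOSO.KEY."""
    hits = {"note_dirs": [], "key_dirs": []}
    for dirpath, _dirs, files in os.walk(root):
        if RANSOM_NOTE in files:
            hits["note_dirs"].append(dirpath)
        if KEY_FILE in files:
            hits["key_dirs"].append(dirpath)
    return hits

def triage(root, appdata):
    """Collect victim ID, indicator folders and the malware's own file list.
    `appdata` is the victim's %APPDATA%; the list at %APPDATA%\\<ID> is assumed one path per line."""
    hits = find_indicators(root)
    victim_id = None
    if hits["note_dirs"]:
        note = Path(hits["note_dirs"][0], RANSOM_NOTE).read_text(errors="replace")
        victim_id = parse_victim_id(note)
    encrypted = []
    listing = Path(appdata, victim_id) if victim_id else None
    if listing and listing.is_file():
        encrypted = [ln.strip() for ln in listing.read_text(errors="replace").splitlines() if ln.strip()]
    return {"id": victim_id, "encrypted_files": encrypted, **hits}

def build_sample():
    """Constructed sample tree (not a real infection) mirroring the post's IoCs."""
    base = Path(tempfile.mkdtemp())
    docs = base / "Documents"
    docs.mkdir()
    (docs / RANSOM_NOTE).write_text("Your ID: 758275\n* * *\nHi. Your files are now encrypted.\n")
    (docs / KEY_FILE).write_bytes(b"\x00" * 16)  # real contents unknown; placeholder bytes
    (docs / "report.docx").write_bytes(b"constructed ciphertext")
    appdata = base / "AppData" / "Roaming"
    appdata.mkdir(parents=True)
    (appdata / "758275").write_text(f"{docs / 'report.docx'}\n")
    return base, appdata
```

Point `triage()` at a real profile root and its %APPDATA% to get the ID and the malware's own inventory of touched files, which is a faster starting point for recovery scoping than rescanning every file.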



#2 NyNe (Members)

Posted 29 March 2016 - 10:18 AM

Where is the ransom note placed?



#3 Demonslay335 (Ransomware Hunter, Security Colleague, USA, Topic Starter)

Posted 29 March 2016 - 12:21 PM

It appears to be placed in all affected folders I believe. If not, definitely the desktop and/or My Documents.






