
.crypted ransomware attached on server thru RDP


14 replies to this topic

#1 krunalpatel05


  • Members
  • 8 posts
  • OFFLINE
  • Local time:07:39 AM

Posted 29 March 2016 - 09:59 AM

Hello,

Our server was attacked and it encrypted half of the server files. We paid the hacker and he gave us a password, but no one knows how to use this password to decrypt all the files on the server.

Password: 3Wma9xY7oIg7RD9px33a33D8

How can I decrypt all the files?




#2 Demonslay335


    Ransomware Hunter


  • Security Colleague
  • 3,511 posts
  • OFFLINE
  • Gender:Male
  • Location:USA
  • Local time:06:39 AM

Posted 29 March 2016 - 12:21 PM

Can you provide the ransom note file name? We'll need to ID what ransomware it is first. They should have sent you a decrypter with the key, or it might already be on your system.


ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]
RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]
CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.


#3 krunalpatel05

krunalpatel05
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:07:39 AM

Posted 29 March 2016 - 01:06 PM

The file name is "HOW TO DECRYPT FILES". They didn't send any decrypter with the password.

He wrote:

Attention! All your files are encrypted!

To restore your files and access them,
please send 0.5 Bitcoin to adress
1Pbk9bwExuRZ2Jk5eGVqGjdLkiGNJW4Z1j
and email to johnson5520@ausi.com 
then.
 
After receiving the money, I will send you
your password via email.
 
You have 5 attempts to enter the code.
When that number has been exceeded,
all the data irreversibly is destroyed.
Be careful when you enter the code!


#4 Demonslay335

Demonslay335

    Ransomware Hunter


  • Security Colleague
  • 3,511 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:06:39 AM

Posted 29 March 2016 - 01:14 PM

Hmm, not pulling anything up by that email address.

Can you share a sample encrypted PNG file (*.png.crypted)? I'm wondering if you were hit with the Nemucod Ransomware, which has been cracked actually. You can try Fabian's decrypter on some sample files.

If it works, I'm afraid you wasted your money on buying the key. If not, we will need to still identify what ransomware you have.




#5 krunalpatel05

krunalpatel05
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:07:39 AM

Posted 29 March 2016 - 01:26 PM

Hello,

Where can I share a file? I am not able to attach a file to this reply.



#6 krunalpatel05

krunalpatel05
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:07:39 AM

Posted 29 March 2016 - 01:32 PM

> Hmm, not pulling anything up by that email address.
>
> Can you share a sample encrypted PNG file (*.png.crypted)? I'm wondering if you were hit with the Nemucod Ransomware, which has been cracked actually. You can try Fabian's decrypter on some sample files.
>
> If it works, I'm afraid you wasted your money on buying the key. If not, we will need to still identify what ransomware you have.


Hello,

I have uploaded the .png file on the malware submission form.



#7 Demonslay335

Demonslay335

    Ransomware Hunter


  • Security Colleague
  • 3,511 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:06:39 AM

Posted 29 March 2016 - 01:40 PM

That's good to do as well, but I'm unfortunately not privileged to see files there.

You can upload a file to SendSpace and link it here. If you were indeed infected with Nemucod, we'll need a PNG that has a clean copy of it like stated in the article (Public Pictures is a good place if you have any encrypted files there, we can retrieve the clean copies from online).




#8 krunalpatel05

krunalpatel05
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:07:39 AM

Posted 29 March 2016 - 01:48 PM

Hello,

Here are the file links for both the good and the bad file:

Bad: https://www.sendspace.com/file/eg512r

Good: https://www.sendspace.com/file/af82kt



#9 Demonslay335

Demonslay335

    Ransomware Hunter


  • Security Colleague
  • 3,511 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:06:39 AM

Posted 29 March 2016 - 02:09 PM

Hmm, definitely not Nemucod I'm afraid. The first 23 or so bytes are the same, so it isn't encrypting the whole file, and isn't encrypting the very first part of the file. The last 4 bytes are the same too.

Any chance you have a sample of the malware itself? Sometimes they leave it on the system. Could try Recuva to pull it if they deleted it.

I'm still not sure what encrypted the system. It isn't Nemucod, and since it isn't a Mac it can't be KeRanger. I'm left with Crypt0L0cker with the extension, but that doesn't make sense with it being a manual RDP hack, nor the contents of the ransom note.


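The head/tail comparison Demonslay335 describes above (how many leading and trailing bytes the good and bad files share, and how random the region in between looks) can be scripted. This is an added example, not a tool from the thread or from BleepingComputer: the good/bad PNG pair is constructed inline with a placeholder 23-byte head and 4-byte tail, and all function names are my own.

```python
import math
import random
from collections import Counter

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
PNG_IEND = b"IEND"  # constructed 4-byte trailer, not a full IEND chunk

def common_prefix_len(a: bytes, b: bytes) -> int:
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return n

def common_suffix_len(a: bytes, b: bytes) -> int:
    return common_prefix_len(a[::-1], b[::-1])

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for ciphertext, far lower for most plaintext."""
    if not data:
        return 0.0
    total = len(data)
    return -sum(c / total * math.log2(c / total) for c in Counter(data).values())

def compare_clean_and_encrypted(clean: bytes, enc: bytes) -> dict:
    """Find the untouched head and tail and measure the region in between."""
    prefix = common_prefix_len(clean, enc)
    # Keep the suffix from overlapping the prefix on near-identical files.
    suffix = min(common_suffix_len(clean, enc), min(len(clean), len(enc)) - prefix)
    return {
        "size_delta": len(enc) - len(clean),
        "untouched_prefix": prefix,
        "untouched_suffix": suffix,
        "clean_region_entropy": round(shannon_entropy(clean[prefix:len(clean) - suffix]), 2),
        "changed_region_entropy": round(shannon_entropy(enc[prefix:len(enc) - suffix]), 2),
    }

def build_constructed_sample() -> tuple:
    """Constructed good/bad pair: 23-byte head and 4-byte tail kept, body replaced by seeded pseudo-random bytes."""
    head = PNG_SIGNATURE + b"\x00\x00\x00\rIHDR" + b"\x00\x00\x01\x00\x00\x00\x01"
    body = bytes([0x10, 0x20]) * 1000
    clean = head + body + PNG_IEND
    rng = random.Random(2016)
    scrambled = bytearray(rng.getrandbits(8) for _ in range(len(body)))
    # Force the boundary bytes to differ so the untouched lengths are exactly 23 and 4.
    scrambled[0] = body[0] ^ 0x80
    scrambled[-1] = body[-1] ^ 0x80
    enc = head + bytes(scrambled) + PNG_IEND
    return clean, enc
```

Run it on a real pair by reading both files with `open(path, "rb").read()` and passing them to `compare_clean_and_encrypted`; a high entropy in the changed region alongside an unchanged head and tail is what partial encryption looks like.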


#10 krunalpatel05

krunalpatel05
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:07:39 AM

Posted 29 March 2016 - 02:19 PM

We couldn't find any malware on our server; we tried so many different programs, and the hacker deleted the shadow copies of some drives.

I can take a look at the C drive, but how can I find the malware?

We have around 5 TB of data encrypted.



#11 krunalpatel05

krunalpatel05
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:07:39 AM

Posted 29 March 2016 - 03:19 PM

I am not able to find it. Is there any other way?



#12 Demonslay335

Demonslay335

    Ransomware Hunter


  • Security Colleague
  • 3,511 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:06:39 AM

Posted 29 March 2016 - 03:43 PM

Have you scanned with HitmanPro and MalwareBytes?




#13 quietman7


    Bleepin' Janitor


  • Global Moderator
  • 51,476 posts
  • OFFLINE
  • Gender:Male
  • Location:Virginia, USA
  • Local time:07:39 AM

Posted 30 March 2016 - 06:49 AM

Win32/Filecoder.E and Win32/Filecoder.J variants include leaving a HOW_TO_DECRYPT_FILES.TXT ransom note and appending a .crypted extension to the end of the file name.

Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click here.

#14 krunalpatel05

krunalpatel05
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:07:39 AM

Posted 30 March 2016 - 09:04 AM

I found the .exe to put the password in. It's decrypting files, but somehow it encrypted a few more files too.



#15 Demonslay335

Demonslay335

    Ransomware Hunter


  • Security Colleague
  • 3,511 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:06:39 AM

Posted 30 March 2016 - 09:34 AM

I would definitely back up your files as-is before running any tools on them. Can you upload that decrypter to Malwr and provide the link for analysis? We may still need to identify the ransomware itself for information purposes and to help future victims.






