
MireWare (.bleeped - f**k) Ransomware Support and Help Topic - READ_IT.txt


5 replies to this topic

#1 Demonslay335


Posted 29 March 2016 - 12:41 PM

Another HiddenTear-based ransomware by the name of MireWare has been found.
 
Files encrypted will have the explicit extension ".bleeped" (the F word), and a ransom note called "READ_IT.txt" is dropped on the desktop with the following contents.
 
Files have been encrypted
Send me some bitcoins to decrypte your files
Contact tuyuljahat@hotmail.com for more information and deal!
 
The following is a list of extensions targeted by this ransomware.
 
.asp, .aspx, .csv, .doc, .docx, .html, .jpg, .mdb, .odt, .php, .png, .ppt, .pptx, .psd, .sln, .sql, .txt, .xls, .xlsx, .xml

If anyone has been hit by this ransomware, please post here. We may have a chance with decrypting files.

Edited by Demonslay335, 29 March 2016 - 12:49 PM.
Removed extra quote

ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.
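
The indicators listed in the post above (note filename, note text, targeted extensions) can drive a quick filesystem triage. The following is an added example, not part of the original post or of any BleepingComputer tool; the function names, the sample tree and the `encrypted_ext` parameter are assumptions, and `.bleeped` is the censored form shown in the post, so pass the extension actually observed on disk.

```python
import os
from pathlib import Path

NOTE_NAME = "read_it.txt"  # ransom note filename from the post, lower-cased
NOTE_MARKERS = ("Files have been encrypted", "tuyuljahat@hotmail.com")
# Extensions the post lists as targeted.
TARGETED = set(".asp .aspx .csv .doc .docx .html .jpg .mdb .odt .php .png "
               ".ppt .pptx .psd .sln .sql .txt .xls .xlsx .xml".split())


def is_note(path):
    """True when the file carries a phrase from the posted note text."""
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            text = fh.read(4096)  # the note is tiny; cap the read
    except OSError:
        return False
    return any(marker in text for marker in NOTE_MARKERS)


def triage(root, encrypted_ext):
    """Sort files under root into ransom notes, encrypted and still at risk."""
    report = {"notes": [], "encrypted": [], "at_risk": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            ext = os.path.splitext(name)[1].lower()
            if name.lower() == NOTE_NAME and is_note(path):
                report["notes"].append(path)
            elif ext == encrypted_ext.lower():
                report["encrypted"].append(path)
            elif ext in TARGETED:
                report["at_risk"].append(path)  # targeted type, not yet renamed
    return report


def build_sample_tree(root):
    """Write a constructed sample tree (placeholder contents, no real data)."""
    samples = {
        "Desktop/READ_IT.txt": "Files have been encrypted\nSend me some bitcoins\n",
        "Documents/READ_IT.txt": "Install notes for an unrelated program\n",
        "Documents/budget.xlsx.bleeped": "constructed placeholder",
        "Documents/photo.jpg": "constructed placeholder",
        "Documents/tool.exe": "constructed placeholder",
    }
    for rel, body in samples.items():
        path = Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(body, encoding="utf-8")
```

A `READ_IT.txt` that does not contain the note text is not counted as a ransom note, so an unrelated file of the same name lands in the at-risk bucket instead.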



#2 cybercynic


Posted 29 March 2016 - 12:47 PM

 

 (Deleted)


Edited by cybercynic, 29 March 2016 - 01:52 PM.

We are drowning in information - and starving for wisdom.


#3 Grinler


    Lawrence Abrams



Posted 29 March 2016 - 01:40 PM

Note: This ransomware is currently broken due to the lack of a valid certificate on the Command & Control server. As the ransomware attempts to connect to the server via HTTPS, this invalid certificate means it is unable to do so and thus does not appear to encrypt anything.

This could change very quickly and easily, though.

#4 quietman7


Posted 30 March 2016 - 06:29 AM

Looks like a variant of Bitmessage Ransomware which adds a .bleep, .1999, .0x0 or .fu*k extension.
Microsoft MVP Consumer Security 2007-2015
Microsoft MVP Reconnect 2016
Windows Insider MVP 2017
Member of UNITE, Unified Network of Instructors and Trusted Eliminators


#5 Demonslay335


Posted 30 March 2016 - 08:35 AM

I haven't seen a sample of Bitmessage itself, but I just decompiled the decrypter linked in the topic, and it was written differently. This one would have provided a decrypter based on the HiddenTear decrypter, which is in C#. From what I could tell, Bitmessage's was written in C++, I think; I can't decompile it as easily. I think they just played off the same extension.




#6 quietman7


Posted 30 March 2016 - 04:01 PM

Yea, the Bitmessage was the giveaway with that one. Thought I should mention it just in case...now we can make a note this one is using the same .fu*k extension.



