
Need help decrypting 'HOW_TO_DECRYPT_FILES.html'


This topic is locked
8 replies to this topic

#1 rclinard

  • Members
  • 4 posts

Posted 29 March 2016 - 04:39 PM

I have searched through the forums to no avail regarding this particular instance of ransomware. Other than the helper file, I have nothing else to help identify what we have been hit with, with the exception of a few machines where our Symantec detected and quarantined/deleted 'sqldelt.exe', identified as the 'Infostealer.Limitail' trojan. All of our encrypted files have the '.encryptedAES' file extension.

 

Please advise what the next steps would be to try and recover our data, if at all possible.

 

Thank you!

 

 





#2 Demonslay335

    Ransomware Hunter

  • Security Colleague
  • 3,513 posts
  • Gender:Male
  • Location:USA

Posted 29 March 2016 - 04:42 PM

I did see that go through the logs of ID Ransomware, but I don't recognize that extension. Seems to be a bug where it didn't save your files for me to assess either.

 

Any chance you can upload a sample encrypted PNG file, and the ransom note for analysis? You can upload them to SendSpace and post the link here.

 

Also see if you can search your system for any sign of the malware that may have encrypted your data. If this is a new variant, we will need the malware itself to analyse. You can try scanning with HitmanPro and MalwareBytes.


ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.


#3 Demonslay335

    Ransomware Hunter

  • Security Colleague
  • 3,513 posts
  • Gender:Male
  • Location:USA

Posted 29 March 2016 - 04:44 PM

Hang on, I might have found a sample on Reddit.

 

*Edit: never mind, it may not have been the same. Any chance you see a "MIKOPONI.exe" anywhere on your system?


Edited by Demonslay335, 29 March 2016 - 04:46 PM.



#4 rclinard

  • Topic Starter
  • Members
  • 4 posts

Posted 29 March 2016 - 04:55 PM

I'll upload the files shortly - as for mikoponi, I haven't seen it yet, but I found an article online that mentioned that as well, and our 'infection' appears to line up almost 100% with mikoponi...

 

**edit** - here is the upload -- I also sent a new file, as the previous PNG file was just a random file I grabbed and I didn't even pay attention as to where I got it from. I'll run a full search on my box for mikoponi to verify as well...

 

Also, as for running malware scans, we use corporate Malwarebytes here and it hasn't found anything of note (primarily just some cookies, as you would expect on a fairly clean machine).


Edited by rclinard, 29 March 2016 - 05:01 PM.


#5 Demonslay335

    Ransomware Hunter

  • Security Colleague
  • 3,513 posts
  • Gender:Male
  • Location:USA

Posted 29 March 2016 - 06:09 PM

Was the system that was hit a server? Does it have any remote capability such as RDP, TeamViewer, or an exposed JBoss program? Just going over some common vectors of attack for the variant I'm suspecting this may be. Possible they manually attacked the server and deleted any trace of the malware.

 

P.S. I fixed the bug with ID Ransomware and was able to retrieve the files you uploaded; silly default chmod made the files invisible to me, lol.




#6 Demonslay335

    Ransomware Hunter

  • Security Colleague
  • 3,513 posts
  • Gender:Male
  • Location:USA

Posted 29 March 2016 - 06:15 PM

Weird. Did you see the contents of the unreg.bat.encryptedRSA you uploaded? Looks like RSA data, but I think it would need a key to decrypt. I'll play with it, but I'm not sure if it's useful or not at this point.

 

I may have found a sample using a string from that file. Can you search for a "jingakonz.exe" on the system? It was submitted to Malwr today. I'll be decoding it here shortly to see if it matches.


Edited by Demonslay335, 29 March 2016 - 06:15 PM.



#7 Demonslay335

    Ransomware Hunter

  • Security Colleague
  • 3,513 posts
  • Gender:Male
  • Location:USA

Posted 29 March 2016 - 06:24 PM

OK, I confirmed the sample; the ransom note and file extension match yours. The RSA bit I mention above is embedded in encrypted files, and has to be decrypted with their RSA key to get the AES key that encrypts the file. I forgot this variant does that. Definitely a variant of MIKOPONI/Sam. No solution at this time, I'm afraid.

 

They definitely had access to your server. This ransomware is manually run with command line arguments; they pass the public key to it through an XML file. It does delete itself with a batch file afterwards.

 

More details in my analysis in another topic: http://www.bleepingcomputer.com/forums/t/607818/encedrsa-ransomware-support-and-help-topic-help-decrypttxt/#entry3957811


Edited by Demonslay335, 29 March 2016 - 06:44 PM.



#8 rclinard

  • Topic Starter
  • Members
  • 4 posts

Posted 29 March 2016 - 10:25 PM

> Was the system that was hit a server? Does it have any remote capability such as RDP, TeamViewer, or an exposed JBoss program? Just going over some common vectors of attack for the variant I'm suspecting this may be. Possible they manually attacked the server and deleted any trace of the malware.
>
> P.S. I fixed the bug with ID Ransomware and was able to retrieve the files you uploaded; silly default chmod made the files invisible to me, lol.

Our entire environment was hit... over 100 servers and over 100 desktops/laptops. One of our servers does run JBoss on it, and that particular server actually appeared to have been compromised, where someone was logging in using one of our domain admin accounts and they installed TeamViewer and a few other apps. We thought we had that under control a few weeks ago, but then boom, here we are. I checked to see if the user had logged in again, and once again they had, but this time they had created a new local account and ran Hyena to figure out all our machine names, etc. Sadly, all the stuff we did to prevent them from connecting again didn't help, even resetting the passwords, etc. I'm not 100% sure the ransomware came from that particular instance, but having stuff like Hyena installed, and reports left behind of all our machine names, makes me think it probably is related.

 

> Weird. Did you see the contents of the unreg.bat.encryptedRSA you uploaded? Looks like RSA data, but I think it would need a key to decrypt. I'll play with it, but I'm not sure if it's useful or not at this point.
>
> I may have found a sample using a string from that file. Can you search for a "jingakonz.exe" on the system? It was submitted to Malwr today. I'll be decoding it here shortly to see if it matches.

 

I'll check on this jingakonz.exe tomorrow. I never really looked at the encrypted files... but I did forget that on every single machine, under the sys32 folder, there is a publickey file in there with the computer name in the filename. It may help to determine what's going on... or at least help identify this for other forum members going forward.

> OK, I confirmed the sample; the ransom note and file extension match yours. The RSA bit I mention above is embedded in encrypted files, and has to be decrypted with their RSA key to get the AES key that encrypts the file. I forgot this variant does that. Definitely a variant of MIKOPONI/Sam. No solution at this time, I'm afraid.
>
> They definitely had access to your server. This ransomware is manually run with command line arguments; they pass the public key to it through an XML file. It does delete itself with a batch file afterwards.
>
> More details in my analysis in another topic: http://www.bleepingcomputer.com/forums/t/607818/encedrsa-ransomware-support-and-help-topic-help-decrypttxt/#entry3957811

Yeah, I was afraid of that... also, we did notice btc64.exe on some machines, and I think there was a del.bat left behind on some machines.

 

I really appreciate everything you've done thus far. Hopefully we get a fix on this soon... we have a lot of upset employees around here, lol.

 

**EDIT** - I checked your other post and it made me think of this: if by chance the encryption key file was backed up with our AppAssure snapshot software, do you think you could use that file to generate something to decrypt the files? Let me know... I doubt it would have grabbed it, and it would be a needle in a haystack, but I think it would be worth the while to see. Also, do you have any clues where the key would have been stored during this process? I would assume that it would most likely be stored in the same folders that were used for the del.bat, sqldelt.exe, and whatever else...?


Edited by rclinard, 29 March 2016 - 10:31 PM.
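As an added example (not code from this thread, from ID Ransomware, or from any of the tools named in it), a small Python triage script that inventories the indicators the thread mentions across a directory tree: the `.encryptedAES`/`.encryptedRSA`/`.encedRSA` extensions, the `HOW_TO_DECRYPT_FILES.html` note, the dropped file names, and the per-machine public key file rclinard describes. The sample tree is constructed data, and the `publickey_<hostname>` file name is an assumption, since the thread only says the key file carries the computer name.

```python
import os
import re
import tempfile
from collections import Counter
from pathlib import Path

# Indicators as named in this thread (constructed set for the example, not a vetted IoC feed).
ENCRYPTED_EXTS = {".encryptedaes", ".encryptedrsa", ".encedrsa"}
RANSOM_NOTE = "how_to_decrypt_files.html"
ARTIFACT_NAMES = {"sqldelt.exe", "mikoponi.exe", "jingakonz.exe", "btc64.exe", "del.bat"}
# Assumption: the per-machine key file rclinard mentions carries "publickey" plus the
# hostname in its name; the thread does not give the exact naming.
PUBKEY_RE = re.compile(r"publickey", re.IGNORECASE)

def triage(root, hostname):
    """Inventory encrypted files, ransom notes, dropped tooling and key files under root.
    The key file cannot decrypt anything (each file's AES key is wrapped with the
    attacker's RSA public key) but should be preserved as evidence, so it is reported too.
    """
    summary = {"encrypted": Counter(), "notes": [], "artifacts": [], "pubkeys": []}
    host = hostname.lower()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            low, path = name.lower(), os.path.join(dirpath, name)
            ext = os.path.splitext(low)[1]
            if ext in ENCRYPTED_EXTS:
                summary["encrypted"][ext] += 1
            elif low == RANSOM_NOTE:
                summary["notes"].append(path)
            elif low in ARTIFACT_NAMES:
                summary["artifacts"].append(path)
            elif PUBKEY_RE.search(low) and host in low:
                summary["pubkeys"].append(path)
    return summary

def build_sample_tree():
    """Constructed layout mimicking one hit host named SRV01 (sample data only)."""
    root = tempfile.mkdtemp(prefix="triage_")
    for rel in ("share/docs/report.docx.encryptedAES", "share/docs/HOW_TO_DECRYPT_FILES.html",
                "share/scripts/unreg.bat.encryptedRSA", "share/docs/untouched.txt",
                "Windows/System32/publickey_SRV01.xml", "Windows/Temp/del.bat"):
        p = Path(root, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"sample")
    return root

if __name__ == "__main__":
    print(triage(build_sample_tree(), "SRV01"))
```

Run it against a mounted image or share root with the host's real name to scope how many files were hit and to locate the key file and dropped batch files before any cleanup removes them.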


#9 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 51,490 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 30 March 2016 - 06:16 AM

.encedRSA Ransomware is an evolution of the .encryptedRSA Ransomware (based on the Samas Ransomware), which first appeared around December 2015. Rather than have everyone start individual topics, it would be best (and more manageable for staff) if you posted any more questions, comments or requests for assistance in the support topic discussion. Doing that will also ensure you receive proper assistance from our crypto malware experts, since they may not see this thread. To avoid unnecessary confusion... this topic is closed.

Thanks
The BC Staff
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click here.
