Cryptohasyou (.ENC) Ransomware Help & Support Topic - YOUR_FILES_ARE_LOCKED.txt


13 replies to this topic

#1 Grinler (Lawrence Abrams, Admin)

Posted 31 March 2016 - 05:11 PM

A new ransomware has been spotted called the .Cryptohasyou Ransomware that encrypts your data using AES + RSA encryption and then has a starting ransom amount of $300 USD. When installed it will encrypt any files that do not have one of the following extensions:
 
enc, exe, lnk, dll, lib, dat, ini, sys, shs, gadget, idx, scr, etl, cdf-ms, lock, manifest, key, evtx, blf, cdfs, sfcache, man, mui, ocx, bat, cat, pdb, sif, sfc, mdmp, dmp, drv, cpl, nls, vtd, gpd, grp, evt, conf, dev, msc, osc, my, mark, msi, mci, msn, folder, rgu, bin, cmd, com, inf, ins, inx, isu, job, jse, msp, mst, paf, pif, reg, sct, shb, shs, vbs, vbscript, vbe, wsf
All encrypted files will have the .enc extension appended to them.

When it has finished, it will change your Desktop wallpaper to the following:

[Image: wallpaper.png]

It will then create ransom notes with the name YOUR_FILES_ARE_LOCKED.txt that contain instructions to send a special code to the malware developer at locked@vistomail.com. They will then reply with payment instructions.

[Image: your_files_are_locked-redacted.png]

The Cryptohasyou ransomware will execute the following commands to delete shadow volume copies and disable startup repair:

vssadmin delete shadows /all /quiet
bcdedit /set {default} recoveryenabled no
bcdedit /set {default} bootstatuspolicy ignoreallfailures

Finally, the ransomware will use Internet Explorer to open a page on pastebin, which I feel is being used as a counter of the number of infected users.

http://pastebin.com/tMbVEf15

At this time there is no way to decrypt files encrypted by Cryptohasyou for free.
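The behaviour described in the post above, turned into triage code. This is an added example, not part of the original post and not code from the malware or from any BleepingComputer tool. It does two things: applies the extension skip list from the post to decide which files the encryptor would touch, and runs a small detection pass over process-creation events that flags the vssadmin/bcdedit commands, the Internet Explorer visit to pastebin.com and the ransom note filename. The `key=value|key=value` event layout, the user names and the paths are constructed for the example and do not follow any particular product's log schema.

```python
"""Triage helpers modelled on the .enc ransomware behaviour described in post #1.
All events below are constructed samples, not real telemetry."""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Extensions the post lists as skipped by the encryptor: already-encrypted files,
# executables and system files, so the machine still boots and the note can be read.
SKIPPED_EXTENSIONS = frozenset("""
enc exe lnk dll lib dat ini sys shs gadget idx scr etl cdf-ms lock manifest key evtx blf
cdfs sfcache man mui ocx bat cat pdb sif sfc mdmp dmp drv cpl nls vtd gpd grp evt conf
dev msc osc my mark msi mci msn folder rgu bin cmd com inf ins inx isu job jse msp mst
paf pif reg sct shb vbs vbscript vbe wsf
""".split())


def would_be_encrypted(path: str) -> bool:
    """True if a file with this name is a target: everything whose last extension
    is not on the skip list. A file with no extension at all is a target too."""
    name = PureWindowsPath(path).name
    if "." not in name:
        return True
    return name.rsplit(".", 1)[1].lower() not in SKIPPED_EXTENSIONS


# Detection rules for the commands and artefacts named in the post. Matching is
# case-insensitive (cmd.exe is), and ".exe" is optional so both a direct launch and
# a "cmd /c ..." wrapper are caught.
TAMPER_RULES = [
    ("vssadmin_delete_shadows",
     re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I)),
    ("bcdedit_disable_recovery",
     re.compile(r"\bbcdedit(?:\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no\b", re.I)),
    ("bcdedit_ignore_boot_failures",
     re.compile(r"\bbcdedit(?:\.exe)?\s+/set\s+\{default\}\s+bootstatuspolicy\s+ignoreallfailures\b", re.I)),
    ("iexplore_pastebin_beacon",
     re.compile(r"\biexplore(?:\.exe)?\b.*\bpastebin\.com/", re.I)),
    ("ransom_note_opened",
     re.compile(r"YOUR_FILES_ARE_LOCKED\.txt", re.I)),
]

# Constructed process-creation events (hypothetical key=value|key=value layout).
SAMPLE_EVENTS = [
    r"User=CORP\alice|Image=C:\Windows\System32\cmd.exe|CommandLine=cmd /c vssadmin delete shadows /all /quiet",
    r"User=CORP\alice|Image=C:\Windows\System32\bcdedit.exe|CommandLine=bcdedit /set {default} recoveryenabled no",
    r"User=CORP\alice|Image=C:\Windows\System32\bcdedit.exe|CommandLine=bcdedit /set {default} bootstatuspolicy ignoreallfailures",
    r"User=CORP\alice|Image=C:\Program Files\Internet Explorer\iexplore.exe|CommandLine=iexplore.exe http://pastebin.com/tMbVEf15",
    r"User=CORP\backup|Image=C:\Windows\System32\vssadmin.exe|CommandLine=vssadmin list shadows",
    r"User=CORP\bob|Image=C:\Windows\System32\notepad.exe|CommandLine=notepad.exe \\fileserver\share\YOUR_FILES_ARE_LOCKED.txt",
]


def parse_event(line: str) -> dict:
    """Split 'k=v|k=v' into a dict; values may themselves contain '=' (URLs)."""
    return dict(field.split("=", 1) for field in line.split("|"))


def scan_process_events(lines):
    """Return a list of (user, rule_name, command_line) for every rule each event trips."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        cmd = ev.get("CommandLine", "")
        for rule_name, pattern in TAMPER_RULES:
            if pattern.search(cmd):
                hits.append((ev.get("User", "?"), rule_name, cmd))
    return hits


def suspects(hits, min_rules: int = 2):
    """Users who tripped at least `min_rules` distinct rules. A benign
    'vssadmin list shadows', or a user who merely opened a note they found on a
    share, stays below the threshold; the infected host's account runs the
    destructive commands itself and trips several rules."""
    per_user = defaultdict(set)
    for user, rule_name, _ in hits:
        per_user[user].add(rule_name)
    return sorted(u for u, rules in per_user.items() if len(rules) >= min_rules)


if __name__ == "__main__":
    hits = scan_process_events(SAMPLE_EVENTS)
    for user, rule_name, cmd in hits:
        print(f"{user:12} {rule_name:30} {cmd}")
    print("suspects:", suspects(hits))
```

In the constructed sample, CORP\alice trips four rules and is the only suspect; CORP\bob only opened a ransom note that was already on a share, which is what a victim of someone else's infection looks like in the logs, and CORP\backup's `vssadmin list shadows` is not matched at all.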


#2 Allen (Members)

Posted 31 March 2016 - 06:29 PM

Another day; another ransomware. *sigh*


Hey everyone, I'm Allen. I am a young web developer/designer/programmer. I also help people with computer issues, including hardware problems, malware/virus infections and software conflicts. I am a kind and easy-to-get-along-with person, so if you need help feel free to ask.

#3 subeman (Members)

Posted 04 April 2016 - 05:12 PM

One of our users' personal computers was ransomed by this group. They were responsive via email right up until we paid the $300 ransom with Bitcoin. It's been over a week and still no decryption key. Don't pay--you won't get your data back.


Edited by subeman, 04 April 2016 - 05:13 PM.


#4 Gatsu81 (Members)

Posted 09 August 2016 - 04:13 PM

Hi, thanks for the incredible amount of help you're offering. I've got a simple question.

I've got this couple (maybe more) of PCs infected, possibly by this ransomware (ID Ransomware points to this or to TrueCrypter).

We noticed before it completed the encrypting (so we still didn't get a ransom note),

but every time the PC got started the encryption resumed: how can we stop the encryption going on?

Microsoft Safety Scanner in safe mode didn't find anything.

I know the files are lost at the moment, I just want to stop it from spreading since it jumped from one PC to the other on the network.

Thanks in advance



#5 Demonslay335 (Ransomware Hunter, Security Colleague)

Posted 09 August 2016 - 04:20 PM

> Hi, thanks for the incredible amount of help you're offering. I've got a simple question.
>
> I've got this couple (maybe more) of PCs infected, possibly by this ransomware (ID Ransomware points to this or to TrueCrypter).
>
> We noticed before it completed the encrypting (so we still didn't get a ransom note),
>
> but every time the PC got started the encryption resumed: how can we stop the encryption going on?
>
> Microsoft Safety Scanner in safe mode didn't find anything.
>
> I know the files are lost at the moment, I just want to stop it from spreading since it jumped from one PC to the other on the network.
>
> Thanks in advance

Does it continue encrypting in safe mode? There should be a startup entry for it if it only starts up in normal mode. You can run scans with Malwarebytes and FRST to look for it. Definitely back up all data while you can.

Usually there is only one PC actually infected with any ransomware, and it will just try to encrypt anything over the network that is an open share. If it truly wormed onto other systems, that would be a new (very interesting) development. I have only heard of such a thing from one old variant that embedded the malware into the encrypted files (another user would infect themselves by trying to open their "document" on the network share drive), or a manual hack such as SamSam, where a hacker actually has control of the system and moves laterally across the network via exploits and pushing malware via GPO.

Since you have not received a ransom note yet to 100% identify, it may be best to acquire the ransomware executable before deleting it, since both CryptoHasYou and TrueCrypter are a bit old and I haven't heard of many cases of either. If you can safely quarantine it, you may submit it here for analysis: http://www.bleepingcomputer.com/submit-malware.php?channel=168


ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]
RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]
CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]
If I have helped you and you wish to support my ransomware fighting, you may support me here.


#6 Gatsu81 (Members)

Posted 09 August 2016 - 04:34 PM

Thanks for the quick answer.

I can isolate and send to you the file attached to the email that started all of this if you want.

It's a zip file that I suspect contains a .js (I've read about this kind of scam recently) that actually downloads the file.

Would that be good?

It all started on a PC where the mail was opened.

When the users noticed the files getting their extension changed to .enc, even the server (where the mail was not opened) started getting its share of .enc.

Then the server was taken off the network so the original file could not continue to encrypt, but the .enc files kept increasing.



#7 Demonslay335 (Ransomware Hunter, Security Colleague)

Posted 09 August 2016 - 04:37 PM

You may submit malicious files to the link I provided.

If the initial system that was infected is disconnected from the network, and files are still getting encrypted, you need to hunt down the source. The owner of the encrypted files will typically tell you what account was hit. The server itself was probably not infected, it is the fact that the user who was infected has access to the server's files over the network. The files on the server may be salvageable using ShadowExplorer, as the ransomware cannot delete Shadow Copies on another machine over the network.


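An added example (not part of the post, and not code from ID Ransomware, CryptoSearch or ShadowExplorer) for the two checks the reply above describes: grouping the .enc files and ransom notes on the server by NTFS owner to find the account whose workstation did the encrypting, and checking whether the server's own shadow copies were taken before the first encrypted write, since a workstation cannot delete them over the network. The share inventory and the `vssadmin list shadows` text below are constructed, with a US date format assumed; in practice the inventory comes from walking the share and reading each file's owner, and the vssadmin text from running the command on the server itself.

```python
"""Added triage example for an .enc outbreak reaching a file server over a share.
The inventory and the vssadmin output are constructed samples."""
import re
from datetime import datetime

# Constructed share inventory: (UNC path, NTFS owner, last-write time in ISO 8601).
SHARE_LISTING = [
    (r"\\fileserver\finance\2016\budget.xlsx.enc", r"CORP\alice", "2016-08-09T14:02:11"),
    (r"\\fileserver\finance\2016\YOUR_FILES_ARE_LOCKED.txt", r"CORP\alice", "2016-08-09T14:02:12"),
    (r"\\fileserver\finance\2016\forecast.docx.enc", r"CORP\alice", "2016-08-09T14:02:40"),
    (r"\\fileserver\hr\policies.pdf.enc", r"CORP\alice", "2016-08-09T14:05:03"),
    (r"\\fileserver\hr\handbook.docx", r"CORP\bob", "2016-08-08T09:15:00"),
    (r"\\fileserver\it\inventory.xlsx", r"CORP\svc-backup", "2016-08-09T01:00:00"),
]

# Constructed `vssadmin list shadows` output as run on the server (US locale dates).
VSSADMIN_OUTPUT = r"""vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
(C) Copyright 2001-2013 Microsoft Corp.

Contents of shadow copy set ID: {3d1a0a36-0000-0000-0000-000000000001}
   Contained 1 shadow copies at creation time: 8/8/2016 7:00:02 PM
      Shadow Copy ID: {9b2c1e44-0000-0000-0000-000000000001}
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy7
         Originating Machine: fileserver.corp.local
         Type: ClientAccessible
Contents of shadow copy set ID: {3d1a0a36-0000-0000-0000-000000000002}
   Contained 1 shadow copies at creation time: 8/9/2016 7:00:01 PM
      Shadow Copy ID: {9b2c1e44-0000-0000-0000-000000000002}
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy8
         Originating Machine: fileserver.corp.local
         Type: ClientAccessible
"""


def writers_of_encrypted_files(listing, marker=".enc", note="YOUR_FILES_ARE_LOCKED.txt"):
    """Group encrypted files and ransom notes by NTFS owner. Returns
    {owner: {"count": n, "first": earliest write, "last": latest write}}.
    The owner behind the bulk of the writes is the account whose workstation
    did the encrypting; that host, not the server, is where the sample lives."""
    stats = {}
    for path, owner, when in listing:
        name = path.rsplit("\\", 1)[-1]
        if not (name.lower().endswith(marker) or name == note):
            continue
        t = datetime.fromisoformat(when)
        s = stats.setdefault(owner, {"count": 0, "first": t, "last": t})
        s["count"] += 1
        s["first"] = min(s["first"], t)
        s["last"] = max(s["last"], t)
    return stats


SHADOW_SET_RE = re.compile(r"Contained (\d+) shadow copies at creation time: (.+)")
SHADOW_VOL_RE = re.compile(r"Shadow Copy Volume: (\S+)")


def parse_shadow_copies(text):
    """Return [(created, device_path)] from `vssadmin list shadows` output.
    The creation time line precedes the volume line(s) of each set."""
    copies, created = [], None
    for line in text.splitlines():
        m = SHADOW_SET_RE.search(line)
        if m:
            created = datetime.strptime(m.group(2).strip(), "%m/%d/%Y %I:%M:%S %p")
            continue
        m = SHADOW_VOL_RE.search(line)
        if m and created is not None:
            copies.append((created, m.group(1)))
    return copies


def usable_restore_points(copies, first_encrypted_write):
    """Shadow copies taken before the first .enc write still hold clean files;
    a snapshot taken afterwards has captured the encrypted versions instead."""
    return [c for c in copies if c[0] < first_encrypted_write]


def triage(listing, vss_text):
    """Name the account to chase, when it started, and which snapshots are clean."""
    stats = writers_of_encrypted_files(listing)
    if not stats:
        return None, None, []
    prime = max(stats, key=lambda o: stats[o]["count"])
    clean = usable_restore_points(parse_shadow_copies(vss_text), stats[prime]["first"])
    return prime, stats[prime]["first"], clean


if __name__ == "__main__":
    account, started, clean = triage(SHARE_LISTING, VSSADMIN_OUTPUT)
    print(f"encrypting account: {account}, first write {started}")
    for created, device in clean:
        print(f"clean shadow copy from {created}: {device}")
```

On the constructed data the only writer of .enc files is CORP\alice, so her workstation is the host to pull off the network and image. The 8/8 snapshot predates her first write and is the one to mount with ShadowExplorer; the 8/9 evening snapshot was taken after the encryption and would only hand back .enc files.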


#8 Gatsu81 (Members)

Posted 09 August 2016 - 04:45 PM

The server was physically unplugged from the network from what they said.

Since then it kept getting its files locked, so I supposed it must have had its own process running the encryption.

I'm trying to get a hold of the files to send.

Thanks again for the support.



#9 Gatsu81 (Members)

Posted 09 August 2016 - 05:46 PM

Update: I managed to get the users to search.

Apparently they got overexcited before: you were right, the encryption on the server stopped right when it was disconnected from the network.

I just uploaded the file "ENEL_BOLLETA.zip" that started the whole thing.

The user swears that she opened only the mail from the webmail and NOT the attachment, but I'm a bit dubious frankly.

Thanks again.



#10 Gatsu81 (Members)

Posted 11 August 2016 - 02:09 PM

I hope the file was helpful. I am hoping to be able to work on the infected laptop on Saturday. If I am able to get the .exe I'll send it like the .zip.

Thanks again.



#11 djp090 (Members)

Posted 16 August 2016 - 05:58 AM

Hello.
My wife's PC is infected and files are encrypted adding the .enc extension.
Could I attach here one of the encrypted files?

#12 Demonslay335 (Ransomware Hunter, Security Colleague)

Posted 16 August 2016 - 09:25 AM

> Hello.
> My wife's PC is infected and files are encrypted adding the .enc extension.
> Could I attach here one of the encrypted files?

Depending on the ransom note, you more likely were hit by TorrentLocker / Crypt0L0cker, which is more widespread. If this is the case, Dr. Web may be able to help.

You may upload a ransom note and encrypted file to the website in my signature for identification. There are a few ransomwares that use the ".enc" extension now, so it can only positively identify if you upload an accompanying ransom note.




#13 djp090 (Members)

Posted 16 August 2016 - 10:49 AM

 

> Hello.
> My wife's PC is infected and files are encrypted adding the .enc extension.
> Could I attach here one of the encrypted files?

> Depending on the ransom note, you more likely were hit by TorrentLocker / Crypt0L0cker, which is more widespread. If this is the case, Dr. Web may be able to help.
>
> You may upload a ransom note and encrypted file to the website in my signature for identification. There are a few ransomwares that use the ".enc" extension now, so it can only positively identify if you upload an accompanying ransom note.

These are the encrypted file and 2 notes.

The notes are in Spanish!!!

I'm from Spain; perhaps the virus detects it and translates the note.

https://www.sendspace.com/filegroup/Zmyb6m6qYf3HqPFrpQJvc9pTDNDeyMc9



#14 Demonslay335 (Ransomware Hunter, Security Colleague)

Posted 16 August 2016 - 11:07 AM

If the notes are in Spanish, it most likely is definitely Crypt0L0cker, which has campaigns going around the world. ID Ransomware picks up on the multi-lingual ransom note filenames.

Please refer to the news article and support topic.

 






