What do ransomware documents look like?


4 replies to this topic

#1 umeca74

umeca74

  • Members
  • 2 posts
  • OFFLINE
  • Local time:07:22 AM

Posted 04 April 2016 - 02:05 AM

Hello, I am doing research on ransomware, and I would like to get my hands on some encrypted files for closer examination. There's plenty of information available on the generic ideas, but I would like to find out details like:

 

* are files renamed or kept in their original location?

* how do plain TXT and DOC files look after encryption? What about JPG images?

 

If there is a page with such information available please let me know.

 

thanks

nikos




#2 Nikhil_CV

Nikhil_CV

    Vestibulum Bleep


  • Members
  • 1,145 posts
  • OFFLINE
  • Gender:Male
  • Location:err: Destination unreachable! bash!
  • Local time:11:52 AM

Posted 04 April 2016 - 04:20 AM

Hi and :welcome: to the BC community, Nikos :)

I'll try to answer to some extent:

 

 

* are files kept in their original location?

Yes, that is right. Almost all ransomware encrypts the files and places them in the same location where the original files were residing.

But there is ransomware in the wild that renames files to unique IDs, while the usual behaviour is to encrypt and change the file extension, or just encrypt while keeping the file name and extension intact.

 

 

* how do plain TXT and DOC files look after encryption? What about JPG images?

After encryption, opening any file with its respective program (for example, Notepad for a TXT file) throws an error saying either that the file is corrupted or that it is not recognized. This is how it appears from the normal user's point of view.

In the case of an analyst or researcher, special tools can be used to analyze the files to see what modifications were made, compare them with intact non-encrypted files, etc.

 

I am sure others will chime in to give more ideas about this. :)


Edited by Nikhil_CV, 04 April 2016 - 04:22 AM.

Regards : CV
There is no ONE TOUCH key to security!
Be alert and vigilant....!
Always have a Backup Plan!!! Because human idiotism doesn't have a cure! Stop highlighting!
Questions are to be asked, it helps you, me and others. Knowledge is power, only when it's shared with others. :radioactive: signature contents © cv and Someone....... :wink:
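The analyst's view CV describes above (compare what a file's name claims with what its bytes actually contain) can be automated. The script below is an added example written for this page, not a tool from BleepingComputer or from any poster. It checks a file's leading bytes against the magic number its extension implies (JPEG, PNG, legacy OLE .doc, ZIP-based .docx), judges .txt files by their printable-byte ratio, and reports Shannon entropy so that a renamed file with an unfamiliar extension over random-looking content stands out. The thresholds (95% printable, 7.5 bits/byte) are assumptions to tune against real samples, and the "encrypted" files in the demo are seeded pseudo-random bytes constructed to stand in for ciphertext.

```python
import math
import os
import random
import tempfile
from collections import Counter

# Magic bytes of the types the thread asks about (plus PNG). Legacy .doc is an
# OLE2 compound document; .docx is a ZIP container. TXT has no header and is
# judged by how much of it is printable instead.
MAGIC = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".doc": (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",),
    ".docx": (b"PK\x03\x04",),
}
HIGH_ENTROPY = 7.5   # assumed threshold, bits/byte; ciphertext sits near 8.0, plain text near 4-5

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0 for empty or constant data, ~8 for uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def printable_ratio(data: bytes) -> float:
    """Share of bytes that are printable ASCII or tab/newline/carriage return."""
    if not data:
        return 1.0
    return sum(32 <= b < 127 or b in (9, 10, 13) for b in data) / len(data)

def classify(path: str, sample_size: int = 4096) -> dict:
    """Compare what a file's extension claims with what its leading bytes look like."""
    with open(path, "rb") as fh:
        head = fh.read(sample_size)
    ext = os.path.splitext(path)[1].lower()
    entropy = shannon_entropy(head)
    verdict = {"path": path, "ext": ext, "entropy": round(entropy, 2),
               "suspicious": False, "reason": "looks consistent"}
    if ext in MAGIC:
        # Name kept, content replaced: the header no longer matches the extension.
        if not any(head.startswith(m) for m in MAGIC[ext]):
            verdict.update(suspicious=True, reason="header does not match extension")
    elif ext == ".txt":
        ratio = printable_ratio(head)
        if ratio < 0.95:
            verdict.update(suspicious=True, reason=f"only {ratio:.0%} printable bytes")
    elif entropy > HIGH_ENTROPY:
        # Unknown extension (e.g. one appended by the malware) over random-looking bytes.
        verdict.update(suspicious=True, reason="unknown extension, high entropy")
    return verdict

def scan_tree(root: str) -> dict:
    """Classify every regular file under root; returns {relative path: verdict}."""
    results = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            results[os.path.relpath(full, root)] = classify(full)
    return results

def demo() -> dict:
    """Build a constructed sample tree and return {name: suspicious?}.
    The 'encrypted' files are seeded pseudo-random bytes standing in for
    ciphertext; nothing here is real ransomware output."""
    rng = random.Random(1234)
    noise = bytes(rng.getrandbits(8) for _ in range(4096))
    samples = {
        "notes.txt": b"Quarterly notes\nLorem ipsum dolor sit amet.\n" * 40,
        "photo.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + noise[:2000],
        "notes_encrypted.txt": noise,   # name and extension kept, content replaced
        "letter.doc": noise,            # .doc name over bytes with no OLE header
        "photo.jpg.locked": noise,      # extension appended by the malware
    }
    with tempfile.TemporaryDirectory() as root:
        for name, data in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        return {name: v["suspicious"] for name, v in scan_tree(root).items()}

if __name__ == "__main__":
    for name, flagged in demo().items():
        print(f"{'SUSPICIOUS' if flagged else 'ok        '} {name}")
```

Entropy alone is a weak signal for already-compressed formats such as JPEG (they sit near 7.5 bits/byte when healthy), which is why the header check carries the decision for known types and entropy is only consulted for extensions the scanner does not know.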

#3 umeca74

umeca74
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  • Local time:07:22 AM

Posted 04 April 2016 - 05:05 AM

Thanks for the information. From what you are saying these "programs" encrypt and rename or delete the original files. This kind of behaviour could be easily spotted using a filesystem monitor. Do you know of any (preferably free) tool that checks this behaviour?
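The filesystem-monitor idea in the post above, as an added example that is not code from any poster and not one of the tools named later in the thread: a small Python detector fed with a stream of filesystem events of the kind a monitor such as Process Monitor reports (timestamp, PID, operation, path). It treats three behaviours described in this thread as hits, a rename that changes the extension, an in-place overwrite of a file the process did not create, and the creation of a same-stem twin followed by deletion of the original, and alerts once a single process has hit a threshold of distinct files inside a sliding window. The window (10 s), threshold (5 files), event format and the sample event stream are all constructed assumptions.

```python
import os
from collections import defaultdict, deque
from dataclasses import dataclass

WINDOW_SECONDS = 10.0   # assumed: look-back window for one process's burst
THRESHOLD = 5           # assumed: distinct user files altered before alerting

@dataclass
class Event:
    """One filesystem operation as a monitor would report it (assumed shape)."""
    ts: float            # seconds since monitoring started
    pid: int             # process that issued the operation
    op: str              # "create", "write", "rename" or "delete"
    path: str
    new_path: str = ""   # only used for "rename"

def stem(path: str) -> str:
    """Base name up to the first dot, so report.docx and report.docx.locked share a stem."""
    return os.path.basename(path).split(".", 1)[0].lower()

def ext(path: str) -> str:
    return os.path.splitext(path)[1].lower()

class RansomBehaviourDetector:
    """Flags a process that, within the window, touches many distinct user files in
    the ways the thread describes: renaming them to a new extension, overwriting
    them in place, or creating a differently named twin and deleting the original."""

    def __init__(self, window: float = WINDOW_SECONDS, threshold: int = THRESHOLD):
        self.window = window
        self.threshold = threshold
        self.creates = defaultdict(deque)   # pid -> deque of (ts, path) it created
        self.hits = defaultdict(deque)      # pid -> deque of (ts, original path)
        self.alerted = set()
        self.alerts = []                    # (ts, pid, distinct files), once per pid

    def _expire(self, dq: deque, now: float) -> None:
        while dq and now - dq[0][0] > self.window:
            dq.popleft()

    def feed(self, ev: Event) -> None:
        creates, hits = self.creates[ev.pid], self.hits[ev.pid]
        self._expire(creates, ev.ts)
        self._expire(hits, ev.ts)
        created_here = {p for _, p in creates}

        if ev.op == "create":
            creates.append((ev.ts, ev.path))
        elif ev.op == "write" and ev.path not in created_here:
            # In-place overwrite of a file this process did not create in the window.
            hits.append((ev.ts, ev.path))
        elif ev.op == "rename" and ext(ev.path) != ext(ev.new_path):
            # e.g. report.docx -> report.docx.locked
            hits.append((ev.ts, ev.path))
        elif ev.op == "delete":
            # Original removed after a same-stem, differently named twin appeared beside it.
            folder = os.path.dirname(ev.path)
            if any(os.path.dirname(p) == folder and stem(p) == stem(ev.path) and p != ev.path
                   for p in created_here):
                hits.append((ev.ts, ev.path))

        distinct = {p for _, p in hits}
        if len(distinct) >= self.threshold and ev.pid not in self.alerted:
            self.alerted.add(ev.pid)
            self.alerts.append((ev.ts, ev.pid, len(distinct)))

def constructed_events() -> list:
    """Constructed sample stream: a backup job writing into its own folder, one
    editor save, and a process showing the encrypt-twin-then-delete pattern."""
    events, t = [], 0.0
    for i in range(12):
        t += 0.1
        events.append(Event(t, 1000, "create", f"D:/backup/doc{i}.docx"))
        events.append(Event(t + 0.05, 1000, "write", f"D:/backup/doc{i}.docx"))
    events.append(Event(t + 1, 2000, "write", "C:/Users/nikos/notes.txt"))
    for i in range(6):
        t += 0.2
        events.append(Event(t, 4242, "create", f"C:/Users/nikos/Documents/report{i}.docx.locked"))
        events.append(Event(t + 0.05, 4242, "write", f"C:/Users/nikos/Documents/report{i}.docx.locked"))
        events.append(Event(t + 0.10, 4242, "delete", f"C:/Users/nikos/Documents/report{i}.docx"))
    return sorted(events, key=lambda e: e.ts)

def run_demo() -> list:
    det = RansomBehaviourDetector()
    for ev in constructed_events():
        det.feed(ev)
    return det.alerts

if __name__ == "__main__":
    for ts, pid, n in run_demo():
        print(f"t={ts:.2f}s pid={pid}: {n} distinct files altered within {WINDOW_SECONDS}s")
```

The per-process bookkeeping is what keeps a backup job or a bulk file copy from tripping the detector: those processes write to files they created themselves, which the write rule ignores, whereas the suspicious process deletes originals that it never created.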



#4 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,399 posts
  • OFFLINE
  • Gender:Male
  • Location:Virginia, USA
  • Local time:02:22 AM

Posted 04 April 2016 - 06:24 AM

Ransom notes are typically found in every directory where data was encrypted and use a randomly named .html, .txt, .png, .bmp, .url file. These are some examples of ransom note names:
HELP_DECRYPT.TXT, DECRYPT_INSTRUCTION.TXT, HELP_TO_DECRYPT_YOUR_FILES.txt, HELP_YOUR_FILES.TXT
HELP_FILE_[random number/letter].HTML, install_tor.url, ATTENTION.RTF, !!!-WARNING-!!!.html
Read.txt, ReadMe.txt, README1.txt...README10.txt, READ_IF_YOU_WANT_YOUR_FILES.html, Read_it.txt
README_FOR_DECRYPT.txt, READ!!!!!!!!!!!.ME.txt, README!!.TXT, README_IMPORTANT.TXT, READ_IT.txt
IMPORTANT READ ME.txt, File Decrypt Help.html, ReadDecryptFilesHere.txt, _Locky_recover_instructions.txt
YOUR_FILES.HTML, YOUR_FILES.url, encryptor_raas_readme_liesmich.txt, Help_Decrypt.txt, CRIPTOSO.KEY,
HELP_RESTORE_FILES.txt, HELP_RECOVER_FILES.txt, HELP_TO_SAVE_FILES.txt, ABOUT_FILES!.txt
DECRYPT_INSTRUCTIONS.TXT, How_To_Recover_Files.txt, How_To_Restore_Files.txt, Coin.Locker.txt
HOW_TO_DECRYPT_FILES.TXT, HOW TO DECRYPT FILES.TXT, RECOVERY_KEY.TXT, DECRYPT MY FILES#..txt
_secret_code.txt, DECRYPT_ReadMe.TXT, BLEEPEDFILES.TXT, AllFilesAreLocked_.bmp, WHAT IS SQ_.tx
FILESAREGONE.TXT, IAMREADYTOPAY.TXT, HELLOTHERE.TXT, READTHISNOW!!!.TXT, IHAVEYOURSECRET.KEY
SECRET.KEY, SECRETIDHERE.KEY, HELP_DECYPRT_YOUR_FILES.HTML, README_DECRYPT_UMBRE_ID_[victim_id].txt
help_decrypt_your_files.html, RECOVERY_FILES.TXT, RECOVERY_FILE.TXT, RECOVERY_FILE_[random].txt
Howto_RESTORE_FILES_.txt, Howto_Restore_FILES.TXT, howto_recover_file_.txt, HELP_TO_SAVE_FILES.txt
how_recover+[random].txt, _how_recover_.txt, restore_files_.txt, recover_file_[random].txt
recover_files_[random].txt, recovery_file_[random].txt, help_recover_instructions+[3-random].txt
_H_e_l_p_RECOVER_INSTRUCTIONS+[3-random].txt, help recover files.txt, Recovery+[5-random].txt
_ReCoVeRy_+[5-random].txt, _recovery_+cryptolocker, Recovery_[5-random].txt, RECOVERY.TXT 
RECOVER+[random].TXT, RECOVER[5-random].TXT, _rEcOvEr_[5-random].txt, +REcovER+[5-random]+.txt
+-HELP-RECOVER-+[5-random]-+.txt, RECOVER[random].TXT, HELP_DECRYPT_YOUR_FILES.TXT, DECRYPT.TXT
README_HOW_TO_UNLOCK.txt, encryped_list.txt, DECRYPTION_HOWTO.Notepad, Encrypted_Files.Notepad
_DECRYPT_INFO_[random].html, WHATHAPPENDTOYOURFILES.TXT, DecryptAllFiles_.txt, DecryptAllFiles.txt
README_FOR_UNLOCK.txt, HELP_YOUR_FILES.HTML, HELP_YOUR_FILES.TXT, YOUR_FILES_ARE_LOCKED.txt

Note: The [random] represents random characters which some ransom note names may include.
A repository listing of all Bleeping Computer crypto malware information and ransomware topics can be found in this index. Most of the FAQs and news articles will have information and screenshots of various ransom notes.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
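The ransom-note names quietman7 lists above are a practical triage artefact: a note dropped into every encrypted directory shows up as the same name repeated across many folders. The following Python snippet is an added example (not from any poster or from BleepingComputer) that turns a subset of those names, kept verbatim, into anchored case-insensitive regexes and groups matches by directory. How the post's placeholders are expanded is an assumption: [N-random] becomes exactly N alphanumerics, and any other bracketed token ([random], [random number/letter], [victim_id]) becomes one or more characters from the set A-Z, a-z, 0-9, underscore and hyphen. The file listing it scans is constructed and not from any real incident.

```python
import posixpath
import re

# A subset of the ransom-note names from the post above, copied verbatim.
# Bracketed tokens are the post's placeholders for variable parts.
NOTE_NAMES = [
    "HELP_DECRYPT.TXT", "DECRYPT_INSTRUCTION.TXT", "HELP_YOUR_FILES.TXT",
    "HELP_FILE_[random number/letter].HTML", "!!!-WARNING-!!!.html",
    "ReadMe.txt", "README_FOR_DECRYPT.txt", "_Locky_recover_instructions.txt",
    "RECOVERY_FILE_[random].txt", "how_recover+[random].txt",
    "help_recover_instructions+[3-random].txt", "Recovery+[5-random].txt",
    "_ReCoVeRy_+[5-random].txt", "+-HELP-RECOVER-+[5-random]-+.txt",
    "README_DECRYPT_UMBRE_ID_[victim_id].txt", "_DECRYPT_INFO_[random].html",
]

TOKEN = re.compile(r"\[([^\]]+)\]")

def name_to_regex(name: str) -> re.Pattern:
    """Turn a listed name into an anchored, case-insensitive regex.
    [N-random] becomes exactly N alphanumerics; any other bracketed token
    becomes one or more of [A-Za-z0-9_-] (an assumed reading of the post's
    placeholders). Everything outside brackets is matched literally."""
    out, pos = [], 0
    for m in TOKEN.finditer(name):
        out.append(re.escape(name[pos:m.start()]))
        fixed = re.match(r"(\d+)-random$", m.group(1).lower())
        out.append(rf"[A-Za-z0-9]{{{fixed.group(1)}}}" if fixed else r"[A-Za-z0-9_-]+")
        pos = m.end()
    out.append(re.escape(name[pos:]))
    return re.compile("^" + "".join(out) + "$", re.IGNORECASE)

PATTERNS = [(n, name_to_regex(n)) for n in NOTE_NAMES]

def match_note(filename: str):
    """Return the listed name a filename matches, or None."""
    for name, rx in PATTERNS:
        if rx.match(filename):
            return name
    return None

def find_ransom_notes(paths) -> dict:
    """Group matches by directory: {dir: [(filename, matched listed name), ...]}.
    A note repeated across many directories is the signal to look for."""
    hits = {}
    for p in paths:
        folder, fname = posixpath.split(p)
        name = match_note(fname)
        if name:
            hits.setdefault(folder, []).append((fname, name))
    return hits

# Constructed file listing (not from any real incident) for a quick run.
SAMPLE_LISTING = [
    "C:/Users/nikos/Documents/HELP_DECRYPT.TXT",
    "C:/Users/nikos/Documents/budget.xlsx.locked",
    "C:/Users/nikos/Pictures/_ReCoVeRy_+a1B2c.txt",
    "C:/Users/nikos/Pictures/holiday.jpg",
    "C:/Users/nikos/Music/Recovery+ab1.txt",              # 3 chars where [5-random] wants 5: no match
    "C:/Users/nikos/Music/README_DECRYPT_UMBRE_ID_7f3a-9b.txt",
    "C:/Program Files/SomeTool/readme.txt",              # legitimate file that collides with ReadMe.txt
]

if __name__ == "__main__":
    for folder, notes in find_ransom_notes(SAMPLE_LISTING).items():
        print(folder)
        for fname, listed in notes:
            print(f"    {fname}  (matches listed name {listed})")
```

Generic entries such as ReadMe.txt will also match ordinary software documentation, as the last sample path shows, so name matching is a pointer for where to look rather than a verdict; the directory grouping and the count of distinct folders carrying the same note are what separate a real incident from a stray readme.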

#5 xXToffeeXx

xXToffeeXx

    Bleepin' Polar Bear


  • Malware Response Instructor
  • 6,070 posts
  • OFFLINE
  • Gender:Female
  • Location:The Arctic Circle
  • Local time:07:22 AM

Posted 05 April 2016 - 04:37 AM

Thanks for the information. From what you are saying these "programs" encrypt and rename or delete the original files. This kind of behaviour could be easily spotted using a filesystem monitor. Do you know of any (preferably free) tool that checks this behaviour?

There are a couple of Anti-Ransomware tools out there:
BitDefender AntiRansomware
WinAntiRansom (not free)
Malwarebytes Anti-Ransomware Beta

HitmanPro.Alert (not just for blocking ransomware)
 
The effectiveness of these tools has not been tested on a wide enough range of samples, so it is hard to judge how effective each of them is. I believe BitDefender only covers certain types. I know that Emsisoft Anti-malware also has a behaviour blocker which is effective at blocking ransomware, however it is an antivirus and not free.

 

xXToffeeXx~


Edited by xXToffeeXx, 05 April 2016 - 04:51 AM.

~If I am helping you and you have not had a reply from me in two days, please send me a PM~

 

ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic] - If we have helped you out and you want to support what we do, you can do so here

 

 ~Twitter~ | ~Malware Analyst at Emsisoft~




