
JobCrypter Support Topic (.locked) - Readme.txt, Comment débloquer mes fichiers


10 replies to this topic

#1 Demonslay335 (Ransomware Hunter, Security Colleague)
Posted 04 April 2016 - 08:43 PM

Another ransomware has been seen in the last month affecting mostly French victims it seems. This ransomware goes by the name of JobCrypter, and has been reported by @nyxbone on his website.

 

 


 

 

Files are encrypted with Triple-DES, and have the extension ".locked" appended. The original file is then deleted.

 

A ransom note called "Readme.txt" is added to the user's startup folder, and a ransom note called "Comment débloquer mes fichiers .txt" (translated to "How to unlock my files.txt") is added to the user's desktop.

 

The 20-character randomly generated password is sent via email to "brangiersimonalain@gmail.com".

 

If anyone has been affected by this ransomware, please post here. Due to a few weaknesses with this ransomware's encryption routine, a decrypter is definitely possible for this variant with a few methods, but I would just need a bit of time to develop it, if it is needed.

 

ID Ransomware will currently identify this ransomware by extension and ransom note.

 

More detailed analysis can be read at @nyxbone's website (in Spanish): http://www.nyxbone.com/malware/jobcrypter.html


ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.


#2 3J Kernel (Member)

Posted 12 April 2016 - 04:24 PM

Hello Demonslay335:

Here we have a case. Please DM me with the files you need.

Kind regards



#3 Demonslay335 (Ransomware Hunter, Topic Starter)

Posted 28 May 2016 - 01:38 PM

A new variant of this has been spotted that uses the extension ".css", and is still under analysis. If anyone has been hit by this new variant, please post here.




#4 dimo70 (Member)

Posted 09 July 2016 - 09:26 AM

Hi Demonslay335,

On your site ID Ransomware I uploaded some files and the answer was:

2 Results

JobCrypter
This ransomware may be decryptable under certain circumstances.
Please refer to the appropriate guide for more information.
Identified by
  • ransomnote_filename: README.txt
Click here for more information about JobCrypter

Bucbi
This ransomware is still under analysis.
Please refer to the appropriate topic for more information. Samples of encrypted files and suspicious files may be needed for continued investigation.

I have two cases of this variant JobCrypter.

I am uploading the files and the ransom message now and will wait for help.

https://www.sendspace.com/filegroup/ThxBCNu2JYxd3d7tOa%2Bi3NyzCx5cxn4YEEYFlrbOdOo


Edited by dimo70, 09 July 2016 - 09:34 AM.

Sofia, Bulgaria

WWW: http://eastcomputerservise.com/

 


#5 Demonslay335 (Ransomware Hunter, Topic Starter)

Posted 09 July 2016 - 09:58 AM

> Hi Demonslay335,
>
> On your site ID Ransomware I uploaded some files and the answer was:
>
> 2 Results
>
> JobCrypter
> This ransomware may be decryptable under certain circumstances.
> Please refer to the appropriate guide for more information.
> Identified by
>   • ransomnote_filename: README.txt
> Click here for more information about JobCrypter
>
> Bucbi
> This ransomware is still under analysis.
> Please refer to the appropriate topic for more information. Samples of encrypted files and suspicious files may be needed for continued investigation.
>
> I have two cases of this variant JobCrypter.
>
> I am uploading the files and the ransom message now and will wait for help.
>
> https://www.sendspace.com/filegroup/ThxBCNu2JYxd3d7tOa%2Bi3NyzCx5cxn4YEEYFlrbOdOo

 

I'm afraid you were actually hit with the latest CryptXXX - they are really throwing off detection with their generic "README" note format and no extension.

 

There is no way to decrypt the files unfortunately. You can see more information in the support topic and news article.


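The identification problem in posts #1 and #5, as an added example that is not ID Ransomware's code: a small rule engine that matches a directory listing against the indicators this thread names (JobCrypter's ".locked" and later ".css" extension with its two ransom-note filenames, and Bucbi as the other family ID Ransomware matched on README.txt in post #4) and refuses to name a family on a note filename that several families share. The rule table, the scoring and the sample listings are assumptions made for illustration.

```python
"""Rule-based ransomware identification from file extension and ransom-note
filename, in the spirit of what ID Ransomware does with the indicators this
thread reports.  Added example: not ID Ransomware's code.  Listings in
__main__ are constructed."""
import unicodedata
from dataclasses import dataclass
from pathlib import PureWindowsPath


def _norm(name: str) -> str:
    # Filenames arrive NFC or NFD and in any case; the French note name has an
    # accented character, so normalise both form and case before comparing.
    return unicodedata.normalize("NFC", name).casefold()


@dataclass(frozen=True)
class Rule:
    family: str
    extensions: frozenset   # extensions appended to encrypted files (empty: none)
    notes: frozenset        # ransom-note filenames, normalised


# Only what the thread states.  JobCrypter appends ".locked" (post #1) or
# ".css" (post #3) and drops "Readme.txt" in the Startup folder plus
# "Comment débloquer mes fichiers .txt" on the desktop; Bucbi was the other
# family ID Ransomware matched on README.txt in post #4.
RULES = (
    Rule("JobCrypter", frozenset({".locked", ".css"}),
         frozenset({_norm("Readme.txt"),
                    _norm("Comment débloquer mes fichiers .txt")})),
    Rule("Bucbi", frozenset(), frozenset({_norm("README.txt")})),
)


def _generic_notes(rules):
    """Note names shared by more than one family identify none of them."""
    seen = {}
    for rule in rules:
        for note in rule.notes:
            seen[note] = seen.get(note, 0) + 1
    return {note for note, count in seen.items() if count > 1}


_GENERIC_NOTES = _generic_notes(RULES)


@dataclass(frozen=True)
class Match:
    family: str
    strong: bool        # backed by an extension or a family-unique note name
    indicators: tuple


def identify(paths):
    """Every family whose indicators appear in the listing, strong or weak."""
    names = [PureWindowsPath(p).name for p in paths]
    exts = {_norm(PureWindowsPath(n).suffix) for n in names}
    notes = {_norm(n) for n in names}
    matches = []
    for rule in RULES:
        ext_hits = exts & rule.extensions
        note_hits = notes & rule.notes
        if not ext_hits and not note_hits:
            continue
        strong = bool(ext_hits) or bool(note_hits - _GENERIC_NOTES)
        matches.append(Match(rule.family, strong,
                             tuple(sorted(ext_hits | note_hits))))
    return matches


def verdict(paths):
    """Collapse matches into one answer.  A generic note alone never names a
    family; that is how the README.txt case in post #4 went wrong."""
    matches = identify(paths)
    strong = [m.family for m in matches if m.strong]
    if len(strong) == 1:
        return strong[0]
    if strong:
        return "conflict: " + ", ".join(strong)
    if matches:
        return "ambiguous: " + ", ".join(m.family for m in matches)
    return "unknown"


if __name__ == "__main__":
    # Constructed listings: a JobCrypter desktop, then the post #4 situation.
    jobcrypter = [r"C:\Users\u\Desktop\facture.pdf.locked",
                  r"C:\Users\u\Desktop\Comment débloquer mes fichiers .txt"]
    readme_only = [r"C:\Users\u\Documents\report.docx",
                   r"C:\Users\u\Documents\README.txt"]
    print(verdict(jobcrypter))    # JobCrypter
    print(verdict(readme_only))   # ambiguous: JobCrypter, Bucbi
```

An "ambiguous" or "conflict" verdict means "upload the note and an encrypted sample", not "run the JobCrypter decrypter". Extension hits can mislead the other way: a web developer's folder full of real stylesheets scores as the ".css" variant, which is why the extension is only trusted together with the note in practice.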


#6 dimo70 (Member)

Posted 09 July 2016 - 01:54 PM

Thank you Demonslay335. I suspect the virus is something new like that and there will be no decryptors soon. I will check these links for decryptors periodically.




#7 Letouane (Member)

Posted 08 February 2017 - 08:38 PM

A client of my firm has been hit by this ransomware, the .css version.
I have already submitted the file on BleepingComputer (through https://www.bleepingcomputer.com/submit-malware.php?channel=168).

As in the previous version, the files are readable with Notepad and explain the case...

--> The reg key "Code" stored in HKCU/Software is still present in the registry. Does it help in the decrypt process?


Edited by Letouane, 08 February 2017 - 08:43 PM.


#8 Letouane (Member)

Posted 08 February 2017 - 09:54 PM

Got all the files back thanks to Shadow Explorer!



#9 quietman7 (Bleepin' Janitor, Global Moderator)

Posted 09 February 2017 - 07:42 AM

> Got all the files back thanks to Shadow Explorer!

Most crypto malware will typically delete (though not always) all shadow copy snapshots (created if System Restore was enabled) with vssadmin.exe so that you cannot restore your files from before they had been encrypted using native Windows Previous Versions or a program like Shadow Explorer. But it never hurts to try in case the malware did not do what it was supposed to do... it is not uncommon for these infections to sometimes fail to properly delete Shadow Volume Copies.
Microsoft MVP Consumer Security 2007-2015
Microsoft MVP Reconnect 2016
Windows Insider MVP 2017
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click here.
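One way to check what quietman7 describes, as an added example rather than anything posted in the thread: parse the output of `vssadmin list shadows`, keep the snapshots of the affected volume that were taken before the encryption started, and build the `mklink /d` command that exposes one as a folder (Shadow Explorer reads the same device objects through the VSS API, which is why it can work when Previous Versions does not). The sample output is constructed in the layout vssadmin prints, abridged to the lines the parser uses; GUIDs, host name, times and the infection time are assumptions.

```python
"""Triage of surviving Volume Shadow Copies from `vssadmin list shadows`
output.  Added example, not from the thread.  SAMPLE_OUTPUT is constructed
(abridged: the per-copy Machine/Provider/Type lines are omitted)."""
import re
from dataclasses import dataclass
from datetime import datetime

SAMPLE_OUTPUT = r"""
vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
(C) Copyright 2001-2013 Microsoft Corp.

Contents of shadow copy set ID: {1a1a1a1a-0000-4000-8000-000000000001}
   Contained 1 shadow copies at creation time: 2/6/2017 9:00:12 AM
      Shadow Copy ID: {aaaaaaaa-0000-4000-8000-000000000001}
         Original Volume: (C:)\\?\Volume{11111111-0000-0000-0000-000000000000}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
         Attributes: Persistent, Client-accessible, No auto release, Differential, Auto recovered

Contents of shadow copy set ID: {2b2b2b2b-0000-4000-8000-000000000002}
   Contained 2 shadow copies at creation time: 2/8/2017 12:30:05 PM
      Shadow Copy ID: {aaaaaaaa-0000-4000-8000-000000000002}
         Original Volume: (C:)\\?\Volume{11111111-0000-0000-0000-000000000000}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2
         Attributes: Persistent, Client-accessible, No auto release, Differential, Auto recovered
      Shadow Copy ID: {aaaaaaaa-0000-4000-8000-000000000003}
         Original Volume: (D:)\\?\Volume{22222222-0000-0000-0000-000000000000}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3
         Attributes: Persistent, Client-accessible, No auto release, Differential, Auto recovered

Contents of shadow copy set ID: {3c3c3c3c-0000-4000-8000-000000000003}
   Contained 1 shadow copies at creation time: 2/8/2017 8:45:10 PM
      Shadow Copy ID: {aaaaaaaa-0000-4000-8000-000000000004}
         Original Volume: (C:)\\?\Volume{11111111-0000-0000-0000-000000000000}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy4
         Attributes: Persistent, Client-accessible, No auto release, Differential, Auto recovered
"""


@dataclass(frozen=True)
class Shadow:
    shadow_id: str
    volume: str        # drive letter of the original volume, e.g. "C:"
    device: str        # \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN
    created: datetime


def parse_vssadmin(text):
    """One Shadow per 'Shadow Copy ID' block.  A set holding N copies prints
    one creation time, so it is carried until the next set header."""
    shadows, created, sid, vol = [], None, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"Contained \d+ shadow copies at creation time: (.+)", line):
            # vssadmin prints the time in the system locale; this is en-US.
            created = datetime.strptime(m.group(1).strip(), "%m/%d/%Y %I:%M:%S %p")
        elif m := re.match(r"Shadow Copy ID: (\{[0-9a-fA-F-]+\})", line):
            sid = m.group(1)
        elif m := re.match(r"Original Volume: \(([A-Za-z]:)\)", line):
            vol = m.group(1).upper()
        elif m := re.match(r"Shadow Copy Volume: (\S+)", line):
            if created and sid and vol:
                shadows.append(Shadow(sid, vol, m.group(1), created))
            sid = vol = None
    return shadows


def usable_before(shadows, volume, infected_at):
    """Newest snapshot of `volume` taken before encryption began.  One taken
    afterwards (ShadowCopy4 in the sample) already holds the .locked files."""
    candidates = [s for s in shadows
                  if s.volume == volume.upper() and s.created < infected_at]
    return max(candidates, key=lambda s: s.created) if candidates else None


def expose_command(shadow, mount_point=r"C:\shadow"):
    """Command (elevated prompt) that maps the snapshot to a folder.  The
    trailing backslash on the device path is required or the link is empty."""
    return f'mklink /d "{mount_point}" "{shadow.device}\\"'


if __name__ == "__main__":
    found = parse_vssadmin(SAMPLE_OUTPUT)
    print(f"{len(found)} shadow copies survived")
    best = usable_before(found, "C:", datetime(2017, 2, 8, 19, 30))
    print(expose_command(best) if best else "no pre-infection snapshot of C:")
```

Run `vssadmin list shadows` from an elevated prompt on the infected machine, feed the saved output to `parse_vssadmin`, and copy the `mklink` command it produces; the resulting folder is read-only, so copy the files out rather than working in it. An empty list means the deletion succeeded and the remaining option is file-carving data recovery, as post #11 suggests.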

#10 Letouane (Member)

Posted 09 February 2017 - 01:27 PM

Yes Quietman! Usually when a customer brings me a ransomware-infected PC, both native Windows Previous Versions (WPV) and Shadow Explorer fail.
This time, the native WPV failed but Shadow Explorer worked.

As both usually fail, I don't usually try it, but why I tried it this time I don't know... different day, different approach...

 

As far as I can understand, the virus deleted the list of previous versions kept by Windows but not the real files...

 

NB: All the Windows installations that I prepare for my customers programmatically have a custom-made System Restore scheduled task.

VBS script to execute with privileges.

  ' Customizing VSS and System Restore
  ' Objects the snippet relies on (declared here so it runs stand-alone);
  ' it assumes the task XML below has already been saved to %TEMP%\Custom-SR.xml.
  Set fso = CreateObject("Scripting.FileSystemObject")
  Set sh  = CreateObject("WScript.Shell")
  strComputer = "."                                   ' local machine
  TempDirectory = sh.ExpandEnvironmentStrings("%TEMP%")

  ' Register the exported SystemRestore task XML under a custom name.
  ' The path is quoted so a TEMP directory containing spaces still works.
  myXMLFile = fso.BuildPath(TempDirectory, "Custom-SR.xml")
  myTaskToCreate = "schtasks.exe /Create /XML """ & myXMLFile & """ /tn Custom-SR"
  sh.Run myTaskToCreate, 1, True

  ' Adding D: to SR and setting the % to use (I always use D:\ as the data volume).
  ' SystemRestore.Enable takes the drive as "letter:\".
  Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\default")
  Set objItem = objWMIService.Get("SystemRestore")
  errResults = objItem.Enable("D:\")
  Set objConfig = objWMIService.Get("SystemRestoreConfig='SR'")
  objConfig.DiskPercent = 15
  objConfig.Put_

  ' Once again (in case) setting the % with another method
  ' (can be upgraded with a FOR loop, but there are only two items...)
  vsscmdDriveC = "vssadmin Resize ShadowStorage /For=C: /On=C: /Maxsize=15%"
  vsscmdDriveD = "vssadmin Resize ShadowStorage /For=D: /On=D: /Maxsize=15%"
  sh.Run vsscmdDriveC, 1, True
  sh.Run vsscmdDriveD, 1, True

The XML file exported from the original SystemRestore scheduled task:
 

<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.3" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <Source>Microsoft Corporation</Source>
    <Date>2016-05-04T09:51:55.8440899</Date>
    <Author>Microsoft Corporation</Author>
    <Description>This task creates regular system protection points.</Description>
    <URI>Microsoft\Windows\SystemRestore\SR</URI>
  </RegistrationInfo>
  <Triggers>
    <CalendarTrigger id="SRCalendarTrigger">
      <StartBoundary>2005-06-14T09:00:00</StartBoundary>
      <ExecutionTimeLimit>PT2H</ExecutionTimeLimit>
      <Enabled>true</Enabled>
      <ScheduleByDay>
        <DaysInterval>1</DaysInterval>
      </ScheduleByDay>
    </CalendarTrigger>
    <CalendarTrigger>
      <StartBoundary>2016-05-04T12:30:00</StartBoundary>
      <ExecutionTimeLimit>PT4H</ExecutionTimeLimit>
      <Enabled>true</Enabled>
      <ScheduleByDay>
        <DaysInterval>1</DaysInterval>
      </ScheduleByDay>
    </CalendarTrigger>
    <CalendarTrigger>
      <StartBoundary>2016-05-04T17:00:00</StartBoundary>
      <ExecutionTimeLimit>PT12H</ExecutionTimeLimit>
      <Enabled>true</Enabled>
      <ScheduleByDay>
        <DaysInterval>1</DaysInterval>
      </ScheduleByDay>
    </CalendarTrigger>
  </Triggers>
  <Principals>
    <Principal id="LocalSystem">
      <UserId>S-1-5-18</UserId>
      <RunLevel>LeastPrivilege</RunLevel>
    </Principal>
  </Principals>
  <Settings>
    <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>
    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>
    <AllowHardTerminate>true</AllowHardTerminate>
    <StartWhenAvailable>true</StartWhenAvailable>
    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>
    <IdleSettings>
      <StopOnIdleEnd>false</StopOnIdleEnd>
      <RestartOnIdle>false</RestartOnIdle>
    </IdleSettings>
    <AllowStartOnDemand>true</AllowStartOnDemand>
    <Enabled>true</Enabled>
    <Hidden>false</Hidden>
    <RunOnlyIfIdle>false</RunOnlyIfIdle>
    <DisallowStartOnRemoteAppSession>false</DisallowStartOnRemoteAppSession>
    <UseUnifiedSchedulingEngine>true</UseUnifiedSchedulingEngine>
    <WakeToRun>false</WakeToRun>
    <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>
    <Priority>7</Priority>
  </Settings>
  <Actions Context="LocalSystem">
    <Exec>
      <Command>%windir%\system32\rundll32.exe</Command>
      <Arguments>/d srrstr.dll,ExecuteScheduledSPPCreation</Arguments>
    </Exec>
  </Actions>
</Task>

Edited by Letouane, 09 February 2017 - 01:40 PM.
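Since the maintenance script above runs vssadmin itself, a detection rule on the bare process name would fire on every restore-point job. Added example, not from the thread: classify process-creation events by what the vssadmin or wmic command line actually does, with a shadow deletion or an absolute shadow-storage shrink (which makes VSS discard older snapshots without ever saying "delete") as high severity, and the percentage resize from the task above as informational when it comes from the expected host. The log lines, their field layout, the SYSTEM/wscript.exe expectation and the 401MB figure are constructed for illustration.

```python
"""Flag shadow-copy tampering in process-creation telemetry.  Added example,
not from the thread.  SAMPLE_LOG is constructed: one event per line as
timestamp|user|parent_image|command_line, standing in for the fields of
Security event 4688 or Sysmon event 1."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    ts: str
    user: str
    parent: str
    cmdline: str


@dataclass(frozen=True)
class Alert:
    severity: str    # "high", "medium" or "info"
    reason: str
    event: Event


SAMPLE_LOG = r"""
2017-02-08T19:42:01|DESKTOP\alice|C:\Users\alice\AppData\Local\Temp\facture.exe|vssadmin.exe Delete Shadows /All /Quiet
2017-02-08T19:42:02|DESKTOP\alice|C:\Users\alice\AppData\Local\Temp\facture.exe|wmic shadowcopy delete
2017-02-08T19:42:03|DESKTOP\alice|C:\Users\alice\AppData\Local\Temp\facture.exe|vssadmin resize shadowstorage /for=C: /on=C: /maxsize=401MB
2017-02-08T12:30:00|NT AUTHORITY\SYSTEM|C:\Windows\System32\wscript.exe|vssadmin Resize ShadowStorage /For=C: /On=C: /Maxsize=15%
2017-02-08T12:30:01|NT AUTHORITY\SYSTEM|C:\Windows\System32\svchost.exe|C:\Windows\system32\rundll32.exe /d srrstr.dll,ExecuteScheduledSPPCreation
"""

# Assumption: the restore-point maintenance job runs as SYSTEM from a script host.
EXPECTED_USER = "nt authority\\system"
EXPECTED_PARENTS = {"wscript.exe", "cscript.exe"}


def parse_log(text):
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, user, parent, cmd = line.split("|", 3)
            events.append(Event(ts, user, parent, cmd))
    return events


def classify(ev):
    """Return an Alert for a shadow-copy tampering command line, else None."""
    cmd = re.sub(r"\s+", " ", ev.cmdline).strip().lower()
    if re.search(r"\bvssadmin(\.exe)?\b.*\bdelete shadows\b", cmd):
        return Alert("high", "vssadmin delete shadows", ev)
    if re.search(r"\bwmic(\.exe)?\b.*\bshadowcopy delete\b", cmd):
        return Alert("high", "wmic shadowcopy delete", ev)
    m = re.search(r"\bvssadmin(\.exe)?\b.*\bresize shadowstorage\b.*/maxsize=(\S+)", cmd)
    if m:
        size = m.group(2)
        if not size.endswith("%"):
            # An absolute limit below what the snapshots already occupy makes
            # VSS discard the oldest ones: deletion without the word "delete".
            return Alert("high", f"shadow storage shrunk to {size}", ev)
        parent_name = ev.parent.rsplit("\\", 1)[-1].lower()
        if ev.user.lower() == EXPECTED_USER and parent_name in EXPECTED_PARENTS:
            return Alert("info", "percentage resize from the maintenance task", ev)
        return Alert("medium", f"shadow storage resized to {size} outside maintenance", ev)
    return None


def scan(text):
    """All alerts for a log, in log order."""
    return [a for a in map(classify, parse_log(text)) if a is not None]


if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(f"{a.severity:6} {a.event.ts} {a.event.user}: {a.reason}")
```

The allowlist is deliberately narrow (user and parent image, not just the command text), because the ransomware in this thread ran from the user's context; a percentage resize launched by an unexpected parent still gets a medium alert for a human to look at.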


#11 quietman7 (Bleepin' Janitor, Global Moderator)

Posted 09 February 2017 - 01:32 PM

Good thing you tried both ways then. I always recommend trying multiple solutions, including data recovery tools, which sometimes work too.



