
Brazillian (.lock) Ransomware Help & Support Topic - MENSAGEM.txt


7 replies to this topic

#1 Demonslay335

    Ransomware Hunter

  • Security Colleague
  • 3,243 posts
  • Gender:Male
  • Location:USA

Posted 06 April 2016 - 11:02 AM

A smaller ransomware was spotted targeting Brazilian victims in recent months. Based on HiddenTear Offline, this ransomware is most likely administered manually, possibly via a fake Adobe Flash Player update. Thanks to @JAMESWT_MHT and @nyxbone for samples and for pointing this one out.
 
All files will be encrypted with AES-256, and the extension ".lock" added. The ransom note "MENSAGEM.txt" will be saved to the desktop, with the following contents.
 
TODOS OS SEUS ARQUIVOS FORAM BLOQUEADOS !
PARA DESBLOQUEAR SUAS INFORMAÇÕES, ACESSE O LINK: http://is.gd/comunicado1

ou http://is.gd/comunicado2

ou http://is.gd/comunicado3
Translated by Google Translate:
ALL YOUR FILES WERE LOCKED!
TO UNLOCK YOUR INFORMATION, VISIT THE LINK: http://is.gd/comunicado1

or http://is.gd/comunicado2

or http://is.gd/comunicado3 
The links simply go to Pastebin pages with instructions for purchasing Bitcoin and contacting the author. At this time, the Bitcoin wallet thankfully shows no transactions by victims.
 
The victim's background will be changed to the following image on Imgur.
 
C8GwYiOl.jpg
 
 
The following file types are targeted.
.asp, .aspx, .csv, .doc, .docx, .html, .jpg, .mdb, .odt, .php, .png, .ppt, .pptx, .psd, .sln, .sql, .txt, .xls, .xlsx, .xml
At this time, it is possible to decrypt files encrypted by this ransomware. It may be that the key is still left on the system in "C:\Users\Username\win.txt", or in "text.txt" if found in the same directory as the malicious executable.
 
Otherwise, if you have been affected by this ransomware, you may try my HiddenTear Bruteforcer to obtain your key, and the HiddenTear Decrypter to then decrypt files. Feel free to post here for assistance if needed with running these tools.

Edited by Grinler, 28 July 2016 - 10:00 AM.

logo-25.pngID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

ransomnotecleaner-25.png RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

cryptosearch-25.pngCryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.



#2 realist88

  • Members
  • 2 posts

Posted 13 May 2016 - 06:46 AM

Hi, I have been affected by this ransomware. Please update the links for hidden-tear-bruteforcer.exe and hidden-tear-decrypter.exe.



#3 Demonslay335

    Ransomware Hunter

  • Topic Starter
  • Security Colleague
  • 3,243 posts

Posted 13 May 2016 - 08:10 AM

Were you able to find one of the text files mentioned?

 

Here are updated links to the tools (my personal Dropbox got rather popular :P).

 

HiddenTear BruteForcer

HiddenTear Decrypter

 

Let me know how it goes. You'll need to run the bruteforcer on a small PNG file, preferably under 1KB. I haven't revisited the proof-of-concept algorithm in a while.


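The first post names the artifacts that identify this variant (the MENSAGEM.txt note on the desktop, the ".lock" extension, and the win.txt / text.txt locations where the key may have been left behind), and post #3 says the bruteforcer should be fed a PNG under 1KB. The triage helper below is an added example, not Demonslay335's tooling: it collects exactly those artifacts from a user profile so a responder can decide in one pass whether the thread's recovery path applies. The directory tree it scans in demo() is constructed inline, and the "Temp" directory standing in for where the executable ran is an assumed location.

```python
"""Triage helper for the HiddenTear-based ".lock" ransomware in this thread.

Added example, not the thread author's tooling.  It checks the artifacts the
posts above name: the ransom note MENSAGEM.txt with its known first line, the
key-file locations "win.txt" in the user profile and "text.txt" next to the
malicious executable, and (to feed the bruteforcer) the smallest encrypted
PNG under 1 KB.  demo() builds a constructed victim profile in a temp dir.
"""
from __future__ import annotations

import tempfile
from pathlib import Path

NOTE_NAME = "MENSAGEM.txt"
# First line of the note as quoted in the first post.
NOTE_MARKER = "TODOS OS SEUS ARQUIVOS FORAM BLOQUEADOS"
LOCK_SUFFIX = ".lock"
PNG_SIZE_LIMIT = 1024  # post #3: bruteforce on a PNG "preferably under 1KB"


def note_matches(text: str) -> bool:
    """True if the note text carries this variant's opening line."""
    return NOTE_MARKER in text


def find_note(desktop: Path) -> Path | None:
    """The note is saved to the desktop; return it only if its content matches."""
    candidate = desktop / NOTE_NAME
    if candidate.is_file():
        text = candidate.read_text(encoding="utf-8", errors="replace")
        if note_matches(text):
            return candidate
    return None


def find_key_files(user_profile: Path, exe_dir: Path | None) -> list[Path]:
    """Key-file locations named in the first post (win.txt in the profile,
    text.txt beside the executable); returns those that actually exist."""
    places = [user_profile / "win.txt"]
    if exe_dir is not None:
        places.append(exe_dir / "text.txt")
    return [p for p in places if p.is_file()]


def smallest_encrypted_png(root: Path, limit: int = PNG_SIZE_LIMIT) -> Path | None:
    """Smallest '<name>.png.lock' below `limit` bytes: the bruteforcer input."""
    best: tuple[int, Path] | None = None
    for p in root.rglob("*.png" + LOCK_SUFFIX):
        size = p.stat().st_size
        if size < limit and (best is None or size < best[0]):
            best = (size, p)
    return best[1] if best else None


def triage(user_profile: Path, exe_dir: Path | None = None) -> dict:
    """One pass over a profile: note, key files, bruteforce candidate, counts."""
    return {
        "note": find_note(user_profile / "Desktop"),
        "key_files": find_key_files(user_profile, exe_dir),
        "png_for_bruteforce": smallest_encrypted_png(user_profile),
        "lock_file_count": sum(1 for _ in user_profile.rglob("*" + LOCK_SUFFIX)),
    }


def demo() -> dict:
    """Constructed sample: a fake profile with note, key file and .lock files.
    The temp directory is left in place so the returned paths stay valid."""
    base = Path(tempfile.mkdtemp(prefix="lock-triage-"))
    profile = base / "Users" / "Username"
    (profile / "Desktop").mkdir(parents=True)
    (profile / "Desktop" / NOTE_NAME).write_text(NOTE_MARKER + " !\n", encoding="utf-8")
    docs = profile / "Documents"
    docs.mkdir()
    (docs / "report.docx.lock").write_bytes(b"\x00" * 4096)  # constructed ciphertext
    (docs / "icon.png.lock").write_bytes(b"\x00" * 300)      # small: good candidate
    (docs / "photo.png.lock").write_bytes(b"\x00" * 2048)    # over the 1 KB limit
    (profile / "win.txt").write_text("placeholder-key", encoding="utf-8")
    exe_dir = base / "Temp"  # assumed location of the executable; no text.txt here
    exe_dir.mkdir()
    result = triage(profile, exe_dir)
    result["profile"] = profile
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The note check matches on content rather than just the filename, because post #7 below makes the point that the note (and wallpaper) is what separates this variant from other ".lock" families; a bare MENSAGEM.txt with different text is not evidence of it.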


#4 realist88

  • Members
  • 2 posts

Posted 18 May 2016 - 09:06 AM

Hi, the bruteforcer did not work for me; it is still running (attempts: 1271281). Is there another way to decrypt .lock files?



#5 Demonslay335

    Ransomware Hunter

  • Topic Starter
  • Security Colleague
  • 3,243 posts

Posted 18 May 2016 - 09:18 AM

Try downloading the bruteforcer from the link again, I've updated the tool recently with a possible fix for this one (fixed the proof-of-concept code I mentioned). Make sure it is v1.1.3.0.




#6 orsydion

  • Members
  • 1 posts

Posted 11 November 2016 - 04:12 PM

Hi, I don't have any locked png file. How can I find a password with your tools? ex. LIST PRZEWOZOWY.docx.id-240821B0.{funa@india.com}.lock



#7 Demonslay335

    Ransomware Hunter

  • Topic Starter
  • Security Colleague
  • 3,243 posts

Posted 11 November 2016 - 06:43 PM

> Hi, I don't have any locked png file. How can I find a password with your tools? ex. LIST PRZEWOZOWY.docx.id-240821B0.{funa@india.com}.lock

 

Your file was not encrypted by this ransomware. It was not distributed much, and had the ransom message shown in the above post. If you did not have that ransom note and wallpaper shown, you are NOT dealing with this ransomware variant.

 

Based on the file pattern, it is most likely a variant of CrySiS, which cannot be decrypted.


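Post #7 separates the two families by naming pattern: this variant appends a bare ".lock" to one of the extensions listed in the first post, whereas "<name>.<ext>.id-XXXXXXXX.{contact}.lock" is the CrySiS-style naming that is a different family, and even a matching pattern only counts if the MENSAGEM.txt note was present. The classifier below is an added example, not the thread author's tooling; it encodes that reasoning so a responder can sort a batch of filenames before asking for help. The eight-hex-digit id width is an assumption drawn from the single filename quoted in the thread, and the CrySiS suffixes other than ".lock" are taken from the ESET decryptor log posted further down.

```python
"""Sort encrypted file names the way post #7 does.

Added example, not the thread author's tooling.  A bare ".lock" on one of the
extensions the first post lists is a candidate for this HiddenTear-based
variant; "<name>.<ext>.id-XXXXXXXX.{contact}.<suffix>" is the CrySiS-style
naming the post calls a different family.  The 8-hex-digit id is assumed from
the one filename quoted in the thread.
"""
from __future__ import annotations

import os
import re
from collections import Counter
from typing import Iterable

# Extensions the first post lists as targeted by this variant.
TARGETED_EXTENSIONS = {
    ".asp", ".aspx", ".csv", ".doc", ".docx", ".html", ".jpg", ".mdb", ".odt",
    ".php", ".png", ".ppt", ".pptx", ".psd", ".sln", ".sql", ".txt", ".xls",
    ".xlsx", ".xml",
}
LOCK_SUFFIX = ".lock"

# CrySiS-style naming; suffix list from the ESET decryptor log in post #8.
CRYSIS_STYLE = re.compile(
    r"^(?P<orig>.+)\.id-(?P<victim_id>[0-9A-Fa-f]{8})"
    r"\.\{(?P<contact>[^{}]+)\}\.(?P<suffix>xtbl|crysis|crypt|lock)$"
)


def classify_lock_name(name: str) -> tuple[str, str]:
    """Return (label, original_name) for a single file name."""
    m = CRYSIS_STYLE.match(name)
    if m:
        return "crysis-style", m.group("orig")
    if not name.lower().endswith(LOCK_SUFFIX):
        return "not-encrypted-name", name
    original = name[: -len(LOCK_SUFFIX)]
    if os.path.splitext(original)[1].lower() in TARGETED_EXTENSIONS:
        return "hiddentear-lock-candidate", original
    return "lock-other-extension", original


def verdict(names: Iterable[str], note_seen: bool) -> str:
    """Combine the name classes with whether MENSAGEM.txt was found.

    Post #7's rule: without that note (and wallpaper) it is NOT this variant,
    so a fitting name pattern alone is only reported as unidentified.
    """
    counts = Counter(classify_lock_name(n)[0] for n in names)
    if counts["crysis-style"]:
        return "crysis-style naming: not this variant"
    if counts["hiddentear-lock-candidate"] and note_seen:
        return "consistent with the HiddenTear .lock variant"
    if counts["hiddentear-lock-candidate"]:
        return "name pattern fits, but no MENSAGEM.txt: treat as unidentified"
    return "no recognised encrypted-name pattern"


if __name__ == "__main__":
    # Constructed sample names; the third is the one quoted in post #6.
    sample = [
        "report.docx.lock",
        "archive.zip.lock",
        "LIST PRZEWOZOWY.docx.id-240821B0.{funa@india.com}.lock",
    ]
    for n in sample:
        print(n, "->", classify_lock_name(n))
    print(verdict(sample, note_seen=False))
```

A name that ends in ".lock" on an extension outside the first post's list is reported separately rather than rejected outright, since the list describes what the sample targeted and a responder should still look at such files manually.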


#8 al1963

  • Members
  • 839 posts

Posted 26 November 2016 - 06:35 AM

> Hi, I don't have any locked png file. How can I find a password with your tools? ex. LIST PRZEWOZOWY.docx.id-240821B0.{funa@india.com}.lock

Add one encrypted file to http://sendspace.com and give a link to the file in your message.

Check the decryption with the ESET CrySiS decrypter:

 

[2016.11.26 17:43:34.277] - .::EEEEEE:::SSSSSS::..EEEEEE..TTTTTTTT.. Crysis decryptor
[2016.11.26 17:43:34.279] - .::EE::::EE:SS:::::::.EE....EE....TT...... Version: 2.0.1.0
[2016.11.26 17:43:34.280] - .::EEEEEEEE::SSSSSS::.EEEEEEEE....TT...... Built: Nov 25 2016
[2016.11.26 17:43:34.287] - INFO: Supported Crysis file extensions: .xtbl, .crysis, .crypt, .lock





