
New TeslaCrypt variant?


This topic is locked
4 replies to this topic

#1 PNW_Mark (Members, 2 posts)

Posted 07 April 2016 - 03:00 PM

One of our users managed to pick up ransomware earlier this week. MS System Center Endpoint Protection failed to catch it and we are a bit baffled by what we saw:

  • The user's files were encrypted, as one would expect
  • But multiple connected file shares were not impacted
  • Typical "you were hacked" files were found in all subdirectories of the user's My Documents but NOT subdirectories in folders on the Desktop
  • All user files in both My Documents and Desktop subdirectories were encrypted
  • No file extensions were changed
  • The "you were hacked" files:
    • {RecOveR}-xmtee__.Txt
    • {RecOveR}-xmtee__.Png
    • {RecOveR}-xmtee__.Htm

After extensive web searches we could not find infections that matched our pattern with the rather un-user-friendly "{RecOveR}-xmtee__.*" you-were-hacked notification files. Has anyone else seen this?

A McAfee scan on the "you were hacked" files indicated the {RecOveR}-xmtee__.Txt files were infected by the Tescrypt!txt Trojan.

Any information would be appreciated.

Thanks!

-mark




#2 Demonslay335 (Ransomware Hunter, Security Colleague, 3,511 posts, USA)

Posted 07 April 2016 - 03:09 PM

Have you tried ID Ransomware? It should pick up on the hex pattern of an encrypted file, plus the naming pattern of that ransom note. It looks like it is probably TeslaCrypt 4.0 from the information provided. Odd if it didn't hit everything; could be the affected user didn't have permissions or something else goofed it up. Consider that part lucky and back up everything you possibly can while you can, to be safe.

I haven't added that ransom note pattern yet since I haven't confirmed it. If you get a positive on TeslaCrypt 4.0 from an encrypted sample, let me know, and I'll add the ransom note filename to the signatures.


Edited by Demonslay335, 07 April 2016 - 03:12 PM.

ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]
RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]
CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.
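The two things the posts above are keying on, a ransom-note filename pattern and encrypted files whose extension was left unchanged, are exactly what an incident responder wants to sweep for when scoping how far an infection reached. The script below is an added example written for this thread; it is not code from the original posts and it is not how ID Ransomware works internally. It assumes (a) the five-letter token in "{RecOveR}-xmtee__.Txt" varies per infection, so any alphanumeric run is accepted, (b) a small table of well-known file magics (PDF, Office/zip, PNG, JPEG, GIF) is enough to spot a file whose header no longer matches its extension, and (c) a constructed sample tree stands in for a real user profile. Directories holding header-mismatched files but no note are reported separately, which is the "Desktop subdirectories were encrypted but had no note" situation from the first post.

```python
"""
Triage sweep for a TeslaCrypt-style infection: files encrypted in place (extension
kept) and ransom notes named like {RecOveR}-xmtee__.Txt / .Png / .Htm dropped into
some, but not all, directories.

Added example for the thread; NOT the original poster's or ID Ransomware's code.
"""
import os
import re
import tempfile
from pathlib import Path

# Ransom-note filename pattern from the thread. ASSUMPTION: the token between
# "-" and "__" ("xmtee" in the thread) varies, so any alphanumeric run is accepted.
NOTE_RE = re.compile(r"^\{RecOveR\}-[A-Za-z0-9]+__\.(Txt|Png|Htm)$")

# Expected leading bytes per extension; only well-known magics are listed.
MAGIC = {
    ".pdf": (b"%PDF",),
    ".docx": (b"PK\x03\x04",),
    ".xlsx": (b"PK\x03\x04",),
    ".pptx": (b"PK\x03\x04",),
    ".zip": (b"PK\x03\x04",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
}


def is_ransom_note(name: str) -> bool:
    """True if the bare filename matches the {RecOveR}-<token>__.<ext> pattern."""
    return NOTE_RE.match(name) is not None


def magic_mismatch(path: Path) -> bool:
    """True if the extension has a known magic and the file does not start with it.
    Unknown extensions return False (no opinion), so .txt files are never flagged."""
    expected = MAGIC.get(path.suffix.lower())
    if not expected:
        return False
    with path.open("rb") as fh:
        head = fh.read(max(len(m) for m in expected))
    return not any(head.startswith(m) for m in expected)


def sweep(root):
    """Walk root and return per-directory findings (keys are POSIX-style relative paths)."""
    root = Path(root)
    notes = {}     # dir -> ransom note filenames found there
    suspects = {}  # dir -> files whose header contradicts their extension
    for dirpath, _dirnames, filenames in os.walk(root):
        d = Path(dirpath)
        rel = d.relative_to(root).as_posix()
        for fn in filenames:
            if is_ransom_note(fn):
                notes.setdefault(rel, []).append(fn)
            elif magic_mismatch(d / fn):
                suspects.setdefault(rel, []).append(fn)
    # Directories that look encrypted but got no note: the Desktop case in the thread.
    encrypted_no_note = sorted(set(suspects) - set(notes))
    return {"notes": notes, "suspects": suspects, "encrypted_no_note": encrypted_no_note}


def build_sample_tree():
    """CONSTRUCTED sample data mirroring the thread's observations; not real victim files."""
    base = Path(tempfile.mkdtemp(prefix="tesla_triage_"))
    docs = base / "My Documents" / "Reports"
    desk = base / "Desktop" / "Projects"
    docs.mkdir(parents=True)
    desk.mkdir(parents=True)
    # "Encrypted" in place: extension kept, magic gone. Bytes are made up.
    (docs / "q1.docx").write_bytes(b"\x8f\x21\xa0" + b"\x00" * 64)
    (docs / "{RecOveR}-xmtee__.Txt").write_text("ransom note placeholder\n")
    (docs / "{RecOveR}-xmtee__.Htm").write_text("<html>placeholder</html>\n")
    (desk / "plan.pdf").write_bytes(b"\x11\x22\x33" + b"\x00" * 64)  # encrypted, no note
    (desk / "logo.png").write_bytes(b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)  # intact
    (base / "readme.txt").write_text("no magic known for .txt; ignored\n")
    return base


if __name__ == "__main__":
    result = sweep(build_sample_tree())
    for d, names in sorted(result["notes"].items()):
        print(f"note(s) in {d}: {names}")
    for d, names in sorted(result["suspects"].items()):
        print(f"header mismatch in {d}: {names}")
    print("encrypted but no note:", result["encrypted_no_note"])
```

Run it against a copy of the affected profile (or a forensic image mount) rather than the live machine, and treat the magic check as a triage heuristic only: it cannot see files whose format has no fixed header, and a positive match says "probably encrypted", not which family did it. The note pattern is the stronger indicator, and ID Ransomware's confirmation from an encrypted sample, as in the posts above, is what actually settles the family.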


#3 PNW_Mark (Topic Starter, Members, 2 posts)

Posted 07 April 2016 - 03:17 PM

Demonslay:

Good call on checking ID Ransomware. It picked up the pattern and agreed with you on TeslaCrypt 4.0.

The user had full permissions on the fileshares; I'm guessing something just went wrong and the encryption failed (lucky for us). We have good backups so the user's laptop has already been re-imaged and loaded with a backup from 48 hours earlier, but it's good to know what we are dealing with!

Thanks.



#4 Demonslay335 (Ransomware Hunter, Security Colleague)

Posted 07 April 2016 - 03:17 PM

Ok, thanks, I saw yours come through and it was confirmed from the hex pattern. Does the ransom note mention RSA 4096, and does it have three links to Tor websites?




#5 quietman7 (Bleepin' Janitor, Global Moderator, 51,470 posts, Virginia, USA)

Posted 07 April 2016 - 04:38 PM

The TeslaCrypt 4.0 support topic is here.

Rather than have everyone start individual topics, it would be best (and more manageable for staff) if you posted any more questions, comments or requests for assistance in that support topic...including the information about the ransom note and links to Tor websites asked by Demonslay335.

To avoid unnecessary confusion...this topic is closed.

Thanks
The BC Staff





