
{RecOver} Ransomware


  • This topic is locked
3 replies to this topic

#1 silumor

silumor

  • Members
  • 39 posts
  • Local time:12:20 AM

Posted 11 April 2016 - 10:29 AM

Hi,

I have come across a new ransomware which leaves ransom notes with the names of

 

{RecOver}-ayggl_.htm

{RecOver}-ayggl_.Png

{RecOver}-ayggl_.Txt


And these ransom note variations 7 days prior

 

{RecOver}-Inxxh_.htm

{RecOver}-Inxxh_.Png

{RecOver}-Inxxh_.Txt

 

I would like to help warn people about this ransomware. I will make a data backup of the hard drive and dev if you would PM me for what information I could supply you with. I will post it all here. I will append my first post with all new data.

At first glance this ransomware does not change the file names at all, so files keep their original names.


Edited by silumor, 11 April 2016 - 10:58 AM.




#2 Demonslay335

Demonslay335

    Ransomware Hunter


  • Security Colleague
  • 3,430 posts
  • Gender:Male
  • Location:USA
  • Local time:11:20 PM

Posted 11 April 2016 - 10:57 AM

This is TeslaCrypt 4.0. It has used that structure of ransom note filenames for a bit now. ID Ransomware in my signature detects it by the ransom note and the hex pattern of the encrypted files. I'm afraid there is no solution at this time.


ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.


#3 silumor

silumor
  • Topic Starter

  • Members
  • 39 posts
  • Local time:12:20 AM

Posted 11 April 2016 - 11:06 AM

Thank you. I'll stop posting now then.

I have tracked down load points; unfortunately for this person they are using Windows Vista and only had 2 shadow copies, and the encryption started days before the last one, so they are SOL.
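
An added triage sketch for the situation described in posts #1 and #3 (not code from any poster or from ID Ransomware): it matches ransom-note names against a pattern generalised from the two quoted note sets and lists which shadow copies predate the earliest note. The five-letter ID rule, the function names, and the sample paths and dates are assumptions constructed for illustration.

```python
import re
from datetime import datetime

# Pattern generalised from the two note sets quoted in the thread.
# Assumption: the ID is always five letters, extension is htm/png/txt.
NOTE_RE = re.compile(r"^\{RecOver\}-([A-Za-z]{5})_\.(htm|png|txt)$", re.IGNORECASE)

def group_notes(files):
    """files: iterable of (path, mtime). Returns {note_id: earliest mtime}."""
    first_seen = {}
    for path, mtime in files:
        name = re.split(r"[\\/]", path)[-1]  # accept Windows or POSIX paths
        m = NOTE_RE.match(name)
        if m and mtime < first_seen.get(m.group(1), datetime.max):
            first_seen[m.group(1)] = mtime
    return first_seen

def usable_shadow_copies(files, snapshots):
    """Snapshots taken before the earliest ransom note appeared.

    The earliest note time only approximates when encryption began, so
    treat a snapshot close to that time with suspicion.
    """
    first_seen = group_notes(files)
    if not first_seen:
        return sorted(snapshots)
    start = min(first_seen.values())
    return sorted(s for s in snapshots if s < start)

# Constructed sample data (paths and dates are illustrative, not from the thread).
SAMPLE_FILES = [
    (r"C:\Users\a\Documents\{RecOver}-Inxxh_.Txt", datetime(2016, 4, 4, 9, 15)),
    (r"C:\Users\a\Documents\{RecOver}-Inxxh_.htm", datetime(2016, 4, 4, 9, 15)),
    (r"C:\Users\a\Pictures\{RecOver}-ayggl_.Png", datetime(2016, 4, 11, 8, 2)),
    (r"C:\Users\a\Documents\report.docx", datetime(2016, 3, 1, 12, 0)),
    (r"C:\Users\a\Documents\RecOver-notes.txt", datetime(2016, 3, 2, 12, 0)),
]
SAMPLE_SNAPSHOTS = [datetime(2016, 4, 6, 3, 0), datetime(2016, 4, 9, 3, 0)]

if __name__ == "__main__":
    for note_id, seen in sorted(group_notes(SAMPLE_FILES).items(), key=lambda kv: kv[1]):
        print(f"note set {note_id}: first seen {seen:%Y-%m-%d %H:%M}")
    print("snapshots predating encryption:",
          usable_shadow_copies(SAMPLE_FILES, SAMPLE_SNAPSHOTS))
```

With the constructed data, both snapshots postdate the first note set, so none is usable, which mirrors the outcome reported in post #3.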



#4 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 50,964 posts
  • Gender:Male
  • Location:Virginia, USA
  • Local time:12:20 AM

Posted 11 April 2016 - 03:09 PM


Support for TeslaCrypt 3.0/4.0 is provided in this topic where you can ask questions and seek further assistance but as noted above there is no solution to fix your encrypted files yet. Rather than have everyone start individual topics, it would be best (and more manageable for staff) if you posted any questions, comments or requests for assistance in the support topic discussion. Doing that will also ensure you receive proper assistance from our crypto malware experts since they may not see this thread. To avoid unnecessary confusion...this topic is closed.

Thanks
The BC Staff
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
