Recently hit with ransomware


7 replies to this topic

#1 krak3n

  • Members
  • 3 posts
  • OFFLINE
  • Local time:05:03 PM

Posted 14 April 2016 - 02:15 PM

Hello,

I was recently hit with ransomware. Could you please help ID it? I've uploaded a few sample files here.

Thanks!




#2 krak3n

  • Topic Starter
  • Members
  • 3 posts
  • OFFLINE
  • Local time:05:03 PM

Posted 14 April 2016 - 02:19 PM

Here is the ransom note:

Attention! All your files are encrypted!
 
To restore your files and access them,
please send 0.5 Bitcoin to adress
194DQmxsSsM4Xp2CozvxatH2WkxA7AnV1f
and email to jana.berg@ausi.com proof
(screen or smth) of your payment.
 
After receiving the money, I will send you
your password and decrypt instruction via email.
 
You have 20 attempts to enter the code.
When that number has been exceeded,
all the data irreversibly is destroyed.
 
Be careful when you enter the code!
 
All the files were changed to EnCiPhErEd.


#3 Fabian Wosar

    Authorized Emsisoft Representative

  • Security Developer
  • 744 posts
  • OFFLINE
  • Gender:Male
  • Location:Germany
  • Local time:01:03 AM

Posted 14 April 2016 - 02:20 PM

Based on the ransom note it looks like Xorist. Do you still have the malicious file that infected your system?


Best regards,

Fabian Wosar [Development]
Emsisoft Team - www.emsisoft.com

#4 krak3n

  • Topic Starter
  • Members
  • 3 posts
  • OFFLINE
  • Local time:05:03 PM

Posted 14 April 2016 - 02:24 PM

Unfortunately I do not. I'm currently in the process of attempting to recover the .exe. Am I out of luck without it?


Edited by krak3n, 14 April 2016 - 02:27 PM.


#5 Fabian Wosar

    Authorized Emsisoft Representative

  • Security Developer
  • 744 posts
  • OFFLINE
  • Gender:Male
  • Location:Germany
  • Local time:01:03 AM

Posted 15 April 2016 - 05:53 AM

I found the file that most likely encrypted your files. Any chance you can submit some encrypted files here:

http://www.bleepingcomputer.com/submit-malware.php?channel=170


Best regards,

Fabian Wosar [Development]
Emsisoft Team - www.emsisoft.com

#6 TechGuru11

  • Members
  • 93 posts
  • OFFLINE
  • Gender:Male
  • Local time:08:03 PM

Posted 02 May 2016 - 10:51 AM

Hello,

I am wondering if there is typically a time frame for receiving assistance for variants which are known to be decryptable. The data is very critical to us (sensitive medical data) and we submitted a sample file to the link last Monday. We understand how many inquiries you get and really appreciate all the work you do here on this forum. Thanks in advance for any response. I have uploaded a sample file here as well for your reference: https://www.sendspace.com/file/j6sc6y



#7 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 51,749 posts
  • OFFLINE
  • Gender:Male
  • Location:Virginia, USA
  • Local time:08:03 PM

Posted 03 May 2016 - 05:47 AM

...I am wondering if there is typically a time frame for receiving assistance for variants which are known to be decryptable. The data is very critical to us (sensitive medical data) and we submitted a sample file to the link last Monday...

Staff members, Security Colleagues and Security Experts are all volunteers who assist members as time permits. No one is paid for their work or assistance to members of our community. We have jobs in the real world, families and other commitments which take priority over anything we do here, so we are not logged into the forums every day. This site receives hundreds of requests for help every day. New malware infections are released almost daily and it takes time for our volunteers to investigate before they can try to help anyone. We are grateful for whatever free work our volunteer Security Experts can dedicate to investigating, analyzing and creating (when possible) fix tools that help so many of our members with malware related problems.

Thanks for understanding.
The BC Staff
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#8 Fabian Wosar

    Authorized Emsisoft Representative

  • Security Developer
  • 744 posts
  • OFFLINE
  • Gender:Male
  • Location:Germany
  • Local time:01:03 AM

Posted 03 May 2016 - 07:10 AM

Hello,

I am wondering if there is typically a time frame for receiving assistance for variants which are known to be decryptable. The data is very critical to us (sensitive medical data) and we submitted a sample file to the link last Monday. We understand how many inquiries you get and really appreciate all the work you do here on this forum. Thanks in advance for any response. I have uploaded a sample file here as well for your reference: https://www.sendspace.com/file/j6sc6y

The file you uploaded is too small. The ransomware will skip the first few bytes. If you open the file you uploaded in notepad you will see it's not encrypted at all, simply because it was too small. We will require a bigger file as well as the original version of the file. Also, if you do have the actual malware sample that encrypted your files, please provide it as well. If you removed it already, please check the quarantines of the tools you used for the removal process.


Best regards,

Fabian Wosar [Development]
Emsisoft Team - www.emsisoft.com
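The reply above makes a point that is easy to check before uploading anything: a ransomware that skips the first few bytes of each file leaves very small files effectively untouched, so a sample has to be large enough to actually contain ciphertext, and it should be accompanied by the unencrypted original. The script below is an added example written for this thread; it is not code from the forum, from Emsisoft, or from any decryptor. It scores a candidate file by Shannon entropy and printable-byte ratio, flags files that are too small or still plaintext, and sanity-checks an original/encrypted pair. The size threshold, the entropy and printable cutoffs, the optional `skip` offset (the thread does not state how many bytes the sample skips) and the sample files are all constructed assumptions.

```python
"""Pre-submission triage for suspected ransomware-encrypted files.

Added example, not code from the thread. It checks whether a candidate file
is big enough to contain ciphertext at all and whether its contents actually
look encrypted, so an analyst is not sent a file the ransomware skipped.
All thresholds and sample data below are assumptions, not family-specific facts.
"""
import math
import random
from collections import Counter

# Assumption: files below this size are likely to have been skipped or left
# mostly untouched by a family that ignores a leading header region.
MIN_USEFUL_SIZE = 4096
# Assumption: ciphertext from a modern cipher has near-maximal byte entropy.
ENCRYPTED_ENTROPY_MIN = 7.0
# Assumption: plaintext documents are dominated by printable ASCII.
PLAINTEXT_PRINTABLE_MIN = 0.90


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 for empty input, 8.0 for uniform bytes)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII, tab, CR or LF."""
    if not data:
        return 0.0
    printable = sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13))
    return printable / len(data)


def triage(data: bytes, skip: int = 0) -> dict:
    """Classify a candidate file.

    `skip` is the number of leading bytes to ignore when scoring, for families
    that leave a header region in the clear. The thread does not give the
    offset used by the sample discussed, so the default scores the whole file.
    """
    body = data[skip:]
    entropy = shannon_entropy(body)
    printable = printable_ratio(body)
    looks_encrypted = entropy >= ENCRYPTED_ENTROPY_MIN and printable < PLAINTEXT_PRINTABLE_MIN
    if len(data) < MIN_USEFUL_SIZE:
        verdict = "too_small"        # resubmit a larger file
    elif not looks_encrypted:
        verdict = "not_encrypted"    # contents are still readable plaintext
    else:
        verdict = "usable"
    return {
        "size": len(data),
        "entropy": round(entropy, 3),
        "printable_ratio": round(printable, 3),
        "looks_encrypted": looks_encrypted,
        "verdict": verdict,
    }


def check_pair(original: bytes, encrypted: bytes) -> list:
    """Sanity-check an original/encrypted pair before submission.

    Returns a list of problems; an empty list means the pair is worth sending.
    Assumption: the ciphertext is never shorter than the plaintext it replaced,
    i.e. the family does not compress before encrypting.
    """
    problems = []
    if original == encrypted:
        problems.append("files are identical; the 'encrypted' copy was not modified")
    if len(encrypted) < len(original):
        problems.append("encrypted copy is shorter than the original; probably not the matching file")
    verdict = triage(encrypted)["verdict"]
    if verdict != "usable":
        problems.append("encrypted copy failed triage: " + verdict)
    return problems


# --- constructed sample inputs (not real files from the thread) ---
_rng = random.Random(20160414)
SMALL_PLAINTEXT = b"Patient record 0001: blood pressure 120/80\n" * 4    # 172 bytes
LARGE_PLAINTEXT = b"Patient record 0001: blood pressure 120/80\n" * 190  # 8170 bytes
LARGE_CIPHERTEXT = bytes(_rng.getrandbits(8) for _ in range(8192))    # stands in for real ciphertext

if __name__ == "__main__":
    for name, sample in [("small", SMALL_PLAINTEXT), ("large plaintext", LARGE_PLAINTEXT),
                         ("large ciphertext", LARGE_CIPHERTEXT)]:
        print(f"{name:16s} -> {triage(sample)}")
    print("pair check:", check_pair(LARGE_PLAINTEXT, LARGE_CIPHERTEXT) or "ok")
```

Run it on the real candidate by reading the file with `open(path, "rb").read()` and passing the bytes to `triage`; a `too_small` or `not_encrypted` verdict means the file would be rejected for the reason given in the reply above, and a non-empty `check_pair` result says why the pair is not worth an analyst's time. Pseudo-random bytes stand in for ciphertext here only because both are statistically flat; the test does not identify any particular family.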



