Remind Ransomware Support and Help Topic (.remind)


13 replies to this topic

#1 MasterNe0 (Members, 80 posts)

Posted 20 April 2016 - 02:56 PM

Yesterday we had a client call. We checked and saw they got hit with ransomware (all network files were renamed to .remind).

Has anyone heard of this ransomware, or is this new? We are currently recovering the files from backups but want to find out more about this.
The email in the note file decrypt_your_files.html is "unransom@me.com".

We also had an issue where it looks like whoever or whatever created this ransomware was able to hijack our client's PC and then, from that one PC, remote into other desktops in the office.

This is the first time I have ever seen ransomware or a virus take over another desktop from one PC (they remoted or logged into the patient-zero desktop, the machine encrypted all files plus the server with .remind, and then they used RDP to remote into another desktop in the office which had a simple password, and kept logging into that machine until we reset the password).

Here is a link to a screenshot of the .html file: http://imgur.com/gV6i5SN

Edited by quietman7, 05 June 2016 - 04:40 PM.



#2 Demonslay335 (Ransomware Hunter, Security Colleague, 3,251 posts, USA)

Posted 20 April 2016 - 03:34 PM

Looks new; I haven't seen one with that ransom note or extension before.

Can you locate any malicious files? We may need the malware itself to analyze. You can submit samples, as well as a before/after file if you can, here: http://www.bleepingcomputer.com/submit-malware.php?channel=168

Manual hacks and criminals moving laterally to deploy ransomware have been around for a bit. For example, Samas ransomware was spread this way by exploiting a server, then using tools to compromise further systems on the network by discovery and pushing it out over Group Policy.


Edited by Demonslay335, 20 April 2016 - 03:39 PM.

logo-25.pngID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

ransomnotecleaner-25.png RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

cryptosearch-25.pngCryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.
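The lateral movement described in this thread (repeated RDP logons against a desktop with a weak password until one succeeded) leaves a recognisable trail in the Windows Security log: a run of event 4625 (failed logon) with logon type 10 (RemoteInteractive, i.e. RDP) from one source, followed by a 4624 (successful logon) of the same type from the same source. The script below is an added example, not tooling from the thread or from BleepingComputer; it runs that check over a constructed, comma-separated export of such events. The field layout and the sample lines are assumptions for the demo; a real export from wevtutil or Get-WinEvent would need its own parser.

```python
"""Flag RDP password guessing that ends in a successful logon.

Added example, not part of the original thread. It walks a constructed
export of Windows Security events (4625 = failed logon, 4624 = successful
logon, logon type 10 = RemoteInteractive / RDP) and reports a source that
fails repeatedly against a host and then succeeds. The comma-separated
field layout is an assumption for the demo.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export (not real data):
# timestamp, event id, logon type, target host, account, source address
SAMPLE_EVENTS = """\
2016-04-19 22:10:01,4624,10,PATIENT0,jsmith,203.0.113.7
2016-04-19 22:14:03,4625,10,DESK02,administrator,10.0.0.15
2016-04-19 22:14:05,4625,10,DESK02,administrator,10.0.0.15
2016-04-19 22:14:08,4625,10,DESK02,administrator,10.0.0.15
2016-04-19 22:14:11,4625,10,DESK02,administrator,10.0.0.15
2016-04-19 22:14:15,4625,10,DESK02,administrator,10.0.0.15
2016-04-19 22:14:19,4625,10,DESK02,administrator,10.0.0.15
2016-04-19 22:14:40,4624,10,DESK02,administrator,10.0.0.15
2016-04-19 22:20:00,4625,10,DESK03,bob,10.0.0.15
2016-04-19 23:00:00,4624,2,DESK03,bob,-
"""

FAILED_LOGON, SUCCESSFUL_LOGON = "4625", "4624"
RDP_LOGON_TYPE = "10"


def parse_events(text):
    """Parse the constructed export into dicts with a datetime timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, logon_type, host, user, src = line.split(",")
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                       "id": event_id, "type": logon_type,
                       "host": host, "user": user, "src": src})
    return events


def find_rdp_brute_force(events, min_failures=5, window=timedelta(minutes=10)):
    """Return one finding per successful RDP logon that was preceded, within
    `window`, by at least `min_failures` failed RDP logons from the same
    source address against the same host."""
    failures = defaultdict(list)      # (src, host) -> timestamps of 4625s
    findings = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["type"] != RDP_LOGON_TYPE:
            continue                  # only remote-interactive (RDP) logons
        key = (ev["src"], ev["host"])
        if ev["id"] == FAILED_LOGON:
            failures[key].append(ev["ts"])
        elif ev["id"] == SUCCESSFUL_LOGON:
            recent = [t for t in failures[key] if ev["ts"] - t <= window]
            if len(recent) >= min_failures:
                findings.append({"src": ev["src"], "host": ev["host"],
                                 "user": ev["user"], "failures": len(recent),
                                 "first_failure": recent[0], "success": ev["ts"]})
            failures[key].clear()     # a success resets the counter for that pair
    return findings


if __name__ == "__main__":
    for f in find_rdp_brute_force(parse_events(SAMPLE_EVENTS)):
        print(f"{f['src']} -> {f['host']} as {f['user']}: {f['failures']} failures "
              f"between {f['first_failure']} and {f['success']}, then success")
```

The thresholds (five failures inside ten minutes) are arbitrary starting points; on a busy terminal server you would tune them, and you would also want to look at the source address of the successful 4624 on "patient zero" itself, since that is where the operator came in from.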


#3 quietman7 (Bleepin' Janitor, Global Moderator, 49,952 posts, Virginia, USA)

Posted 20 April 2016 - 04:04 PM

These are some common locations malicious executables related to ransomware infections may be found:
%Temp%
%AppData%
%LocalAppData%
%ProgramData%
%WinDir%
C:\<random>\<random>.exe
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Microsoft MVP Reconnect 2016
Windows Insider MVP 2017
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif
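Before cleaning anything, it helps to inventory what is sitting in those locations so a sample can still be submitted for analysis. The script below is an added example, not tooling from the thread or from the poster; it walks the directories named above (taken from the environment variables listed, plus one level below the system drive root for the C:\<random>\<random>.exe pattern), keeps any file that starts with the "MZ" PE header regardless of its extension, and records size, modification time and SHA-256 without deleting or moving anything. The depth limits and the throwaway demo tree it builds for itself are assumptions for the example.

```python
"""Inventory candidate executables in common ransomware drop locations.

Added example, not the thread's own tooling. Lists PE files (by 'MZ'
header, not extension) under the locations the post names, with hashes,
so a sample can be submitted before anything is cleaned. Nothing is
deleted. Depth limits and the demo tree are arbitrary choices.
"""
import hashlib
import os
import tempfile
from datetime import datetime
from pathlib import Path

# Environment variables from the list above; resolved on the machine being triaged.
DROP_LOCATION_VARS = ["TEMP", "APPDATA", "LOCALAPPDATA", "PROGRAMDATA", "WINDIR"]

DEMO_PE_BYTES = b"MZ" + b"\x90" * 60   # constructed: PE header plus filler


def default_roots():
    """(root, max_depth) pairs built from the current environment."""
    roots = [(Path(os.environ[v]), 6) for v in DROP_LOCATION_VARS if v in os.environ]
    system_drive = os.environ.get("SystemDrive")
    if system_drive:
        roots.append((Path(system_drive + os.sep), 2))   # C:\<random>\<random>.exe
    return roots


def is_pe_file(path):
    """True if the file starts with the DOS 'MZ' stub used by every PE image."""
    try:
        with open(path, "rb") as fh:
            return fh.read(2) == b"MZ"
    except OSError:
        return False


def sha256_of(path):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_for_pe_files(roots, newer_than=None):
    """Walk each (root, max_depth) pair and return PE files newest first.
    `newer_than` (a datetime) skips files last modified before the incident."""
    hits = []
    for root, max_depth in roots:
        root = Path(root)
        if not root.is_dir():
            continue
        for dirpath, dirnames, filenames in os.walk(root):
            depth = len(Path(dirpath).relative_to(root).parts)
            if depth + 1 >= max_depth:
                dirnames[:] = []        # stop descending past max_depth
            for name in filenames:
                path = Path(dirpath) / name
                try:
                    st = path.stat()
                except OSError:
                    continue
                mtime = datetime.fromtimestamp(st.st_mtime)
                if newer_than is not None and mtime < newer_than:
                    continue
                if not is_pe_file(path):
                    continue
                hits.append({"path": str(path), "size": st.st_size,
                             "mtime": mtime, "sha256": sha256_of(path)})
    return sorted(hits, key=lambda h: h["mtime"], reverse=True)


def build_demo_tree():
    """Constructed throwaway tree: one fake PE with a harmless-looking
    extension and one text file, so the scanner can be tried safely."""
    base = Path(tempfile.mkdtemp(prefix="triage-demo-"))
    (base / "sub").mkdir()
    (base / "sub" / "upd.dat").write_bytes(DEMO_PE_BYTES)
    (base / "readme.txt").write_bytes(b"not an executable")
    return base


if __name__ == "__main__":
    demo = build_demo_tree()
    for hit in scan_for_pe_files([(demo, 3)] + default_roots()):
        print(f"{hit['mtime']:%Y-%m-%d %H:%M}  {hit['size']:>9}  {hit['sha256']}  {hit['path']}")
```

On a real machine, pass `newer_than=datetime(...)` set to shortly before the files were renamed; otherwise %WinDir% alone will produce thousands of legitimate rows. The hashes let you check a candidate against VirusTotal or hand it to the analysts without ever running it.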

#4 MasterNe0 (Topic Starter, Members, 80 posts)

Posted 22 April 2016 - 10:24 AM

I am unable to provide a copy of the encrypted files or the originals because the files are sensitive data from a law firm.



#5 Demonslay335 (Ransomware Hunter, Security Colleague, 3,251 posts, USA)

Posted 22 April 2016 - 10:27 AM

That's fine; it's more the malware itself that we need. We can run it ourselves (in a controlled environment) to create sample encrypted files once we have the malicious executable.




#6 Demonslay335 (Ransomware Hunter, Security Colleague, 3,251 posts, USA)

Posted 15 May 2016 - 01:12 PM

We are still looking for a sample of this malware, but early signs suggest we may be able to help. Is there any chance you would be able to supply a small encrypted PNG file (*.png.remind)? It can simply be an icon or something from a program or temp files; it doesn't have to be actual data.



#7 johnthepro (Members, 3 posts)

Posted 05 June 2016 - 03:13 PM

Hey guys,

Had a client show up with symptoms of malware on an SBS 2011 machine. The compromise seems to be isolated to the server, and MBAM does not seem to detect any malicious content left. Perhaps the attacker was able to remote into the machine, run his compromiser, and then remove it?

I'm still left with encrypted files bearing a .ransom extension. I'm hoping there's a decrypt tool out there. The note is nearly identical to the ransomware mentioned in this post: http://www.bleepingcomputer.com/forums/t/611740/remind-ransomware/

I can provide samples of the encrypted files, and am willing to execute whatever steps you recommend.

Thanks,

John



#8 TheTripleDeuce (Members, 275 posts, Canada)

Posted 05 June 2016 - 03:52 PM

Go here to upload a ransom note and/or a sample encrypted file to identify the ransomware that has encrypted your data:

https://id-ransomware.malwarehunterteam.com/

Post the results here.


Edited by TheTripleDeuce, 05 June 2016 - 04:01 PM.


#9 johnthepro (Members, 3 posts)

Posted 05 June 2016 - 04:13 PM

Here's what they gave me:

2 Results

RemindMe
This ransomware is still under analysis.
Please refer to the appropriate topic for more information. Samples of encrypted files and suspicious files may be needed for continued investigation.
Identified by
  • ransomnote_filename: DECRYPT_YOUR_FILES.HTML

Sanction
This ransomware has no known way of decrypting data at this time.
It is recommended to backup your encrypted files, and hope for a solution in the future

 


Edited by johnthepro, 05 June 2016 - 04:16 PM.


#10 Demonslay335 (Ransomware Hunter, Security Colleague, 3,251 posts, USA)

Posted 05 June 2016 - 04:18 PM

I've been hunting for a sample of RemindMe without much success. If the ransom note is the same, it may be linked. There are suspicions it may be a variant of HiddenTear, which has a chance of being cracked; there are some alterations the authors may have made, though, that I need to know about before trying to make a decrypter, if that's the case.

If you can search your system thoroughly for the malware, it will be needed for analysis.



#11 quietman7 (Bleepin' Janitor, Global Moderator, 49,952 posts, Virginia, USA)

Posted 05 June 2016 - 04:29 PM

The topic has been merged with the existing discussion topic to avoid confusion and make it easier for analysis.

#12 johnthepro (Members, 3 posts)

Posted 05 June 2016 - 06:27 PM

I've run MBAM; the only thing it detected was HackTool.PasswordStealer.

Anything else you'd like me to run? Like I said, the system is SBS 2011, and I don't have a backup to pull from to restore files (luckily most of the important content for the business is stored on a NAS by way of mapped drives, and those were not affected, possibly because it's a Buffalo NAS, probably running some *nix variant).

I'm pretty familiar with most malware tools, but I don't want to shotgun it and end up cleaning/removing something you could use for analysis.

How would you like me to proceed?

EDIT: It appears that the ransomware did not delete/infect the Shadow Copies, which means I could provide pre- and post-encryption copies of some files for analysis as well, but it DOES seem to have affected some of the Shadow Copies that exist, so some things, like SYSVOL, have encrypted files in them even though they are dated from before the encryption occurred.


Edited by johnthepro, 05 June 2016 - 06:29 PM.


#13 Demonslay335 (Ransomware Hunter, Security Colleague, 3,251 posts, USA)

Posted 06 June 2016 - 12:12 AM

I'm interested in that password stealer; a few recent ransomware families have included "extra features" that AV might pick up on (as opposed to outright flagging the ransomware part). I would also recommend scans with HitmanPro and Malwarebytes Anti-Rootkit; both allow detection without automatic removal.

You can provide a before/after as well, might help in confirming if the encryption is something simple. A PNG and something plaintext (like TXT or CSV) help if possible.

You may submit suspicious files here: https://www.bleepingcomputer.com/submit-malware.php?channel=168

Edited by Demonslay335, 06 June 2016 - 12:14 AM.

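The reason a before/after pair (and a PNG in particular) is requested above is that it lets an analyst test whether the "encryption" is something simple before any malware sample turns up. The script below is an added example, not code from the thread or from any decrypter mentioned in it. It XORs an original file against its encrypted twin to recover the keystream and checks whether that keystream repeats with a short period, which would mean the files can be recovered without the malware; output from a real cipher shows no such period. It also shows why a PNG is useful on its own: every PNG starts with the same 16 bytes, so a keystream prefix can be recovered from the encrypted file even when the original is gone. The sample file bytes, the demo key and the SHA-256-based stand-in for a real cipher are all constructed for the example; nothing here describes how RemindMe actually encrypts.

```python
"""Tell 'simple' encryption from real cipher output using a before/after pair.

Added example, not code from the thread or from any decrypter mentioned in
it. Derives the XOR keystream from an original/encrypted pair and checks
for a short repeating period. All sample bytes and the key are constructed.
"""
import hashlib
from itertools import cycle

# Every PNG begins with the 8-byte signature, the IHDR length (13) and the
# chunk type, so these 16 bytes are known plaintext for any .png file.
PNG_KNOWN_PREFIX = b"\x89PNG\r\n\x1a\n\x00\x00\x00\x0dIHDR"

# Constructed stand-in for a tiny PNG: known prefix, a 13-byte IHDR body,
# a dummy CRC and filler. Not a valid image; only the prefix matters here.
SAMPLE_PNG = (PNG_KNOWN_PREFIX
              + b"\x00\x00\x00\x10\x00\x00\x00\x10\x08\x06\x00\x00\x00"
              + b"\x00" * 4 + bytes(range(48)))
DEMO_KEY = b"demo-k3y"   # constructed key for the weak sample


def repeating_xor(data, key):
    """Toy weak cipher used to build the 'simple' sample; also undoes it."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def simulated_strong_encrypt(data, secret):
    """Stand-in for a real cipher: SHA-256 keystream in counter mode."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(secret + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(b ^ k for b, k in zip(data, stream))


def smallest_period(stream, max_period=64):
    """Shortest p such that `stream` is a repetition of its first p bytes,
    or None. Only periods up to len(stream) // 2 can be confirmed."""
    for p in range(1, min(max_period, len(stream) // 2) + 1):
        if all(stream[i] == stream[i % p] for i in range(len(stream))):
            return p
    return None


def classify_keystream(keystream):
    if not any(keystream):
        return {"verdict": "unchanged"}        # renamed only, or header untouched
    period = smallest_period(keystream)
    if period is not None:
        return {"verdict": "repeating_xor", "key": keystream[:period]}
    return {"verdict": "not_simple"}           # real cipher; the malware is needed


def classify_pair(plain, cipher):
    """Compare an original file with its encrypted version."""
    n = min(len(plain), len(cipher))
    keystream = bytes(p ^ c for p, c in zip(plain[:n], cipher[:n]))
    result = classify_keystream(keystream)
    result["extra_bytes"] = len(cipher) - len(plain)   # appended marker or key blob?
    result["block_aligned"] = len(cipher) % 16 == 0    # hint of a padded block cipher
    return result


def classify_png(cipher):
    """Same check from an encrypted PNG alone, using the fixed prefix as
    known plaintext; can confirm repeating keys of up to 8 bytes."""
    n = len(PNG_KNOWN_PREFIX)
    keystream = bytes(p ^ c for p, c in zip(PNG_KNOWN_PREFIX, cipher[:n]))
    result = classify_keystream(keystream)
    result["block_aligned"] = len(cipher) % 16 == 0
    return result


if __name__ == "__main__":
    weak = repeating_xor(SAMPLE_PNG, DEMO_KEY)
    strong = simulated_strong_encrypt(SAMPLE_PNG, b"unknown-secret")
    print("weak sample:  ", classify_pair(SAMPLE_PNG, weak))
    print("png only:     ", classify_png(weak))
    print("strong sample:", classify_pair(SAMPLE_PNG, strong))
```

A "not_simple" verdict does not mean the scheme is sound; a badly seeded or reused key (the HiddenTear concern raised above) can still be attacked, but that needs the executable rather than the encrypted files. A plaintext file such as a TXT or CSV serves the same purpose as the PNG with far more known bytes, which is why both are asked for.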


#14 Demonslay335 (Ransomware Hunter, Security Colleague, 3,251 posts, USA)

Posted 22 June 2016 - 11:28 AM

I have a beta decrypter I believe should work for this ransomware, if victims can please contact me for beta testing.



