
TrueCrypter Ransomware (.enc extension) Help & Support Topic


4 replies to this topic

#1 Demonslay335 (Ransomware Hunter, Security Colleague)

Posted 26 April 2016 - 03:42 PM

Another day, another ransomware...

 

Security researcher Jakub Kroustek tweeted today about a new ransomware spotted by the name of TrueCrypter.

 

This ransomware currently encrypts files of the following extensions, and adds ".enc" to the filename. Files on the Desktop, in My Documents, My Music, and My Pictures are prioritized, then files on any other allocated drive letters are encrypted.

 

 

.7z, .7zip, .arw, .as, .asm, .asp, .aspx, .au3, .avi, .bash, .bat, .bmp, .bookmarks, .bsh, .c, .cbr, .cc, .cer, .cfm, .class, .cmd, .config, .cpp, .cr2, .crw, .cs, .csh, .csproj, .csr, .css, .csv, .cxx, .d, .db, .dcr, .dds, .deb, .dib, .dng, .doc, .docm, .docx, .dot, .dotm, .dotx, .dtd, .eps, .fla, .fpx, .gif, .gif, .gz, .gzip, .h, .hpp, .hta, .htm, .html, .hxx, .ico, .inc, .inc, .index.ini, .jad, .java, .jfif, .jpe, .jpeg, .jpg, .js, .jsm, .json, .jsp, .jss, .jsx, .kix, .lex, .litcofee, .lpr, .lua, .m, .mov, .mp3, .mp4, .mrw, .msg, .mx, .nef, .ods, .odt, .odt, .org, .p, .pages, .pas, .pcd, .pdf, .pdn, .php, .php3, .php4, .php5, .phps, .phpt, .phtml, .pkg, .pl, .pm, .pmx, .png, .pot, .potm, .potx, .pp, .ppam, .ppsm, .ppsx, .pptm, .pptx, .prproj, .ps, .ps1, .psd, .psm1, .ptx, .pwi, .py, .pyc, .pyw, .r, .raf, .rar, .raw, .rb, .rbw, .rc, .reg, .resx, .rpm, .rss, .rtf, .rtf, .rw2, .s, .scpt, .sh, .sh, .shtml, .sitx, .sldm, .sldx, .sln, .splus, .sql, .sqlite, .sqlite3, .src, .swift, .sxc, .tar, .tar.gz, .tga, .tga, .thmx, .tif, .tiff, .ts, .tsv, .tsx, .txt, .vb, .vbs, .vcxproj, .veg, .wmw, .wpd, .wps, .xcodeproj, .xht, .xhtm, .xhtml, .xls, .xlsx, .xml, .zip, .zipx, pps, ppt, xlam, xlsb, xlsm, xltm, xltx

 

 

In addition to accepting Bitcoin ransoms (0.2 BTC), the criminals also accept Amazon Gift Cards for $115 USD.

 

This ransomware does delete shadow copies, has a UAC bypass, and uses some anti-sandbox techniques to mitigate some automated analysis.

 

Files are encrypted using AES-256, with a cryptographically-strong unique key generated for each individual file. This key is stored at the end of the file, and protected by RSA-2096 using a public key that is acquired from a central server controlled by the criminals.

 

The victim's background will be set to the following image.

 

[image: Cg-1d4eXEAAsEa6.jpg, the desktop background set by TrueCrypter]

 

A list of encrypted files is stored in %APPDATA%\Microsoft\TrueCrypter\Encrypted.dat. This directory also stores a copy of the malicious executable that is set to run on startup, and a TrueCrypter.xml file with settings such as the public RSA key, whether encryption was completed, and whether the key was submitted to the criminals' server. This allows the ransomware to load these values on startup.

 

If the victim pays, the program will automatically start decrypting files on its own.

 

At this time, there is no way to decrypt files for free. Analysis is still on-going, and any more information will be posted here.


ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.
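The post above gives two things a responder can check on a suspect machine: the ".enc" suffix appended to files with targeted extensions, and the artifacts under %APPDATA%\Microsoft\TrueCrypter\ (Encrypted.dat, TrueCrypter.xml). The following is an added triage script, not code from the original post or from the malware; it walks a directory tree, tallies ".enc" files by their original extension, checks for those artifacts, and only names TrueCrypter when the artifacts are present, because ".enc" alone is also used by other families (Crypt0L0cker/TorrentLocker, as noted later in this thread). The sample file tree and the Windows profile layout it builds in a temporary directory are constructed for the demonstration; the targeted-extension set is a subset of the list in the post.

```python
"""
Triage helper for the TrueCrypter indicators described in the post above.

Added example, not code from the original post or from the ransomware
author. It walks a directory tree, counts files carrying the ".enc"
extension by their *underlying* extension, and checks for the
%APPDATA%\\Microsoft\\TrueCrypter\\ artifacts the post names.
"""
import os
import tempfile
from collections import Counter
from pathlib import Path

# Subset of the extension list in the post (the full list is above).
TARGETED_EXTS = {
    ".7z", ".doc", ".docx", ".jpg", ".pdf", ".png", ".ps1", ".py",
    ".sql", ".txt", ".xls", ".xlsx", ".zip",
}
# Artifacts the post says TrueCrypter writes under %APPDATA%.
ARTIFACT_DIR = Path("Microsoft") / "TrueCrypter"
ARTIFACT_FILES = ("Encrypted.dat", "TrueCrypter.xml")


def classify_enc_file(path):
    """Return the pre-encryption extension for a '*.enc' file, or None.

    TrueCrypter appends '.enc' to the original name, so 'report.docx.enc'
    keeps '.docx' as its second-to-last suffix.
    """
    path = Path(path)
    if path.suffix.lower() != ".enc":
        return None
    inner = Path(path.stem).suffix.lower()  # 'report.docx' -> '.docx'
    return inner or "(none)"


def scan_tree(root):
    """Walk root and tally '.enc' files by their original extension."""
    counts = Counter()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            inner = classify_enc_file(Path(dirpath) / name)
            if inner is not None:
                counts[inner] += 1
    targeted = sum(n for ext, n in counts.items() if ext in TARGETED_EXTS)
    return {"by_ext": dict(counts), "targeted": targeted,
            "total": sum(counts.values())}


def truecrypter_artifacts(appdata):
    """Report which of the post's %APPDATA% artifacts exist."""
    base = Path(appdata) / ARTIFACT_DIR
    return {f: (base / f).is_file() for f in ARTIFACT_FILES}


def triage(root, appdata):
    """Combine both checks into a verdict a responder can act on.

    '.enc' alone is not conclusive: other families (Crypt0L0cker /
    TorrentLocker) use the same extension, so the verdict only names
    TrueCrypter when its artifacts are present.
    """
    files = scan_tree(root)
    arts = truecrypter_artifacts(appdata)
    if files["total"] == 0:
        verdict = "no .enc files found"
    elif all(arts.values()):
        verdict = "consistent with TrueCrypter"
    else:
        verdict = ".enc files present; family unconfirmed, use ID Ransomware"
    return {"files": files, "artifacts": arts, "verdict": verdict}


def build_sample(tmp):
    """Constructed sample: a 'victim' profile with a few encrypted files."""
    docs = Path(tmp) / "Documents"
    docs.mkdir()
    for name in ("report.docx.enc", "photo.jpg.enc", "notes.txt.enc",
                 "untouched.txt", "archive.tar.gz.enc"):
        (docs / name).write_bytes(b"\x00" * 16)  # placeholder content
    appdata = Path(tmp) / "AppData" / "Roaming"
    art = appdata / ARTIFACT_DIR
    art.mkdir(parents=True)
    for f in ARTIFACT_FILES:
        (art / f).write_bytes(b"")
    return Path(tmp), appdata


def run_demo():
    """Build the sample in a temp dir and triage it twice: once against the
    profile holding the artifacts, once against an empty profile."""
    with tempfile.TemporaryDirectory() as tmp:
        root, appdata = build_sample(tmp)
        with_artifacts = triage(root, appdata)
        without = triage(root, Path(tmp) / "empty_profile")
    return with_artifacts, without


if __name__ == "__main__":
    for result in run_demo():
        print(result["verdict"], result["files"])
```

On a real machine, point `triage` at the user's profile (or each drive letter, since the post says the ransomware moves on to every allocated drive after the priority folders) and at the actual %APPDATA%. The "by_ext" tally is also a quick sanity check: if most ".enc" files have original extensions outside the post's list, the family is probably not this one.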



#2 lilipower (Members)

Posted 21 September 2016 - 07:27 AM

Is there more information? My PC is infected.

Please help!!


#3 Demonslay335 (Ransomware Hunter, Security Colleague, Topic Starter)

Posted 21 September 2016 - 08:23 AM

> Is there more information? My PC is infected.
>
> Please help!!

We will need more information in order to help. This particular ransomware has had no flaws found. Are you sure it was this one; do you have the same background set? Other, more prevalent, ransomware also use the ".enc" extension, including Crypt0L0cker/TorrentLocker.




#4 lilipower (Members)

Posted 21 September 2016 - 08:44 AM

Sorry, all my files are locked with .enc, and they have been encrypted with Crypt0L0cker.

I hope that you can help me.



#5 Demonslay335 (Ransomware Hunter, Security Colleague, Topic Starter)

Posted 21 September 2016 - 09:53 AM

> Sorry, all my files are locked with .enc, and they have been encrypted with Crypt0L0cker.
>
> I hope that you can help me.

Support for Crypt0L0cker has its own topic. TL;DR: contact Dr. Web, they may be able to help you.

