
Unknown Ransomware infection of computer. Please help!


8 replies to this topic

#1 verschnupft

verschnupft

  • Members
  • 1 posts
  • OFFLINE
  • Local time:07:33 PM

Posted 14 May 2016 - 07:09 AM

My computer got infected by an unknown ransomware. It came along with an application document, which was at this moment unfortunately reasonable, because I have a small business and I had announced job offers.

 

A .zip archive was attached to the email, which I checked before with my Avira anti-virus scanner, which didn't recognize a threat. After opening the archive a window appeared with the following message:

 

ATTENTION 
All important files and information on this comuter (documents, databases, etc.) will be decrypted using a RSA cryptographic algorithm
 
  Without special software decoding a single file with the help of the most powerful computers will take about a 20 years.: 
 
__________________________________________
contact an expert  on e-mail: xorthelp@yandex.ru .
.
.

 

Almost all files were modified and had a new extension ([old file name including old extension].xort)

 

I wrote an email to the address and got the following answer:

 

Hi
1) Send us please one file "xort.key" (it is located on your computer)
2) Pay 1.3 bitcoin ~ 500 usd address "1KiQy1yy7u61pruDZkiNPuqExX1Zhn7VkA" (bitcoin can buy bitcoin.de or localbitcoins.com or etc..)
3) After payment we will send to your e-mail decryptor

 

I am using the computer for business, so I would appreciate qualified help. 

Does anybody know this ransomware and knows how to restore the modified files and get rid of the software?

 

Thanks in advance to the community.




#2 Demonslay335

Demonslay335

    Ransomware Hunter


  • Security Colleague
  • 3,511 posts
  • OFFLINE
  • Gender:Male
  • Location:USA
  • Local time:12:33 PM

Posted 14 May 2016 - 07:36 AM

I've seen some submissions for this one a few times before. I take it all of your files have ".xort" appended to them? I haven't found a whole lot of reliable sources on this one (stupid SpyHunter junk sites...), so I will look into it some more. Don't think it's terribly new, just maybe not in my radar much.

Do you still have that zip that infected you? May need it for analysis.

Try a few recovery programs such as ShadowExplorer, Recuva, and PhotoRec. Could get lucky, worth a try.

ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.


#3 DB2105

DB2105

  • Members
  • 1 posts
  • OFFLINE
  • Local time:07:33 PM

Posted 15 May 2016 - 05:05 PM

Hello,

 

I have the same ransomware on my system. Someone sent an email to us with a zip attachment. Inside the zip is a .js (JavaScript) file. The ransomware encrypted personal files, even on our network drive. We got the same message as above.

 

I have collected the following things:

- virus attachment
- encrypted files
- original files
- files from infected PC (xort.key, etc.)

 

Link

 

Password: kaspersky

Thank you in advance :)


Edited by DB2105, 15 May 2016 - 05:08 PM.


#4 Demonslay335

Demonslay335

    Ransomware Hunter


  • Security Colleague
  • 3,511 posts
  • OFFLINE
  • Gender:Male
  • Location:USA
  • Local time:12:33 PM

Posted 15 May 2016 - 05:43 PM

Thanks. I actually forgot Fabian had assessed this one a while ago, and I took a look as well (re-analyzed a sample last night to confirm it's the same thing). It drops a batch file that uses the program GPG to encrypt files using a public RSA-1024 key. There is unfortunately no way to decrypt the files without the criminal's private key. Afraid restoring from backups or trying recovery software is the only way.


#5 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,471 posts
  • OFFLINE
  • Gender:Male
  • Location:Virginia, USA
  • Local time:01:33 PM

Posted 16 May 2016 - 06:21 AM

Gnu Privacy Guard (GPG) is a symmetric-key encryption (block cipher based encryption) which uses the same key for both the encryption and decryption stages.

Symmetric key algorithm encryption
Symmetric key cryptography
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click here.

#6 Struppigel

Struppigel

    Karsten Hahn, G DATA Malware Analyst


  • Malware Response Team
  • 231 posts
  • OFFLINE
  • Gender:Male
  • Local time:07:33 PM

Posted 16 May 2016 - 07:14 AM

GPG is a programme, not an encryption. It implements a standard called OpenPGP and that includes symmetric encryption as well as asymmetric encryption.

 

See also:

The GNU Privacy Guard

Pretty Good Privacy

 

(image: PGP diagram)

 

This batch ransomware that appends .xort, .vault or .trun is called VaultCrypt or CrypVault (depending on the antivirus company that you ask) and the way it performs the encryption with GPG is flawless. It also deletes shadow volume copies and uses sdelete to make files unrecoverable by any file recovery software.

 

There is a pretty good article on this ransomware by Symantec from a year ago: http://blog.trendmicro.com/trendlabs-security-intelligence/crypvault-new-crypto-ransomware-encrypts-and-quarantines-files/

Not much has been changed since except for the file extensions.



#7 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,471 posts
  • OFFLINE
  • Gender:Male
  • Location:Virginia, USA
  • Local time:01:33 PM

Posted 16 May 2016 - 07:56 AM

Yes it is software. Not sure how I managed to add the word encryption in the description. I need another cup of coffee.
#8 Struppigel

Struppigel

    Karsten Hahn, G DATA Malware Analyst


  • Malware Response Team
  • 231 posts
  • OFFLINE
  • Gender:Male
  • Local time:07:33 PM

Posted 16 May 2016 - 01:34 PM

You are doing a truckload of work every day, quietman7. Some rest and a coffee are well-deserved.



#9 al1963

al1963

  • Members
  • 886 posts
  • OFFLINE
  • Local time:11:33 PM

Posted 17 May 2016 - 10:06 PM

DB2105, on 15 May 2016 - 05:05 PM, said:

Hello,

I have the same ransomware on my system. Someone sent an email to us with a zip attachment. Inside the zip is a .js (JavaScript) file. The ransomware encrypted personal files, even on our network drive. We got the same message as above.

I have collected the following things:

- virus attachment
- encrypted files
- original files
- files from infected PC (xort.key, etc.)

Link

Password: kaspersky

Thank you in advance :)

gpg: encrypted with RSA key, ID 75C811AE
gpg: decryption failed: secret key not available

File: E:\deshifr\files_encode\xort\1\montest.doc.xort
Time: 18.05.2016 10:06:02 (18.05.2016 3:06:02 UTC)

------------

master key:

gpg: encrypted with RSA key, ID 507B6FFD
gpg: decryption failed: secret key not available

File: E:\deshifr\files_encode\researche\Files\Files from infected PC\Desktop\00088.KEY
Time: 18.05.2016 10:12:48 (18.05.2016 3:12:48 UTC)

--------------

gpg: encrypted with RSA key, ID 507B6FFD
gpg: decryption failed: secret key not available

File: E:\deshifr\files_encode\researche\Files\Files from infected PC\Appdata-Roaming\CONFIRMATION.KEY
Time: 18.05.2016 10:14:26 (18.05.2016 3:14:26 UTC)

---------------------

likely to grow away legs

 

http://www.bleepingcomputer.com/news/security/xrtn-ransomware-uses-batch-files-to-encrypt-your-data/

 

 

Even the key name has not changed. It remained Cellar.


 


Edited by al1963, 18 May 2016 - 01:07 AM.
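The gpg output al1963 posted ("encrypted with RSA key, ID 507B6FFD ... secret key not available") is gpg reading the first OpenPGP packet of each encrypted file: a Public-Key Encrypted Session Key packet that names the recipient key. The following Python script is an added example, not code from this thread or from any of the tools linked above. It walks a directory, picks out files with the extensions named in post #6 (.xort, .vault, .trun), parses that first packet itself (both OpenPGP header styles, RFC 4880 section 4.2), and reports the 8-octet key ID and the 32-bit short form gpg prints, so an incident responder can confirm every affected file was encrypted to the same attacker key without running gpg on each one. It assumes the encrypted files are unarmored binary OpenPGP output starting with that packet, which is what al1963's output indicates; the sample files, key IDs and directory layout in `demo()` are constructed for the example. As post #4 says, nothing here can decrypt anything: the session key is wrapped with the criminal's RSA-1024 public key and only the matching private key can unwrap it.

```python
"""Triage helper for GPG-based batch ransomware (added example, not from the thread).

Finds files with the extensions named in the thread and reads the leading
OpenPGP packet of each to report the public key it was encrypted to, i.e.
the same "RSA key, ID ..." that gpg prints, without calling gpg.
"""
import struct
import tempfile
from pathlib import Path

# Extensions named in post #6. Assumption: the container format did not
# change when the extension did.
RANSOM_EXTENSIONS = {".xort", ".vault", ".trun"}

# Public-key algorithm IDs, RFC 4880 section 9.1.
PK_ALGOS = {1: "RSA", 2: "RSA (encrypt-only)", 3: "RSA (sign-only)",
            16: "ElGamal", 18: "ECDH"}


def parse_packet_header(data: bytes):
    """Decode the OpenPGP packet header at data[0] -> (tag, body_offset, body_length).

    Handles old- and new-format headers (RFC 4880 4.2). Streamed partial or
    indeterminate lengths are rejected; a PKESK packet never uses them.
    """
    if not data or not (data[0] & 0x80):
        raise ValueError("not an OpenPGP packet (bit 7 of first octet clear)")
    first = data[0]
    if first & 0x40:                        # new-format header
        tag = first & 0x3F
        n = data[1]
        if n < 192:
            return tag, 2, n
        if n < 224:
            return tag, 3, ((n - 192) << 8) + data[2] + 192
        if n == 255:
            return tag, 6, struct.unpack(">I", data[2:6])[0]
        raise ValueError("partial body length not supported")
    tag = (first & 0x3C) >> 2               # old-format header
    ltype = first & 0x03
    if ltype == 0:
        return tag, 2, data[1]
    if ltype == 1:
        return tag, 3, struct.unpack(">H", data[1:3])[0]
    if ltype == 2:
        return tag, 5, struct.unpack(">I", data[1:5])[0]
    raise ValueError("indeterminate body length not supported")


def recipient_key_id(data: bytes) -> dict:
    """Read a Public-Key Encrypted Session Key packet (tag 1, RFC 4880 5.1).

    Body: version (3), 8-octet key ID, algorithm ID, then the wrapped session
    key as MPIs. gpg's "ID 507B6FFD" is the low-order 32 bits of the key ID.
    """
    tag, off, length = parse_packet_header(data)
    if tag != 1:
        raise ValueError(f"first packet is tag {tag}, not a PKESK packet")
    body = data[off:off + length]
    if len(body) < 10 or body[0] != 3:
        raise ValueError("unsupported PKESK version or truncated packet")
    key_id = body[1:9].hex().upper()
    return {"key_id": key_id, "short_id": key_id[-8:],
            "algorithm": PK_ALGOS.get(body[9], f"algorithm {body[9]}")}


def scan_tree(root) -> list:
    """Report every file under root that carries a ransomware extension."""
    results = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file() or path.suffix.lower() not in RANSOM_EXTENSIONS:
            continue
        with path.open("rb") as fh:
            head = fh.read(64)              # header and key ID sit in the first 12 bytes
        try:
            info = recipient_key_id(head)
            info["error"] = None
        except ValueError as exc:
            info = {"key_id": None, "short_id": None, "algorithm": None, "error": str(exc)}
        info["path"] = str(path)
        info["original_name"] = path.stem  # "montest.doc.xort" -> "montest.doc"
        results.append(info)
    return results


def make_sample_pkesk(key_id_hex: str, algo: int = 1) -> bytes:
    """Constructed test data: minimal PKESK packet with an old-format header.

    The MPI is a one-byte dummy, so this parses like gpg output but is not a
    real message and wraps no session key.
    """
    mpi = bytes([0x00, 0x08, 0xAB])         # 8-bit MPI holding 0xAB
    body = bytes([3]) + bytes.fromhex(key_id_hex) + bytes([algo]) + mpi
    header = bytes([0x80 | (1 << 2), len(body)])  # old format, tag 1, 1-octet length
    return header + body


def demo() -> list:
    """Scan a throwaway directory of constructed samples (key ID is made up)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "docs").mkdir()
        (root / "docs" / "invoice.doc.xort").write_bytes(make_sample_pkesk("0011223344556677"))
        (root / "photo.jpg.vault").write_bytes(make_sample_pkesk("0011223344556677", algo=2))
        (root / "corrupt.trun").write_bytes(b"not an openpgp message")
        (root / "notes.txt").write_bytes(b"untouched plain text")
        return scan_tree(root)


if __name__ == "__main__":
    for r in demo():
        print(f"{r['path']}: key {r['key_id']} ({r['algorithm']}) "
              f"orig={r['original_name']} err={r['error']}")
```

Run against a real share, a single key ID across every hit is what you expect for this family (one public key dropped by the batch file); a file that fails to parse is either damaged or was not produced by the same tool and deserves a closer look before it is written off.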




