
8lock8 Help & Support Topic (.8lock8) - READ_IT.txt

3 replies to this topic

#1 Demonslay335

Demonslay335

    Ransomware Hunter


  • Security Colleague
  • 2,666 posts
  • Gender:Male
  • Location:USA
  • Local time:09:00 AM

Posted 14 May 2016 - 09:25 AM

A new ransomware based on HiddenTear was found that encrypts files with AES-256 and appends ".8lock8" to encrypted files, e.g. "file.jpg.8lock8".

 

Thanks to @DanielGallagher for acquiring a sample for analysis.

 

The file "READ_IT.txt" is added to the desktop, and the root of every drive that was hit. All drive letters are traversed for encrypting files.

Files have been encrypted!Файлы были зашифрованы
It uses cryptographically strong algorithm!Используется криптостойкий алгоритм
contact by e-mail: d1d81238@tuta.io  or d1d81238@india.com 
to identify , use lower hash!для идентификации используйте нижний хэш
[random hash]

Targeted file types are as follows.

 

.asp, .aspx, .avi, .bmp, .csv, .doc, .docx, .htm, .html, .jpg, .mdb, .odt, .pdf, .php, .png, .ppt, .pptx, .rar, .sln, .sql, .txt, .wav, .xls, .xlsx, .xml, .zip

 

Analysis is still under way, more details will be released at a later time.

 

This ransomware is decryptable.

 

To decrypt, you must first acquire the key using my HiddenTear Bruteforcer. This requires an encrypted PNG file (*.png.8lock8); the smaller the file, the better. Load the encrypted PNG file, and select "EightLockEight" mode at the bottom. Then, press "Start Bruteforce".

 

https://download.bleepingcomputer.com/demonslay335/hidden-tear-bruteforcer.zip

 

 


 

Once a key is found, click on the "Click here to check file for success" message to preview the decrypted file. If the file looks OK, then you have the correct key!

 

Once you have the key, copy the key and paste it into my HiddenTear Decrypter, and type the extension of the files (".8lock8"). Select a folder to decrypt, and click "Decrypt My Files".

 

https://download.bleepingcomputer.com/demonslay335/hidden-tear-decrypter.zip

 


 

 

Also as a note, if the hash (last line of random letters) in your ransom note ends with "AH33", you can actually skip the use of the bruteforcer and use the password "Whendiplomacyends,Warbegins.1933". This happens if the malware failed to reach the CC server.

 

If you have any problems with these steps, let me know!


Edited by Demonslay335, 14 May 2016 - 11:14 AM.

ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]




#2 Amigo-A

Amigo-A

  • Members
  • 159 posts
  • Gender:Male
  • Location:Third station from Sun
  • Local time:07:00 PM

Posted 14 May 2016 - 04:06 PM

Great news!

Thank you, Demonslay335


Edited by Amigo-A, 14 May 2016 - 04:08 PM.

Digest of Crypto-Ransomware's (In Russian) + Google Translate Technology

Anti-Ransomware Project  (In Russian) + Google Translate Technology


#3 ruibranco

ruibranco

  • Members
  • 10 posts
  • Local time:03:00 PM

Posted 16 May 2016 - 12:43 PM

This is great news!!

 

Any chance to get your tool working with Mobef?

 

I think that I read somewhere that it was based on HiddenTear as well (but I'm not sure), so any chance to get it working?

 

My files have the original extension untouched!

 

Once again, great job!



#4 Demonslay335

Demonslay335

    Ransomware Hunter

  • Topic Starter

  • Security Colleague
  • 2,666 posts
  • Gender:Male
  • Location:USA
  • Local time:09:00 AM

Posted 16 May 2016 - 12:58 PM


Afraid Mobef is definitely not based on HiddenTear; it's written in Visual C++ from what I can tell. It's above me to break it apart any further currently.

