.777 Ransomware Help & Support Topic(.777 Extension)

Hi There

I have a new form of ransomware. it renamed all my files to an email address and a .777 extention. No ransomware notes were left. For example 20160310 AEDO FILE 12H04.xls._13-05-2016-06-09-42_$ninja.gaiver@aol.com$.777

any suggestions?

------------------------------

 
Thankfully, Fabian Wosar of Emsisoft has been able to devise a way to decrypt files encrypted by this family:
 

https://decrypter.emsisoft.com/777
 
As a general rule I don't accept any donations for my work. If you feel thankful and want to throw some money at something, I suggest investing into a proper backup solution. Personally I am using CrashPlan. However, there are a lot of different solutions out there. Pick one that you feel comfortable with. If you are unsure, I am sure the helpful users in this amazing community will love to help you out picking one that fits your needs and requirements. If you want to spend even more money, I am sure the polar bears would appreciate your help. I know one polar bear in particular that would be very thankful.  

Edited by xXToffeeXx, 19 May 2016 - 02:40 PM.
Added decrypter info~

Thanks. I have submitted the file. I could only submit one but I do have both original and encrypted files.

Will do a scan on the server before I do a restore and see what I get.

Funny thing is that I did not get any ransom notes and it seems as if the encryption was interrupted in some way. As soon as the client notified me I did a complete shutdown. @demonslay355 I can give you access to the my server via team viewer if you would like to have a look.

Second server got hit by the .777 ransomware.

Hi, 

Our Server have been hit also with this .777 Ransomware, our Management is now freaking out as Our Accounting Server has been hit as well as the latest back-up , Out Management told me to contact them by email they are demanding $1500 here is their demands

http://img4.imagetitan.com/img.php?image=13_ware.jpg

Edited by jun2016, 16 May 2016 - 09:19 AM.

I have both encrypted and original files. where can I upload them for analyses? Encrypted .txt files become readable after the original has been restored. 

Hi werries87,

did you get to restore the encrypted file? How?

And can you share how this get into your server, This baffles my mind because our infected server only deploys one app our Accounting Software and nobody can access this without login credential and they dont even have a desktop just the application, Nobody is even allowed to inserted a USB Drive in it, it's running Windows Server 2008 Standard, has the latest Kaspersky End-point Security Kaspersky Anti-Virus and it is located on our Server Room, and only two people allowed to enter there, only me and my colleague, the attack happened last weekend as seen on the Backup-log of our Accounting Software, searched the whole Drive and did not also see a Ransom Note.

Hi Jun

Unfortunately it is not decrypted as of yet. I restored the C drive with Shadow copies as that was still in-tacked. The user immediately shut down the server. It is running Windows Server 2008. There is no clear trace on where it came from, at least not server one. On Saturday my second Server got hit. We did not notice it until this morning. All system files were encrypted together with ALL the data. Shadow copies were removed. This hit seems to be an email attachment. I am busy examining the users notebook as we speak. I am busy restoring from backups and that seems to be the only way to get your data back until someone can get a decryption.

Hi Jun

 

Unfortunately it is not decrypted as of yet. I restored the C drive with Shadow copies as that was still in-tacked. The user immediately shut down the server. It is running Windows Server 2008. There is no clear trace on where it came from, at least not server one. On Saturday my second Server got hit. We did not notice it until this morning. All system files were encrypted together with ALL the data. Shadow copies were removed. This hit seems to be an email attachment. I am busy examining the users notebook as we speak. I am busy restoring from backups and that seems to be the only way to get your data back until someone can get a decryption.

It also seems once the encryption gets interrupted it stops completely.

 

Hi Jun

 

Unfortunately it is not decrypted as of yet. I restored the C drive with Shadow copies as that was still in-tacked. The user immediately shut down the server. It is running Windows Server 2008. There is no clear trace on where it came from, at least not server one. On Saturday my second Server got hit. We did not notice it until this morning. All system files were encrypted together with ALL the data. Shadow copies were removed. This hit seems to be an email attachment. I am busy examining the users notebook as we speak. I am busy restoring from backups and that seems to be the only way to get your data back until someone can get a decryption.

It also seems once the encryption gets interrupted it stops completely.

 

Hi Werries,

Good for you you still have the Shadow Copies,

As for our Server, we did not even have a clue what happened as friday am still at the office til 8PM and our Accounting App on server have 2 email notification for Backup Completion, one at Lunch Time (11 AM) and after Office Hours (6PM) both message me a successful backup, we don't have office weekends and monday is non-working holiday. I did see an email Saturday Morning that Backup is not successful this sometimes happens and did not worry because even if the file got corrupted I still have backup on the NAS, but this nasty ransomware even penetrated the mapped drives where my backups are. 

Hello. I also presented me a .777 file

You have news?