.777 Ransomware Help & Support Topic (.777 Extension)


91 replies to this topic

#1 werries87

werries87

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:01:25 PM

Posted 15 May 2016 - 05:53 AM

Hi There

I have a new form of ransomware. It renamed all my files to an email address and a .777 extension. No ransomware notes were left. For example: 20160310 AEDO FILE 12H04.xls._13-05-2016-06-09-42_$ninja.gaiver@aol.com$.777

Any suggestions?

 

------------------------------

 
Thankfully, Fabian Wosar of Emsisoft has been able to devise a way to decrypt files encrypted by this family:
 

https://decrypter.emsisoft.com/777
 
As a general rule I don't accept any donations for my work. If you feel thankful and want to throw some money at something, I suggest investing into a proper backup solution. Personally I am using CrashPlan. However, there are a lot of different solutions out there. Pick one that you feel comfortable with. If you are unsure, I am sure the helpful users in this amazing community will love to help you out picking one that fits your needs and requirements. If you want to spend even more money, I am sure the polar bears would appreciate your help. I know one polar bear in particular that would be very thankful.   :wink:


Edited by xXToffeeXx, 19 May 2016 - 02:40 PM.
Added decrypter info~
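
An added example, not part of the original posts or of any tool mentioned in this topic: parsing the renaming pattern visible in the filename quoted above, to scope from a file listing which files were hit, when, and under which contact address. The pattern itself, the day-month-year reading of the timestamp, and every path other than the quoted filename are assumptions.

```python
import re
from collections import Counter
from datetime import datetime
from pathlib import PureWindowsPath

# Pattern inferred from the single filename quoted in the post (an assumption):
#   <original name>._<DD-MM-YYYY-HH-MM-SS>_$<contact email>$.777
RENAMED = re.compile(
    r"^(?P<original>.+)\._(?P<stamp>\d{2}-\d{2}-\d{4}-\d{2}-\d{2}-\d{2})_"
    r"\$(?P<contact>[^$]+)\$\.777$"
)

def parse_777_name(path):
    """Return (original_name, timestamp, contact), or None if the name does not match."""
    name = PureWindowsPath(path).name
    m = RENAMED.match(name)
    if not m:
        return None
    try:
        stamp = datetime.strptime(m["stamp"], "%d-%m-%Y-%H-%M-%S")
    except ValueError:  # right shape, but not a valid date/time
        return None
    return m["original"], stamp, m["contact"]

def summarize(paths):
    """Scope an incident from a file listing: count, time window, contacts, non-matches."""
    hits = [(p, parse_777_name(p)) for p in paths]
    parsed = [r for _, r in hits if r]
    stamps = [s for _, s, _ in parsed]
    return {
        "encrypted": len(parsed),
        "unmatched": [p for p, r in hits if r is None],
        "first": min(stamps) if stamps else None,
        "last": max(stamps) if stamps else None,
        "contacts": Counter(c for _, _, c in parsed),
    }

# Constructed listing: the first name is the one from the post, the rest are made up.
SAMPLE = [
    r"D:\Data\20160310 AEDO FILE 12H04.xls._13-05-2016-06-09-42_$ninja.gaiver@aol.com$.777",
    r"D:\Data\report.docx._13-05-2016-06-11-07_$ninja.gaiver@aol.com$.777",
    r"D:\Data\notes.txt",
    r"D:\Data\odd._99-99-2016-06-09-42_$x@example.com$.777",
]

if __name__ == "__main__":
    for key, value in summarize(SAMPLE).items():
        print(key, value)
```

The first and last timestamps give the window to compare against backup logs and shadow-copy dates when choosing a restore point.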



#2 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 49,953 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:06:25 AM

Posted 15 May 2016 - 06:30 AM

As Grinler advised in this BC News article...Samples of any encrypted files, ransom notes or suspicious executables (installer, malicious files, attachments) that you suspect were involved in causing the infection can be submitted here (http://www.bleepingcomputer.com/submit-malware.php?channel=168) with a link to this topic.
Microsoft MVP Consumer Security 2007-2015
Microsoft MVP Reconnect 2016
Windows Insider MVP 2017
Member of UNITE, Unified Network of Instructors and Trusted Eliminators


#3 werries87

werries87
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:01:25 PM

Posted 15 May 2016 - 06:40 AM

Thanks. I have submitted the file. I could only submit one but I do have both original and encrypted files.



#4 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 49,953 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:06:25 AM

Posted 15 May 2016 - 06:59 AM

Ok.

#5 Demonslay335

Demonslay335

    Ransomware Hunter


  • Security Colleague
  • 3,251 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:05:25 AM

Posted 15 May 2016 - 10:37 AM

We will need a sample of the malware itself to analyze. I suspect this is part of a kit based on the format of the files, and different email addresses in the ransom note. I've seen a few different ones submitted to ID Ransomware in the last few days.

We're on the hunt for this one.

https://twitter.com/demonslay335/status/731591837383720960?s=09

ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.


#6 werries87

werries87
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:01:25 PM

Posted 15 May 2016 - 10:50 AM

Will do a scan on the server before I do a restore and see what I get.



#7 werries87

werries87
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:01:25 PM

Posted 15 May 2016 - 10:53 AM

Funny thing is that I did not get any ransom notes and it seems as if the encryption was interrupted in some way. As soon as the client notified me I did a complete shutdown. @Demonslay335 I can give you access to my server via TeamViewer if you would like to have a look.



#8 werries87

werries87
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:01:25 PM

Posted 16 May 2016 - 03:52 AM

Second server got hit by the .777 ransomware.



#9 jun2016

jun2016

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:07:25 PM

Posted 16 May 2016 - 09:18 AM

Hi, 

 

Our server has also been hit with this .777 ransomware. Our management is now freaking out, as our accounting server has been hit as well as the latest backup. Our management told me to contact them by email; they are demanding $1500. Here are their demands:

http://img4.imagetitan.com/img.php?image=13_ware.jpg


Edited by jun2016, 16 May 2016 - 09:19 AM.


#10 werries87

werries87
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:01:25 PM

Posted 16 May 2016 - 09:33 AM

I have both encrypted and original files. Where can I upload them for analysis? Encrypted .txt files become readable after the original has been restored.



#11 jun2016

jun2016

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:07:25 PM

Posted 16 May 2016 - 10:42 AM

Hi werries87,

Did you get to restore the encrypted file? How?

And can you share how this got into your server? This baffles me because our infected server only deploys one app, our accounting software, and nobody can access it without login credentials, and they don't even have a desktop, just the application. Nobody is even allowed to insert a USB drive in it. It's running Windows Server 2008 Standard, has the latest Kaspersky Endpoint Security, Kaspersky Anti-Virus, and it is located in our server room, and only two people are allowed to enter there, only me and my colleague. The attack happened last weekend as seen in the backup log of our accounting software. I searched the whole drive and also did not see a ransom note.



#12 werries87

werries87
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:01:25 PM

Posted 16 May 2016 - 11:02 AM

Hi Jun

 

Unfortunately it is not decrypted as of yet. I restored the C drive with Shadow copies as that was still intact. The user immediately shut down the server. It is running Windows Server 2008. There is no clear trace on where it came from, at least not server one. On Saturday my second server got hit. We did not notice it until this morning. All system files were encrypted together with ALL the data. Shadow copies were removed. This hit seems to be an email attachment. I am busy examining the user's notebook as we speak. I am busy restoring from backups and that seems to be the only way to get your data back until someone can get a decryption.



#13 werries87

werries87
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:01:25 PM

Posted 16 May 2016 - 11:16 AM

Hi Jun

 

Unfortunately it is not decrypted as of yet. I restored the C drive with Shadow copies as that was still intact. The user immediately shut down the server. It is running Windows Server 2008. There is no clear trace on where it came from, at least not server one. On Saturday my second server got hit. We did not notice it until this morning. All system files were encrypted together with ALL the data. Shadow copies were removed. This hit seems to be an email attachment. I am busy examining the user's notebook as we speak. I am busy restoring from backups and that seems to be the only way to get your data back until someone can get a decryption.

It also seems once the encryption gets interrupted it stops completely.



#14 jun2016

jun2016

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:07:25 PM

Posted 16 May 2016 - 11:41 AM

 

Hi Jun

 

Unfortunately it is not decrypted as of yet. I restored the C drive with Shadow copies as that was still intact. The user immediately shut down the server. It is running Windows Server 2008. There is no clear trace on where it came from, at least not server one. On Saturday my second server got hit. We did not notice it until this morning. All system files were encrypted together with ALL the data. Shadow copies were removed. This hit seems to be an email attachment. I am busy examining the user's notebook as we speak. I am busy restoring from backups and that seems to be the only way to get your data back until someone can get a decryption.

It also seems once the encryption gets interrupted it stops completely.

 

 

Hi Werries,

 

Good for you that you still have the Shadow Copies.

As for our server, we did not even have a clue what happened, as on Friday I was still at the office until 8 PM and our accounting app on the server has 2 email notifications for backup completion, one at lunch time (11 AM) and one after office hours (6 PM); both messaged me a successful backup. We don't have office on weekends and Monday is a non-working holiday. I did see an email Saturday morning that the backup was not successful; this sometimes happens and I did not worry, because even if the file got corrupted I still have a backup on the NAS, but this nasty ransomware even penetrated the mapped drives where my backups are.



#15 DarioZap

DarioZap

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:12:25 PM

Posted 16 May 2016 - 02:31 PM

Hello. I have also been presented with a .777 file.

Do you have news?





