ODCODC Ransomware (.odcodc) Help & Support - readthis.txt


37 replies to this topic

#1 Demonslay335 (Ransomware Hunter, Security Colleague, 3,251 posts, USA)

Posted 23 May 2016 - 11:58 AM

A new ransomware was discovered that encrypts files and appends the extension ".odcodc" and an email address to the filename. The format is "C-email-<email_address>-<original_filename>.odcodc".

 

An example encrypted file may be renamed to "C-email-abennaki@india.com-Chrysanthemum.jpg.odcodc".

 

The ransom note left is called "readthis.txt" in each encrypted folder, with the following contents.

 

 

Your personal files are encrypted!

 
What happened to your files?
All of your files were protected by a strong encryption with RSA-2048. https://en.wikipedia.org/wiki/RSA_(cryptosystem)
 
What does this mean?
This means that the structure and data within your files have been irrevocably changed, you will not be able to work with them, read them or see them, it is the same thing as losing them forever, but with our help, you cant restore them.
 
What to do?
We can recover your files. You can trust us, for proof of this we can decrypt some your files for free.
 
How to contact you?
Write us to email: abennaki@india.com
 
 
Ваши персональные файлы зашифрованы!
 
Что случилось с файлами?
Все ваши файлы зашищены криптостойким алгоритмом RSA-2048. https://en.wikipedia.org/wiki/RSA_(cryptosystem)
 
Что это значит?
Это значит, что структура и содержимое ваших файлов потерпили необратиме изменения, вы не можете с ними работать, читать или видеть, это тоже самое, что потерять их бесповоротно, но, с нашей помощью, вы можете их все восстановить.
 
Что мне делать?
Мы можем полностью восстановить доступ к вашим файлам. Вы можете нам доверять, доказать честность и серьезность наших намерений мы можем бесплатной расшифровкой нескольких файлов.
 
Как с вами связаться?
Напишите нам на почту: abennaki@india.com
Your PCID:: WIN-F9KR5MHB5C0706219416
 
Analysis is still under way, but early signs show there may be a way to help victims.

Edited by Demonslay335, 23 May 2016 - 11:58 AM.

ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.
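A small triage helper for the naming pattern described in the post, added here as an example (it is not code from the thread, from ID Ransomware or from the analysts involved): it recovers the original filename and the embedded contact address from an ODCODC-renamed file, and summarises a file listing by encrypted files, contact addresses and dropped ransom notes. It assumes only the `C-email-<email_address>-<original_filename>.odcodc` pattern and the `readthis.txt` note name stated above; the sample listing is constructed.

```python
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Iterable, List, Optional

RANSOM_NOTE = "readthis.txt"
EXTENSION = ".odcodc"

# Encrypted files are renamed to C-email-<email_address>-<original_filename>.odcodc.
# The domain is matched non-greedily and must end in a TLD, so a hyphen in the
# original filename is not swallowed into the email address.
NAME_RE = re.compile(
    r"^C-email-(?P<email>[^@\s/\\]+@[^\s/\\]+?\.[A-Za-z]{2,})-(?P<original>.+)"
    + re.escape(EXTENSION) + r"$"
)

@dataclass(frozen=True)
class EncryptedFile:
    path: str
    email: str     # attacker contact address embedded in the filename
    original: str  # filename the file had before encryption

def parse_odcodc(path: str) -> Optional[EncryptedFile]:
    """Parse an ODCODC-renamed file; return None if the name does not match."""
    m = NAME_RE.match(PureWindowsPath(path).name)
    if not m:
        return None
    return EncryptedFile(path, m.group("email"), m.group("original"))

def restored_path(enc: EncryptedFile) -> str:
    """Path the file gets back once a decrypter restores its original name."""
    return str(PureWindowsPath(enc.path).with_name(enc.original))

def triage(paths: Iterable[str]) -> dict:
    """Summarise a listing: encrypted files, contact addresses seen, notes dropped."""
    encrypted: List[EncryptedFile] = []
    notes: List[str] = []
    for p in paths:
        if PureWindowsPath(p).name.lower() == RANSOM_NOTE:
            notes.append(p)
        elif (enc := parse_odcodc(p)) is not None:
            encrypted.append(enc)
    return {"encrypted": encrypted,
            "emails": sorted({e.email for e in encrypted}),
            "notes": notes}

# Constructed listing; the first entry is the example filename from the post above.
SAMPLE_LISTING = [
    r"C:\Users\victim\Pictures\C-email-abennaki@india.com-Chrysanthemum.jpg.odcodc",
    r"C:\Users\victim\Pictures\readthis.txt",
    r"C:\Users\victim\Docs\C-email-transcript@india.com-Q2-report.docx.odcodc",
    r"C:\Users\victim\Docs\notes.txt",
]
```

Feed `triage()` the paths from a walk of the affected volume; `restored_path()` gives the name a file should get back once a decrypter exists.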



#2 Amigo-A (Members, 227 posts, 3st station from Sun)

Posted 23 May 2016 - 12:10 PM

Demonslay335

Does the ransom note just come in two languages - English and Russian?

 

Some confusion: Abenaki, India and Russian text. What won't they come up with in order to get a ransom. :)


Edited by Amigo-A, 23 May 2016 - 12:18 PM.

Need info about Crypto-Ransomware? A huge safe base here!

Digest about Crypto-Ransomwares (In Russian) + Google Translate Technology

Anti-Ransomware Project  (In Russian) + Google Translate Technology and links


#3 Demonslay335 (Ransomware Hunter, Topic Starter, Security Colleague, 3,251 posts, USA)

Posted 23 May 2016 - 12:32 PM

Based on IDR submissions, it appears to be Russian.




#4 Amigo-A (Members, 227 posts, 3st station from Sun)

Posted 23 May 2016 - 01:08 PM

Based on IDR submissions, it appears to be Russian.

Yes, that is Russian, but only 90%.

But no Russian would write:

"потерпили необратиме изменения"

"Потерять их бесповоротно"

Even Google cannot translate what is written here. Never!
It's a kind of awry Russian.

If I used such turns of speech in the Russian language, people would tell me "he got drunk" or "went to the roof."  :crazy:


Edited by Amigo-A, 24 May 2016 - 07:24 AM.



#5 Amigo-A (Members, 227 posts, 3st station from Sun)

Posted 24 May 2016 - 05:36 AM

There are also cases where the note was written only in English, with the email transcript@india.com.




#6 Amigo-A (Members, 227 posts, 3st station from Sun)

Posted 24 May 2016 - 07:23 AM

[image: 9864400m.png]

 

Demonslay335

The creators of ODCODC Ransomware are Ukrainians. They use mixed words - Russian and Ukrainian. For one of the words, see the picture.




#7 Ratatosk (Members, 3 posts)

Posted 24 May 2016 - 11:43 AM

I have the ransom note, the exe files of the ransomware and encrypted files. Where do I upload them?



#8 Demonslay335 (Ransomware Hunter, Topic Starter, Security Colleague, 3,251 posts, USA)

Posted 24 May 2016 - 12:50 PM

You can upload them here: http://www.bleepingcomputer.com/submit-malware.php?channel=168

 

We do have a sample that is under analysis right now.




#9 Amigo-A (Members, 227 posts, 3st station from Sun)

Posted 31 May 2016 - 08:48 AM

Demonslay335,

Is there new information about ODCODC?




#10 Demonslay335 (Ransomware Hunter, Topic Starter, Security Colleague, 3,251 posts, USA)

Posted 31 May 2016 - 09:40 AM

It is decryptable based on analysis; we are just still working out the full algorithm to build a decrypter. We've just been thrown so many new ransomwares lately. :/



#11 Amigo-A (Members, 227 posts, 3st station from Sun)

Posted 31 May 2016 - 12:13 PM

I understand. I have a blog on the ransomware.
What advice should I give Ratatosk? He came from me.
Should he make a backup of the infected files?



#12 Demonslay335 (Ransomware Hunter, Topic Starter, Security Colleague, 3,251 posts, USA)

Posted 31 May 2016 - 01:15 PM

A full backup of the encrypted files should be sufficient, but I would recommend a full image backup to be safe. I don't have the full breakdown of the algorithm yet; I'm working with another analyst who is actually deciphering the assembly code.




#13 Amigo-A (Members, 227 posts, 3st station from Sun)

Posted 31 May 2016 - 02:33 PM

An ISO image can be made with the program WinCDEmu.
Will this help?



#14 Amigo-A (Members, 227 posts, 3st station from Sun)

Posted 03 June 2016 - 04:30 PM

Nyxbone added a description of ODCODC:

http://www.nyxbone.com/malware/odcodc.html




#15 hejsan1 (Members, 1 post)

Posted 29 June 2016 - 09:58 AM

Hello,

 

Any news about this ransomware? Is it decryptable?





