
id-<number>.{masterlock@india.com}.crypt Support & Help Topic


51 replies to this topic

#1 HereticSin


Posted 24 May 2016 - 11:30 AM

Does anyone recognize this encryption type?  I've tried numerous Kaspersky decryption tools, and the ESET "ESETTeslaCryptDecryptor" with no success.  I've been able to track down some of the original files but they are slightly smaller in file size.  Most of the backups that were being made have been infected as well.
 
ESET Detected the infection as "win32/filecoder.nfy" as well.  There was only one file that was created that I can see, on the desktop folder of a different user on this server, named "How to decrypt your files.txt", containing only this: "To decrypt your data write me to masterlock@india.com"
 
Thanks for any info!


Edited by quietman7, 19 July 2016 - 02:34 PM.



#2 HereticSin


Posted 24 May 2016 - 12:01 PM

I emailed the people anyway, and they just responded with this after about 30 minutes:

 

Hello, dear friend!
We are writing to inform you that our team of network security specialists has analyzed your system and has identified vulnerabilities in the protection.
We kindly draw your attention that defensive operation on your computer is not running properly and now the whole database is at risk.
All your files are encrypted and can not be accepted back without our professional help.
Obviously vulnerability analysis, troubleshooting, decoding the information and then ensuring safety are not a simple matter.
And so our high-grade and quick service is not free.

Please note that today the price of your files recovery is 3 Bitcoins, but next day it will cost 5 Bitcoins.
You should buy bitcoins here https://localbitcoins.com/faq
Read the paragraphs:
1. How to buy Bitcoins?
2. How do I send Bitcoins and how can I pay with Bitcoins after buying them?
The Bitcoin wallet for payment is 12yDGpp82ejLqT6GbE4qAPtCYAKRpksbWd

After the transfer of bitcoins please send email with screenshot of the payment page.
We does not advise you to lose time, because the price will encrese with each passing day.
As proof of our desire and readiness to help you, we can decipher a few of your files for test.
To check this you can upload any 1 encrypted file on web site dropmefiles.com, size no more than 10 MB (only 1 text file or a photo) and send us a download link.
Certainly after payment we guarantee prompt solution of the problem, decrypt the database to return to its former condition and consultation how to secure the rules of the system safety.
Kind regards, Master Lock.

Edited by HereticSin, 24 May 2016 - 12:01 PM.


#3 HereticSin


Posted 24 May 2016 - 12:07 PM

I have now uploaded a sample file for them to look at, anyone else who may want to take a look here is the link:

https://dropmefiles.com/nwYwZ



#4 HereticSin


Posted 24 May 2016 - 12:26 PM

Well I now have one successfully restored file, but using the "rannohdecryptor.exe" from Kaspersky says they're different file sizes still.



#5 HereticSin


Posted 24 May 2016 - 01:19 PM

I've just uploaded that sample file to the Bleeping Computer sample uploader thing



#6 quietman7

    Bleepin' Janitor
  • Global Moderator

Posted 24 May 2016 - 04:12 PM

ESET Detected the infection as "win32/filecoder.nfy" as well.  There was only one file that was created that I can see, on the desktop folder of a different user on this server, named "How to decrypt your files.txt", containing only this: "To decrypt your data write me to masterlock@india.com"

Win32/Filecoder.NFY...(aka Troldesh, Shade, Encoder.858) is a crypto malware detection by ESET. According to their research lab, there are several different variants.

Troldesh (Shade) is a crypto-ransomware variant created in Russia that appends encrypted data files with an .XTBL or .YTBL extension to the end of each filename. In later versions, Kaspersky Lab advises the malware added the infected computer's ID and then the .xtbl extension to the file name, like this example...ArSxrr+acw970LFQw.043C17E72A1E91C6AE29.xtbl. According to ESET, the newer variants append an additional .<id-random>.<email>.xtbl extension.

Troldesh leaves files (ransom notes) with names like README1.txt, README2.txt...README10.txt and How to decrypt your files.txt.

Do your encrypted files have the .XTBL extension in the file name?

#7 HereticSin


Posted 24 May 2016 - 04:17 PM

One of the sample files I have is:

CONFIG.SYS.id-<idnumber>.{masterlock@india.com}.crypt

I've replaced the id number with <idnumber> just in case.

I have not seen any .xtbl extensions, only .crypt.


Edited by HereticSin, 24 May 2016 - 04:17 PM.
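As an added example (not code from the thread, ID Ransomware or any tool mentioned here), the filename forms described above can be turned into a small triage script: it applies the `<orig>.id-<id>.{<email>}.crypt` pattern from this thread and the Troldesh/Shade `.xtbl`/`.ytbl` forms quietman7 lists to a directory listing, recovering the original filename, the victim ID and the contact address from each name, and flagging ransom-note filenames. The regexes and the sample listing are constructed assumptions; a bare `.crypt` extension is deliberately left unattributed, since the extension alone is shared by other families.

```python
import re
from collections import Counter

# Constructed regexes for the filename forms discussed in the thread (not from any tool).
# Poster's form: <orig>.id-<id>.{<email>}.crypt
CRYPT_ID_EMAIL = re.compile(r"^(?P<orig>.+)\.id-(?P<id>[^.{}]+)\.\{(?P<email>[^{}]+)\}\.crypt$")
# Troldesh/Shade newer variants (per ESET): <orig>.id-<id>.<email>.xtbl
TROLDESH_EMAIL = re.compile(r"^(?P<orig>.+)\.id-(?P<id>[^.{}]+)\.(?P<email>[^{}\s]+@[^{}\s]+?)\.(?P<ext>xtbl|ytbl)$", re.I)
# Troldesh/Shade with a hex victim ID (per Kaspersky): <encrypted-name>.<HEXID>.xtbl
TROLDESH_ID = re.compile(r"^(?P<orig>.+)\.(?P<id>[0-9A-F]{16,})\.(?P<ext>xtbl|ytbl)$", re.I)
# Early Troldesh/Shade: plain .xtbl / .ytbl appended to the name
TROLDESH_PLAIN = re.compile(r"^(?P<orig>.+)\.(?P<ext>xtbl|ytbl)$", re.I)
# Ransom-note names mentioned in the thread
RANSOM_NOTE = re.compile(r"^(README([1-9]|10)\.txt|How to decrypt your files\.txt)$", re.I)
FAMILIES = (("masterlock .crypt", CRYPT_ID_EMAIL), ("Troldesh/Shade (id+email)", TROLDESH_EMAIL),
            ("Troldesh/Shade (id)", TROLDESH_ID), ("Troldesh/Shade", TROLDESH_PLAIN))

def classify(name):
    """Describe one filename: ransom note, encrypted file (plus what the name reveals), or clean."""
    if RANSOM_NOTE.match(name):
        return {"kind": "ransom_note", "family": None, "original": None, "victim_id": None, "email": None}
    for family, rx in FAMILIES:  # most specific pattern first
        m = rx.match(name)
        if m:
            g = m.groupdict()
            return {"kind": "encrypted", "family": family, "original": g["orig"],
                    "victim_id": g.get("id"), "email": g.get("email")}
    if name.lower().endswith(".crypt"):
        # A bare .crypt is used by several families (ID Ransomware guessed CryptXXX/Chimera
        # for this one), so it is counted as encrypted but not attributed.
        return {"kind": "encrypted", "family": None, "original": name[:-6], "victim_id": None, "email": None}
    return {"kind": "clean", "family": None, "original": name, "victim_id": None, "email": None}

def triage(names):
    """Summarise a listing: encrypted counts per family, note names, contact addresses, victim IDs."""
    results = [classify(n) for n in names]
    families = Counter(r["family"] or "unattributed" for r in results if r["kind"] == "encrypted")
    return {"families": dict(families),
            "notes": [n for n, r in zip(names, results) if r["kind"] == "ransom_note"],
            "emails": sorted({r["email"] for r in results if r["email"]}),
            "victim_ids": sorted({r["victim_id"] for r in results if r["victim_id"]})}

SAMPLE_LISTING = [  # constructed listing, not the poster's files; the IDs are made up
    "CONFIG.SYS.id-1234567890.{masterlock@india.com}.crypt",
    "Budget 2016.xlsx.id-1234567890.{masterlock@india.com}.crypt",
    "ArSxrr+acw970LFQw.043C17E72A1E91C6AE29.xtbl", "photo.jpg.id-A1B2C3.someone@example.com.xtbl",
    "notes.txt.ytbl", "archive.zip.crypt", "How to decrypt your files.txt", "README3.txt", "readme.md",
]
```

Running `triage` over a real listing gives the same evidence ID Ransomware asks for (note names, contact address, extension form) before anything is uploaded anywhere.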


#8 quietman7

    Bleepin' Janitor
  • Global Moderator

Posted 24 May 2016 - 04:30 PM

Did you submit samples of encrypted files and ransom notes to ID Ransomware for assistance with identification?

This may be a new ransomware infection.

#9 HereticSin


Posted 25 May 2016 - 12:00 AM

I've just uploaded that sample file to the Bleeping Computer sample uploader thing

Yes, I have.



#10 quietman7

    Bleepin' Janitor
  • Global Moderator

Posted 25 May 2016 - 06:04 AM

Submitting samples to ID Ransomware is different from uploading samples to Bleeping Computer.

#11 Demonslay335

    Ransomware Hunter
  • Security Colleague

Posted 25 May 2016 - 09:58 AM

I do not have a definition for identifying this one yet. I suspect it is part of another kit based on the email address and extension, but haven't looked into it too much.

 

ID Ransomware may currently think it is CryptXXX or Chimera based on the ".crypt", but that is a false-positive in this case. I've had a few submissions in the last day or two from this one.




#12 HereticSin


Posted 25 May 2016 - 11:00 AM

Submitting samples to ID Ransomware is different from uploading samples to Bleeping Computer.

I submitted the file using the "http://www.bleepingcomputer.com/submit-malware.php" website and linked this forum with it.


Edited by HereticSin, 25 May 2016 - 11:00 AM.


#13 HereticSin


Posted 25 May 2016 - 11:02 AM

To update, I've now paid the hacker and gotten the utility and key from them, and it's decrypting files and working now.  I still have the links and the tools that they gave me if they are any use to anyone.  I plan to write in detail parts of the conversation I had with him, the links and the tools that I used so that others can analyze it.  I do not need it fixed anymore as I've already paid it off, but if I can help others I would like to do so.



#14 Demonslay335

    Ransomware Hunter
  • Security Colleague

Posted 25 May 2016 - 12:11 PM

Sorry to hear you had to resort to paying the ransom.

 

If you can package up the decrypter, the key, a few sample encrypted files, and any suspicious files that may have led to the infection, you may submit them here for analysis: http://www.bleepingcomputer.com/submit-malware.php?channel=168




#15 Frustrated1000


Posted 25 May 2016 - 01:23 PM

We have also had the exact same virus, message and are currently working with hackers to get our files unlocked.  Will post how that goes over the next few hours but hopeful we will get everything back and learn from the experience that daily protected backups need to be a part of any security.  Crazy F$%King world.  We are three weeks into Leukemia treatment for one of our children then this hits.    I hope once we are through this someone can crack this and nobody else has to pay.  N





