
SilentShade BlackShades Ransomware (.silent) Help Topic (Hacked.txt, YourID.txt)


6 replies to this topic

#1 Demonslay335

Demonslay335

    Ransomware Hunter


  • Security Colleague
  • 3,565 posts
  • Gender:Male
  • Location:USA

Posted 02 June 2016 - 12:25 PM

A new ransomware was reported by security researcher Malwareforme that encrypts files using AES-256. Dubbed "SilentShade", but going by the name BlackShades Crypter, it adds the extension ".Silent" to all encrypted files.
 
Victims are left with a ransom note called "Hacked.txt" that is displayed in English and Russian. The ransom is set at $30 USD or 0.07 BTC. The following note may also be displayed.
 
 
 

You have been struck with Black Shades
All of your files were protected by a strong encryption with RSA-4096
 
More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)
 
Your files will be enqrypted for your life So Dont Wait so long To Restore your files Because YOU CANNOT!! You Need to Folow One of this Steps >
 
1- send 30$ = 0.0700 Bitcoin to this Account >> 14CcrhERkVWkJoiE15vqhwCG2cKNVENEXb And then contact silentshades@protonmail.com With your ID Details (you will find it at [/Desktop or /Downloads or /Documents] Folder) and confirmation Of your Money transaction
2- Visit This website > http://daftoraytg.com/ and Folow the steps To Decrypt Your files
 
in (96) hours the key to decrypt your files will be Deleted from Our Database
 
# NOTE > (100% you will have your all files Back ) if you will follow the steps 1 or 2
3- After you finshed 1 of your Steps Open the Decrypter Porgram And Restore your all files Wich we will sended to you after Our Deal
 
Why is RSA-4096 dangerous?
After RSA-4096 sneaks into your system, without you even realizing it, it goes to work.
It begins the encryption process and cloaks everything you have stored on your computer. Every file, every photo, every video, music, documents, nothing, is safe.
The infection encrypts everything. You still see it, but you cannot open it. That’s its play. It keeps it right in your reach but doesn’t allow you to access it.
 
==========================================================================================================
Ваш компьютер поражен Black Shades
Все файлы были зашифрованы с сильным шифрованием RSA-4096
Более подробную информацию о даннном типе шифрования с использованием RSA-4096 можно найти здесь: https://ru.wikipedia.org/wiki/RSA
чтобы восстановить ваши файлы вам нужно сделать следующее>
1- отправить 30 $ = 0,0700 Bitcoin на этот Счет >> 14CcrhERkVWkJoiE15vqhwCG2cKNVENEXb, а затем свяжитесь по этому адресу silentshades@protonmail.com
ID Подробности (вы найдете его на [/ Desktop или / Загрузка или / Documents] )
2 Посетите этот сайт>http://daftoraytg.com/  Для дешифрования файлов
В течении(96) часов ключи для расшифровки файлов будут удалены из нашей базы данных
# ПРИМЕЧАНИЕ> (100% вы будете иметь все ваши файлы обратно), если вы выполните 1 или 2 условие!
3- После того как вы сделали то что от вас требуется,  Откройте Decrypter его вы получите на указанном выше сайте. после вам нужно вставить свой id  и порграмма  восстановит все файлы
Почему RSA-4096 опасно?
После того, как RSA-4096 пробирается в вашу систему
начинается процесс шифрования и маскирует все, что вы сохранили на вашем компьютере. Каждый файл, каждая фотография, каждое видео, музыка, документы
вирус шифрует все кроме системных файлов. вы не можете открыть или восстановить ваши данные! Он держит их в вашей досягаемости, но не позволяет получить к ним  доступа

 
 
The ransomware also leaves the files "YourID.txt" and "Ваш идентификатор" with the victim's ID.
 

Dont Remove this File you cannot Recover your file without your id >> Your ID is  >>> 
 
Не удалять этот файл, вы не сможете восстановить файлы без вашего идентификатора >> Ваш идентификатор >>>
[redacted]


 
The following extensions are targeted.
 

.3dm, .3ds, .3fr, .3g2, .3gp, .3gp, .7z, .aac, .AAC, .ach, .ai, .apk, .ar, .arw, .asf, .asp, .asx, .avi, .AVI, .back, .bak, .bay, .bz2, .c, .cdr, .cer, .cpp, .cr2, .crt, .crw, .cs, .cs, .CSS, .csv, .db, .dbf, .dcr, .dds, .der, .des, .dng, .doc, .docm, .docx, .dtd, .dwg, .dxf, .dxg, .eml, .eps, .ert, .fla, .fla, .flac, .flv, .FLV, .fon, .gif, .gz, .h, .hpp, .html, .html, .ico, .iif, .indd, .ini, .ipe, .ipg, .jar, .java, .JNG, .jp2, .jpeg, .jpg, .JPG, .jsp, .kdc, .key, .log, .lua, .lz, .m, .m4a, .m4v, .max, .mda, .mdb, .mdf, .mef, .mhtml, .MKV, .mov, .MP2, .mp3, .mp4, .MP4, .MP4, .mpe, .mpeg, .mpg, .mpg, .mrw, .msg, .myo, .nd, .nef, .nk2, .nrw, .oab, .obi, .odb, .odc, .odm, .odp, .ods, .odt, .orf, .ost, .p12, .p7b, .p7c, .pab, .pas, .PC1, .PC2, .PC3, .pct, .pdb, .pdd, .pdf, .pem, .per, .pfx, .php, .pl, .png, .PNS, .PPJ, .pps, .ppt, .pptm, .pptx, .prf, .ps, .psd, .pst, .ptx, .py, .qba, .qbb, .qbm, .qbr, .qbw, .qbx, .qby, .r3d, .raf, .rar, .raw, .rm, .rss, .rtf, .rw2, .rwl, .rz, .s7z, .sql, .sr2, .srf, .str, .swf, .tar, .text, .txt, .vb, .vob, .wav, .wb2, .wma, .wmv, .wpd, .wps, .x3f, .xhtml, .xlk, .xlr, .xls, .xlsb, .xlsm, .xlsx, .xml, .yuv, .zip, .zipx

 
This ransomware will also delete shadow copies, disable Task Manager, and disable System Restore. It may run as "win.exe" and set itself to run on startup.
 
It is assumed this ransomware may be spread as part of keygen videos, as it has a hard-coded reference of "YouTube".
 
At this time, there is unfortunately no way to decrypt data.

ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.
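As an added defender-side example (not a tool from the original post or from any of the projects linked above), a small Python triage script that walks a directory tree for the artifacts described above: files carrying the ".Silent" extension and the Hacked.txt / YourID.txt / Ваш идентификатор notes, and reports how many encrypted files fall under the extensions the post lists as targeted. It assumes ".Silent" is appended after the original file name; the sample tree is constructed inline.

```python
"""Triage helper for the SilentShade / BlackShades artifacts described in the
thread. Example code written for this thread, not a tool from the original post."""
import os
import tempfile
from collections import Counter

# Subset of the extensions the post lists as targeted (full list is in the post).
TARGETED = {".doc", ".docx", ".jpg", ".pdf", ".flac", ".xlsx", ".zip", ".txt", ".sql"}
ENCRYPTED_EXT = ".silent"   # the post says ".Silent" is added to encrypted files
# Note file names from the post (matched case-insensitively).
NOTE_NAMES = {"hacked.txt", "yourid.txt", "ваш идентификатор"}


def triage(root):
    """Walk `root` and return encrypted-file counts by original extension, the
    subset of those that are in the targeted list, the directories holding
    ransom notes, and a verdict flag (notes present AND targeted files renamed)."""
    by_ext = Counter()
    note_dirs = set()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            low = name.lower()
            if low in NOTE_NAMES:
                note_dirs.add(dirpath)
            elif low.endswith(ENCRYPTED_EXT):
                # Assumption: "report.docx.Silent" -> original extension ".docx"
                original = os.path.splitext(name[:-len(ENCRYPTED_EXT)])[1].lower()
                by_ext[original or "(none)"] += 1
    matched = {ext: n for ext, n in by_ext.items() if ext in TARGETED}
    likely = bool(note_dirs) and bool(matched)
    return {"by_ext": dict(by_ext), "targeted": matched,
            "note_dirs": sorted(note_dirs), "likely_silentshade": likely}


def build_sample():
    """Constructed sample tree mimicking an infected Documents folder."""
    root = tempfile.mkdtemp()
    docs = os.path.join(root, "Documents")
    os.makedirs(docs)
    for f in ("report.docx.Silent", "photo.jpg.Silent", "song.flac.Silent",
              "Hacked.txt", "YourID.txt", "notes.txt"):
        open(os.path.join(docs, f), "w").close()
    return root


if __name__ == "__main__":
    print(triage(build_sample()))
```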



#2 santare

santare

  • Members
  • 227 posts

Posted 02 June 2016 - 06:28 PM

First ransomware as far as I know to encrypt flac files.



#3 Amigo-A

Amigo-A

  • Members
  • 593 posts
  • Gender:Male
  • Location:3st station from Sun

Posted 03 June 2016 - 02:50 AM

Demonslay335
 
The Russian text in the ransom note is very incorrect. In some places there is an automatic translation, there is also manual editing of the text, and with errors.
From this we can conclude that the authors have poor knowledge of the Russian language.


My projects: Digest "Crypto-Ransomwares" + Anti-Ransomware Project (In Russian) + Google Translate Technology

Have you been attacked by a Ransomware? Report here. Do you know Russian? Write to me in Russian. I will help.


#4 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,640 posts
  • Gender:Male
  • Location:USA

Posted 03 June 2016 - 12:22 PM

Demonslay335
 
The Russian text in the ransom note is very incorrect. In some places there is an automatic translation, there is also manual editing of the text, and with errors.
From this we can conclude that the authors have poor knowledge of the Russian language.


That's useful info. Amigo-A, are you a native Russian speaker?

#5 Amigo-A

Amigo-A

  • Members
  • 593 posts
  • Gender:Male
  • Location:3st station from Sun

Posted 03 June 2016 - 12:26 PM

Amigo-A, are you a native Russian speaker? 

 

Yes. 




#6 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,640 posts
  • Gender:Male
  • Location:USA

Posted 03 June 2016 - 12:30 PM

OK, that's good to know. Hope you don't mind if I ping you from time to time.

#7 Amigo-A

Amigo-A

  • Members
  • 593 posts
  • Gender:Male
  • Location:3st station from Sun

Posted 03 June 2016 - 01:51 PM

OK. I translated 'ID Ransomware' and your news about ransomware into Russian.






