
Ransomware payment-URL unavailable


This topic is locked. 3 replies to this topic.

#1 hkisting


Posted 08 June 2016 - 03:04 AM

EDIT: Mods please move this. I realize I posted this in the wrong thread.



Hi Guys,

I am new to the forum, but I have been a long-time user of some of the tools from BleepingComputer, and I must say they are among the best AV and security-related tools.

 

A client of mine from work had been attacked recently (about 3 weeks ago) and asked for my assistance with this. We could not restore the data (shadow copies were not available and, on top of that, the drive was 97% full (!), so Recuva/TestDisk+PhotoRec weren't really much help). Since it's important data, I have suggested they pay the ransom. Unfortunately, they took more than a week before informing me initially.

 

The problem is, it seems the URL is no longer valid. Below is the ransom note (I've hashed out the ID). If anyone can assist in any way with this, I would really be grateful!

 

 

--

$$*|*_+$
            !!! IMPORTANT INFORMATION !!!!

All of your files are encrypted with RSA-2048 and AES-128 ciphers.
More information about the RSA and AES can be found here:
    http://en.wikipedia.org/wiki/RSA_(cryptosystem)
    http://en.wikipedia.org/wiki/Advanced_Encryption_Standard
    
Decrypting of your files is only possible with the private key and decrypt program, which is on our secret server.
To receive your private key follow one of the links:
    1. http://25z5g623wpqpdwis.tor2web.org/XXXXXXXXXXXXXXXX
    2. http://25z5g623wpqpdwis.onion.to/XXXXXXXXXXXXXXXX
    3. http://25z5g623wpqpdwis.onion.cab/XXXXXXXXXXXXXXXX

If all of this addresses are not available, follow these steps:
    1. Download and install Tor Browser: https://www.torproject.org/download/download-easy.html
    2. After a successful installation, run the browser and wait for initialization.
    3. Type in the address bar: 25z5g623wpqpdwis.onion/XXXXXXXXXXXXXXXX
    4. Follow the instructions on the site.

!!! Your personal identification ID: XXXXXXXXXXXXXXXX !!!
|*$-**=_=$~*~-|=_
+-~$$**__+-|~._
_++.*-_---
--


Thank you
Helmuth

Edited by hkisting, 08 June 2016 - 03:09 AM.




#2 quietman7


Posted 08 June 2016 - 05:36 AM

What is the actual name of the ransom note? It looks like Locky ransomware, which leaves notes like _Locky_recover_instructions.txt or _HELP_INSTRUCTIONS.txt.

[attached image: html-ransom-note.png]

Are there any file extensions appended to your files?

You can submit samples of encrypted files and ransom notes to ID Ransomware for assistance with possible identification and confirmation. If ID Ransomware cannot identify the infection, you can post the case SHA1 it gives you in your next reply for Demonslay335 to manually inspect the files.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
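The identification steps in the reply above (note file name, appended extension, a few encrypted samples for ID Ransomware) can be run as a script against the rsync copy of the share rather than by eye. The following is an added example written for this page; it is not code from the thread, from BleepingComputer or from ID Ransomware. The sample tree, its file names and contents, and the assumption that the victim ID in the note is alphanumeric are all constructed for illustration; the onion host and gateway names come from the note posted in #1.

```python
"""Offline triage of a copied share after a Locky-style infection.

Added example, not code from the thread or from BleepingComputer. It reads a
copy of the share (never the live one) and checks the indicators quietman7
names: the appended .locky extension, the dropped note file names, and the
note's onion host / victim ID. Sample tree contents and names are constructed.
"""
import hashlib
import re
import tempfile
from pathlib import Path

LOCKY_EXT = ".locky"
LOCKY_NOTE_NAMES = {"_locky_recover_instructions.txt", "_help_instructions.txt"}

# The posted note lists one 16-character onion host behind several tor2web
# gateways and repeats the victim ID in every URL. The ID character class is
# an assumption (the real ID was redacted by the poster).
URL_RE = re.compile(
    r"(?P<host>[a-z2-7]{16})\.(?P<gw>onion|tor2web\.org|onion\.to|onion\.cab)"
    r"/(?P<id>[A-Za-z0-9]+)"
)
ID_RE = re.compile(r"identification ID:\s*([A-Za-z0-9]+)")

# Constructed sample note: the URL lines from post #1, keeping the poster's
# own redaction of the ID (XXXXXXXXXXXXXXXX) as-is.
SAMPLE_NOTE = """!!! IMPORTANT INFORMATION !!!!
All of your files are encrypted with RSA-2048 and AES-128 ciphers.
To receive your private key follow one of the links:
    1. http://25z5g623wpqpdwis.tor2web.org/XXXXXXXXXXXXXXXX
    2. http://25z5g623wpqpdwis.onion.to/XXXXXXXXXXXXXXXX
    3. http://25z5g623wpqpdwis.onion.cab/XXXXXXXXXXXXXXXX
    3. Type in the address bar: 25z5g623wpqpdwis.onion/XXXXXXXXXXXXXXXX
!!! Your personal identification ID: XXXXXXXXXXXXXXXX !!!
"""


def parse_ransom_note(text):
    """Extract onion host(s), gateways and victim ID; flag inconsistent IDs."""
    hits = [m.groupdict() for m in URL_RE.finditer(text)]
    id_match = ID_RE.search(text)
    ids = {h["id"] for h in hits}
    if id_match:
        ids.add(id_match.group(1))
    return {
        "onion_hosts": sorted({h["host"] for h in hits}),
        "gateways": sorted({h["gw"] for h in hits}),
        "victim_id": id_match.group(1) if id_match else None,
        # A note whose URLs carry different IDs was tampered with or merged.
        "ids_consistent": len(ids) <= 1,
    }


def sha1_file(path):
    """Stream a file through SHA-1 so large encrypted blobs are not read whole."""
    h = hashlib.sha1()
    with Path(path).open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def triage_tree(root, hash_limit=3):
    """Walk a copied share: count .locky files, find notes, hash a few samples."""
    root = Path(root)
    encrypted, notes = [], []
    for p in root.rglob("*"):
        if not p.is_file():
            continue
        if p.suffix.lower() == LOCKY_EXT:
            encrypted.append(p)
        elif p.name.lower() in LOCKY_NOTE_NAMES:
            notes.append(p)
    # Hashes of the samples you submit give a fixed record of exactly which
    # files were sent for identification, taken before anyone touches the copy.
    sample_sha1 = {p.name: sha1_file(p) for p in sorted(encrypted)[:hash_limit]}
    note = parse_ransom_note(notes[0].read_text(errors="replace")) if notes else None
    return {
        "encrypted_count": len(encrypted),
        "note_count": len(notes),
        "sample_sha1": sample_sha1,
        "note": note,
        "likely_locky": bool(encrypted and notes),
    }


def build_sample_tree():
    """Constructed sample share: two renamed files, one note, one untouched file."""
    d = Path(tempfile.mkdtemp(prefix="locky_triage_"))
    (d / "docs").mkdir()
    (d / "docs" / "A1B2C3D4E5F60718.locky").write_bytes(bytes(range(256)))
    (d / "docs" / "F00DBEEF00000001.locky").write_bytes(b"abc")  # constructed content
    (d / "docs" / "_Locky_recover_instructions.txt").write_text(SAMPLE_NOTE)
    (d / "readme.txt").write_text("untouched file")
    return d


if __name__ == "__main__":
    for key, value in triage_tree(build_sample_tree()).items():
        print(f"{key}: {value}")
```

Run it against the rsync copy by calling `triage_tree("/path/to/copy")`; the `sample_sha1` values are what to record alongside whatever case identifier ID Ransomware returns, and `ids_consistent` is a cheap sanity check that the note you are about to submit has not been edited or merged from two machines.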

#3 hkisting


Posted 08 June 2016 - 06:59 AM

Thank you for your reply.

It's the .locky ransomware I'm afraid so it's a mess. :(

 

ID Ransomware didn't provide me with a case SHA1, unfortunately. I'm attaching the various files to this post.

I have downloaded the Tor Browser and tried to access the URL provided, but it's nonexistent (with and without the ID). I've also disabled any proxies as well as disabled WCCP so as to bypass the proxies.

This is the note (with ID removed):

[attached image: 2jx1gAXjOU1D.png]

Below is the folder content (this was copied from the infected share via rsync):

[attached image: 2jx2JowpmTgY.png]

And finally, the ID Ransomware results:

[attached image: 2jx2kMKxT7kh.png]

Thank you again.

Helmuth


Edited by hkisting, 08 June 2016 - 07:02 AM.


#4 quietman7


Posted 08 June 2016 - 08:23 AM


A repository of all current knowledge regarding Locky Ransomware is provided by Grinler (aka Lawrence Abrams), in this topic: Locky Ransomware Information, Help Guide, and FAQ

Unfortunately, there is no known way to decrypt files encrypted by Locky.

There is an ongoing discussion in this topic where you can ask questions and seek further assistance, but as noted above there is no solution to fix your encrypted files. When or if a solution is found, that information will be provided in this support topic and you will receive notification if subscribed to it. In addition, a news article will most likely be posted on the BleepingComputer front page.

Rather than have everyone with individual topics, it would be best (and more manageable for staff) if you posted any more questions, comments or requests for assistance in the above support topic discussion...it includes experiences by experts, a variety of IT consultants, end users and company reps who have been affected by ransomware infections. Doing that will also ensure you receive proper assistance from our crypto malware experts since they may not see this thread. To avoid unnecessary confusion, this topic is closed.

Thanks
The BC Staff
