Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

RansomNoteCleaner - Remove Ransom Notes Left Behind


  • Please log in to reply
58 replies to this topic

#31 vilhavekktesla

vilhavekktesla

  • Members
  • 917 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Local time:03:04 PM

Posted 30 July 2016 - 03:15 AM

Deep learning is one of your best experiences. Remember backups, and you can continue exploring. It is this knowledge that lead to the cleaner. When so many ransomwares are reported to id-ransomware the details about all is revailed and. These two programs / services work together identifying and cleaning up the mess.

 

A simple backup before the attack would be better, but since noone learns before a case has happened, this is a good tool to clean up.

And as said above, most of the info on BC is trustworthy, if there is some posted that is not trustworthy I'm sure one of the users or moderators wil fix it pretty soon.

 

It is good to be cautios, and one way to keep up the cautioness attitude is to read all posts in the topic, very often an answer to your issue can be found.

 

Good luck with your issues and feel free to ask for help if yoiu need any.

 

Regards


The signature points to post one in each topic. Post one is very important to read.

Now Teslacrypt may be decrypted with Blooddolly's Tesladecoder version 1.0 or newer (if needed)

The master key is released so there is no need to pay to get the key.

More than 200 different ransomwares exist so think safe backups at all time.


BC AdBot (Login to Remove)

 


#32 vilhavekktesla

vilhavekktesla

  • Members
  • 917 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Local time:03:04 PM

Posted 05 August 2016 - 01:57 AM

Hi deamonslay, I have asked before and now I have a case where this uncertainty about who did what.

Different ransom notes different content. some copy cats other the original encryptor.

 

Maybe this belong in ID-ransomware topic or in PM

 

- Nov 2015: .ccc _how_recover_ivu.HTML (confirmed by me) Unknown by ID ransomware

- Late Feb 2016 - Late March and also some in April _RECOVERY_+dlllx.html (those 5 random characters)

- _RECOVERY_+nhpmw.html (content about AES not RSA 4096)

  I thought Tesla claimed RSA and not AES

- Early April 2016 {RecOveR}-xrarh__.Txt (content RSA 4096) could be Tesla or something else Also 5 random but a .Txt and .Png shares the same random characters

  Also not the cases of the extension

- Early April  de_crypt_readme.txt (confirmed it was encrypted with Tesla v4) but the text content is again mentioning RSA4096 so it looks one Tesla v3-4.1 targeted the file

  and used this help file (ransom note)

- Early april. how_recover+ock.txt.crypt A ransom note from .ccc attack in Nov encrypted with .crypt. (Confirmed the Cryptxxx)

- Early april.howto_recover_file_pgrrx.txt.crypt (probably the same as above)

 

Anyway I have all the files where I refer to the cases above.

I think the service ID-ransomware has to many false positives (hard to do it different) I know, but maybe those above mentioned files can be ompened and the content examined

I can therefore send you the samples if you like.

 

My question my case.

 

Are you able to mention all notes names, recovery nems for

 

.ccc encryptions

Tesla v3 - Tesla v4.1 including the v4a

and the original Cryptxxx

 

Based on time stamps I think I identified in the case I'm working on the following.

 

Nov .ccc

Feb Tesla v3late or v4 early

March Tesla v3late or v4 early

Late March v4 later

April .crypt (Cryptxxx)

 

For the user it is hard to find the key to the .crypt files since apparently no before and after files exists.

unless I can find one file that only .crypt targeted and that the user had a copy of from before the April attack.

 

All others are decryptable when the "currently" decryptable .crypt is decrypted. For any other cases this would be easy, but not when multi encryptin has happened

and no valid samples are found (as of yet)

 

Any advices, you can use PM if you like and maybe the ID-service can be improved even more.

I have 13 MB samples and 75 files, ransom notes howtos etc with different names and content...

I cannot confirm all, since it is a mixture on this case, however I was able to conclude to some extent.

See above my "claims"

 

Link is here to my analysis: https://www.sendspace.com/filegroup/X373y8ZdZZ4gnxhsuwLMOAR

 

Regards, and keep up the great work you do.


The signature points to post one in each topic. Post one is very important to read.

Now Teslacrypt may be decrypted with Blooddolly's Tesladecoder version 1.0 or newer (if needed)

The master key is released so there is no need to pay to get the key.

More than 200 different ransomwares exist so think safe backups at all time.


#33 Geoffc

Geoffc

  • Members
  • 84 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Warragul, Australia
  • Local time:11:04 PM

Posted 17 August 2016 - 04:16 PM

Good idea.

Have an issue at start, though.

Ticking CryptoLocker, I see an error window as follows:

Unhandled exceptionhas occurred in your application. etc. etc.

Method not found: 'Int 32

System Environment. get_CurrentManagedThreadID'.

Then Continue button loops between Select window and error window. 

 

I'm wondering if a clean reboot may be more appropriate.



#34 Demonslay335

Demonslay335

    Ransomware Hunter

  • Topic Starter

  • Security Colleague
  • 3,147 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:08:04 AM

Posted 17 August 2016 - 04:20 PM

Good idea.

Have an issue at start, though.

Ticking CryptoLocker, I see an error window as follows:

Unhandled exceptionhas occurred in your application. etc. etc.

Method not found: 'Int 32

System Environment. get_CurrentManagedThreadID'.

Then Continue button loops between Select window and error window. 

 

I'm wondering if a clean reboot may be more appropriate.

 

That would definitely be a bug I haven't seem before. Can you share the RansomNoteCleaner-log.txt file with me? You can share it via SendSpace.


logo-25.pngID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

ransomnotecleaner-25.png RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

cryptosearch-25.pngCryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.


#35 al1963

al1963

  • Members
  • 809 posts
  • OFFLINE
  •  
  • Local time:07:04 PM

Posted 30 August 2016 - 03:28 AM

@Demonslay335,

 

I'm sorry, that is not at the desired topic written about its proposal on this utility.

 

http://www.bleepingcomputer.com/forums/t/608858/id-ransomware-identify-what-ransomware-encrypted-your-files/page-7#entry4074475



#36 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 17,697 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Quebec, Canada
  • Local time:09:04 AM

Posted 04 September 2016 - 01:59 PM

Looks like Malwarebytes detects and delete RansomNoteCleaner. Reporting it as a FP on their forum right now.

unite_blue.png
Technical Support, Tier 2 | Sysnative Windows Update Senior Analyst | Malware Hunter | R&D at Certly | @AuraTheWhiteHat
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#37 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 49,312 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:09:04 AM

Posted 04 September 2016 - 04:32 PM

Thanks for doing that and letting us know.
.
.
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Microsoft MVP Reconnect 2016
Windows Insider MVP 2017
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#38 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 17,697 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Quebec, Canada
  • Local time:09:04 AM

Posted 04 September 2016 - 04:51 PM

It's been fixed in database v2016.09.04.08 2 hours ago by thisisu! :)

https://forums.malwarebytes.org/topic/187908-ransomnotecleaner-detected-as-trojanagentmsil/#comment-1060193

unite_blue.png
Technical Support, Tier 2 | Sysnative Windows Update Senior Analyst | Malware Hunter | R&D at Certly | @AuraTheWhiteHat
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#39 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 49,312 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:09:04 AM

Posted 04 September 2016 - 04:55 PM

:thumbup2:
.
.
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Microsoft MVP Reconnect 2016
Windows Insider MVP 2017
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#40 djbillyd

djbillyd

  • Members
  • 41 posts
  • OFFLINE
  •  
  • Local time:08:04 AM

Posted 06 September 2016 - 01:30 PM

 

This link got the notes all cleaned out. I hope it cleaned some more stuff too. Working around the "Defender" was nauseous, but well worth it. Shout out to you bra....!!!!



#41 cybercynic

cybercynic

  • Members
  • 549 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Edge Of Tomorrow
  • Local time:09:04 AM

Posted 08 September 2016 - 02:04 PM

It just cleans out the ransom notes. For other debris run Malwarebytes / Hitman Pro / Emsisoft.


We are drowning in information - and starving for wisdom.


#42 sammielea

sammielea

  • Members
  • 22 posts
  • OFFLINE
  •  
  • Local time:09:04 AM

Posted 13 September 2016 - 09:01 AM

Just used this awesome tool to clean out the crap left behind after an infection....just an FYI, ControlNow (Vipre engine) is picking ransom remote cleaner as nasty and delets...needed to first uninstall vipre to run it :)
Thank you @Demonslay335 for this tool



#43 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 49,312 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:09:04 AM

Posted 13 September 2016 - 03:20 PM

It's not the first such report.

Certain embedded files that are part of legitimate programs and specialized fix tools (like RansomNoteCleaner), may at times be detected by some anti-virus and anti-malware scanners as suspicious, a Risk Tool, Hacking Tool, Potentially Unwanted Program, a possible threat or even Malware (virus/trojan) when that is not the case. This occurs for a variety of reasons to include the tool's compiler, the files it uses, whether files are compressed or packed, what behavior (routines, scripts, etc) it performs, any registry strings it may contain and the type of security engine that was used during the scan. Other legitimate files which may be obfuscated, encrypted or password protected in order to conceal itself so they do not allow access for scanning but often trigger alerts by anti-virus software.

When flagged by an anti-virus or security scanner, it's because the program includes features, behavior or files that appear suspicious or which can potentially be used for malicious purposes. Compressed and packed files in particular are often flagged as suspicious by security software because they have difficulty reading what is inside them. These detections do not necessarily mean the file is malicious or a bad program. It means it has the potential for being misused by others or that it was simply detected as suspicious or a threat due to the security program's heuristic analysis engine which provides the ability to detect possible new variants of malware. Anti-virus scanners cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert you or even automatically remove them. In these cases the detection is a "false positive" and can be ignored.

Most of the well known specialized tools we use against malware are written by experts/Security Colleagues at various security forums like Bleeping Computer, TechSupport, GeeksToGo, Emsisoft and other similar sites so they can be trusted...this includes any program hosted by BC for download. Unfortunately, many of these tools are falsely detected by various anti-virus programs from time to time for the reasons noted above. This in turn sometimes results in an inaccurate site rating/warning of potentially dangerous software when that is not the case.

The problem is really with the anti-virus vendors who keep targeting these embedded files and NOT with the tools themselves. We can inform the developers but they have encountered this issue many times before and in most cases there isn't much they can do about it. Once the detection is reported to the anti-virus vendor, they are usually quick to fix it by releasing an updated definition database.

Either have your anti-virus ignore the detection or temporarily disable it until you download and run the tool.
.
.
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Microsoft MVP Reconnect 2016
Windows Insider MVP 2017
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#44 mancat123

mancat123

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:02:04 PM

Posted 03 November 2016 - 03:55 AM

I have cleaned all Unblockupc ransom notes with this tool.

If I search all ransom notes with this tool it finds like 12 AutoLocky notes, 109 CrypMic notes, and notes from 7 others malware notes, but when I check files they are normal Readme.txt, info.txt,... files.

Yesterday I created RegBackup and now this tool tells me that created backup_info.txt is AutoLocky ransom note.



#45 Demonslay335

Demonslay335

    Ransomware Hunter

  • Topic Starter

  • Security Colleague
  • 3,147 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:08:04 AM

Posted 03 November 2016 - 08:31 AM

Thanks for the feedback. RansomNoteCleaner is fed regular expressions from the ID Ransomware engine, and those particular ransomwares do have very generic ransom note names, so they do tend to trigger false-positives. This is the main reason I made the screen for confirming the files to delete.

 

I'll see if I can limit the regex scope more to not pickup on the backup_info.txt, that definitely should not happen (the rule for AutoLocky is to match simply "info.txt"). 


logo-25.pngID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

ransomnotecleaner-25.png RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

cryptosearch-25.pngCryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users