
RansomNoteCleaner - Remove Ransom Notes Left Behind


58 replies to this topic

#46 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 18,603 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Quebec, Canada
  • Local time:04:09 AM

Posted 21 December 2016 - 07:16 PM

Does RansomNoteCleaner delete ransom notes left behind by the Osiris variant of Locky?

Technical Support, Tier 2 | Sysnative Windows Update Senior Analyst | Malware Hunter | R&D at Certly | @AuraTheWhiteHat
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.



#47 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 49,937 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:04:09 AM

Posted 21 December 2016 - 07:44 PM

It should since RansomNoteCleaner is powered by ID Ransomware. Demonslay335 constantly updates ID Ransomware with all the latest ransomware variants he can find, all their notes and I believe email/website addresses too.
Microsoft MVP Consumer Security 2007-2015
Microsoft MVP Reconnect 2016
Windows Insider MVP 2017
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#48 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 18,603 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Quebec, Canada
  • Local time:04:09 AM

Posted 21 December 2016 - 07:46 PM

Then maybe the user I'm working with isn't using it properly. I'll see :P



#49 Demonslay335

Demonslay335

    Ransomware Hunter

  • Topic Starter

  • Security Colleague
  • 3,246 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:03:09 AM

Posted 22 December 2016 - 09:43 AM

I've used it to clean up notes from a Locky (Osiris variant) on a customer's system myself. The following regex would be used that is pulled from ID Ransomware for that variant.

OSIRIS-([a-z0-9]{4})\.htm
DesktopOSIRIS\.(htm|bmp)

ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.
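
Added example, not part of the original post and not RansomNoteCleaner's or ID Ransomware's own code: a Python dry run that applies the two Osiris patterns quoted above to file names and only lists the hits. Matching the whole file name (`fullmatch`) is this example's assumption, since the post does not say how the tool anchors the patterns; the folder and file names are constructed.

```python
import os
import re
import tempfile

# The two patterns quoted in the post above for Locky (Osiris variant) notes.
OSIRIS_PATTERNS = [r"OSIRIS-([a-z0-9]{4})\.htm", r"DesktopOSIRIS\.(htm|bmp)"]

def find_notes(root, patterns=OSIRIS_PATTERNS, anchored=True):
    """Return sorted paths under root whose file name matches a pattern.

    anchored=True requires the whole name to match (assumption of this
    example); anchored=False shows what a substring search would also hit.
    """
    compiled = [re.compile(p) for p in patterns]
    hits = []
    for folder, _dirs, files in os.walk(root):
        for name in files:
            if any((rx.fullmatch(name) if anchored else rx.search(name))
                   for rx in compiled):
                hits.append(os.path.join(folder, name))
    return sorted(hits)

def demo():
    """Scan a constructed folder; return (anchored hits, substring hits)."""
    names = [
        "OSIRIS-a1b2.htm",             # ransom note
        "DesktopOSIRIS.bmp",           # ransom note (wallpaper image)
        "DesktopOSIRIS.htm",           # ransom note
        "OSIRIS-a1b2.html",            # near miss: different extension
        "report-OSIRIS-a1b2.htm.bak",  # near miss: pattern inside a longer name
        "OSIRIS-toolong.htm",          # near miss: id is not 4 characters
    ]
    with tempfile.TemporaryDirectory() as root:
        docs = os.path.join(root, "Documents")
        os.makedirs(docs)
        for name in names:
            open(os.path.join(docs, name), "w").close()
        strict = [os.path.basename(p) for p in find_notes(root)]
        loose = [os.path.basename(p) for p in find_notes(root, anchored=False)]
    return strict, loose

if __name__ == "__main__":
    strict, loose = demo()
    print("anchored match, candidates for removal:", strict)
    print("substring match would also list:", sorted(set(loose) - set(strict)))
```
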


#50 Majolla

Majolla

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:11:09 AM

Posted 23 January 2017 - 05:53 AM

Help needed, cannot install/unzip RansomNoteCleaner. I get the error "Unknown method in file" and it does not extract.



#51 Demonslay335

Demonslay335

    Ransomware Hunter

  • Topic Starter

  • Security Colleague
  • 3,246 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:03:09 AM

Posted 23 January 2017 - 10:19 AM

Quote (Majolla): Help needed, cannot install/unzip RansomNoteCleaner. I get the error "Unknown method in file" and it does not extract.

 

I've fixed it. Windows Explorer couldn't handle the AES encryption on the archive. Try downloading again, password is "false-positive".

 

I've also updated RansomNoteCleaner to v0.9.3.0, which adds support for paths longer than 260 characters.




#52 Majolla

Majolla

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:11:09 AM

Posted 24 January 2017 - 01:52 AM

Ok I can extract and install but it runs with lots of exception errors and does not advance after selection of ransomware was made.

Ok new download on 24/01 runs fine


Edited by Majolla, 24 January 2017 - 04:54 AM.


#53 Majolla

Majolla

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:11:09 AM

Posted 24 January 2017 - 02:03 AM

 

Good idea.

Have an issue at start, though.

Ticking CryptoLocker, I see an error window as follows:

Unhandled exception has occurred in your application. etc. etc.

Method not found: 'Int32 System.Environment.get_CurrentManagedThreadID'.

Then Continue button loops between Select window and error window. 

 

I'm wondering if a clean reboot may be more appropriate.

 

That would definitely be a bug I haven't seen before. Can you share the RansomNoteCleaner-log.txt file with me? You can share it via SendSpace.

 

I also have this problem with the latest version, utility now runs on 24/01


Edited by Majolla, 24 January 2017 - 04:55 AM.


#54 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 49,937 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:04:09 AM

Posted 26 January 2017 - 05:58 AM

Please be patient. Staff members & Security Colleagues like Demonslay335 are all volunteers who assist members as time permits. No one is paid for their work or assistance to members of our community.

#55 Demonslay335

Demonslay335

    Ransomware Hunter

  • Topic Starter

  • Security Colleague
  • 3,246 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:03:09 AM

Posted 26 January 2017 - 09:33 AM

@Majolla
 

I've been unable to reproduce the issue. Can you give me more details about your system? What OS, and do you know what version of .NET is installed? Can you send me the RansomwareNoteCleaner-log.txt, and any Events in EventViewer about the crash? Feel free to PM these if you feel they shouldn't be posted publicly.




#56 Hidemik

Hidemik

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:11:09 AM

Posted 26 January 2017 - 05:20 PM

I can suggest a simple solution. Once you identify the ransom note file name (you will probably find one or more per infected folder - either .txt and .html or similar), you can open (with administrator's privileges) a prompt window. You will see a prompt:

C:\WINDOWS\SYSTEM32>

then type CD\ and press ENTER - prompt will become C:\> 

(Assuming for example that ransom notes are named how_to_restore_files.txt and how_to_restore_files.htm), type del /s how_to_restore_files*.* (pay attention to the spaces) and press enter.

In a few seconds you will erase all such files from the entire hard drive C:

If you need to clean other drives, simply point to them typing their letter followed by : (ex. for drive D type D:) and repeat command del /s how_to_restore_files*.*

Tested on different Windows OS. Always works. Fast!



#57 Demonslay335

Demonslay335

    Ransomware Hunter

  • Topic Starter

  • Security Colleague
  • 3,246 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:03:09 AM

Posted 26 January 2017 - 05:36 PM

@Hidemik

 

Indeed, that may work for some, but many users do not feel comfortable using the command line - one mistake with the wildcards, and you possibly delete actual data. Also, there is no confirmation before actually deleting. This was the main motivation behind this tool.




#58 Hidemik

Hidemik

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:11:09 AM

Posted 26 January 2017 - 05:41 PM

@Demonslay335

 

I agree with you. For many users a GUI is better than a command prompt. But for many a download is a problem. My solution can be used without any download. That's why maybe somebody can find it interesting.
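
The concern raised in this exchange (a broad wildcard and no confirmation step), as an added Python example that is not from any poster or from RansomNoteCleaner: it previews what the wildcard from post #56 would hit, separates the exact note names from other files, and deletes only after explicit confirmation. `fnmatch` only approximates cmd.exe wildcard matching, and the extra file names are constructed.

```python
import fnmatch
import os
import tempfile

# Note names and wildcard taken from post #56 (the poster's assumed example).
KNOWN_NOTES = {"how_to_restore_files.txt", "how_to_restore_files.htm"}
WILDCARD = "how_to_restore_files*.*"

def plan_cleanup(root, wildcard=WILDCARD, known=KNOWN_NOTES):
    """Split files hit by the wildcard into exact note names and everything else."""
    notes, extra = [], []
    for folder, _dirs, files in os.walk(root):
        for name in files:
            # Windows compares names case-insensitively, so match in lower case.
            if not fnmatch.fnmatchcase(name.lower(), wildcard.lower()):
                continue
            path = os.path.join(folder, name)
            (notes if name.lower() in known else extra).append(path)
    return sorted(notes), sorted(extra)

def delete_notes(notes, confirmed=False):
    """Delete only after an explicit confirmation; return the number removed."""
    if not confirmed:
        return 0
    for path in notes:
        os.remove(path)
    return len(notes)

def demo():
    """Run preview, dry run and confirmed deletion on a constructed folder."""
    names = ["how_to_restore_files.txt", "how_to_restore_files.htm",
             "how_to_restore_files_from_backup.docx",  # the user's own document
             "budget.xlsx"]
    with tempfile.TemporaryDirectory() as root:
        for name in names:
            open(os.path.join(root, name), "w").close()
        notes, extra = plan_cleanup(root)
        dry = delete_notes(notes)                   # preview: nothing removed
        done = delete_notes(notes, confirmed=True)  # exact note names only
        left = sorted(os.listdir(root))
    return ([os.path.basename(p) for p in notes],
            [os.path.basename(p) for p in extra], dry, done, left)

if __name__ == "__main__":
    notes, extra, dry, done, left = demo()
    print("exact ransom notes:", notes)
    print("also hit by the wildcard, kept:", extra)
    print("removed without confirmation:", dry, "| after confirmation:", done)
```
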



#59 Saham

Saham

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:12:09 PM

Posted 12 April 2017 - 05:54 PM

Small suggestion

I think if you add a 'Clear Button', that will help it to be smooth during searching

Thanks





