ID Ransomware question

#1 cornerstone


Posted 15 June 2016 - 10:18 PM

Hi - I began this somewhere else and had some responses from quietman7, but am now here! I have a client's computer hit with some ransomware. I ran ID Ransomware on it, and what follows are the results. Can someone decipher the meaning here and respond to me? It appears the system has been hit with 2 to 4 different ransomwares, or am I not reading this correctly? THANK YOU IN ADVANCE!

ID Ransomware

4 Results

CryptXXX 3.0

This ransomware has no known way of decrypting data at this time.

It is recommended to backup your encrypted files, and hope for a solution in the future.

Identified by

  • ransomnote_filename: !Recovery_0BCB1C7B915C.html
  • sample_extension: .crypt

CryptXXX

This ransomware is decryptable!

Identified by

  • sample_extension: .crypt

Chimera

This ransomware has no known way of decrypting data at this time.

It is recommended to backup your encrypted files, and hope for a solution in the future.

Identified by

  • sample_extension: .crypt

CryptXXX 2.0

This ransomware is decryptable!

Identified by

  • sample_extension: .crypt

© Copyright 2016 MalwareHunterTeam. All rights reserved.

App v1.2.6, Updated 06/14/2016

#2 quietman7


Posted 16 June 2016 - 07:07 AM

ID Ransomware identified your submissions as either one of several variants of CryptXXX (CryptXXX, CryptXXX 2.0, CryptXXX 3.0) or Chimera...hence four results.

Both CryptXXX and Chimera ransomware append a .crypt extension, but Chimera leaves a ransom note named YOUR_FILES_ARE_ENCRYPTED.HTML.

Based on the infection rates we see, it is most likely you are dealing with a CryptXXX variant, so, as I noted here, you should go to the appropriate support topic listed below. Rather than have everyone open individual topics, it is best (and more manageable for staff) if everyone posts questions, comments or requests for assistance in the appropriate support topic, to ensure they receive proper assistance from our crypto-malware experts, since they may not see this thread. Again, to avoid unnecessary confusion, this topic is closed.

If you are still unsure what to do please send me a PM.

Thanks
The BC Staff

#3 Demonslay335


Posted 16 June 2016 - 09:01 AM

ID Ransomware picked up on 4 possible results based on the ".crypt" extension, but it orders results by number of identifiers that matched. Since you provided a ransom note in addition to the encrypted file, it matched CryptXXX 3.0, which is at the top; this is the most likely result, as the 3.0 variant is the only one of those 4 that uses that pattern for the ransom note. Notice how it has two matches versus only the one for others.

I am constantly working on ironing out false-positives, so this particular scenario should improve with time.

Identified by

  • ransomnote_filename: !Recovery_0BCB1C7B915C.html
  • sample_extension: .crypt

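The ranking Demonslay335 describes (count how many identifiers each family matched, put the family with the most at the top, so the ransom-note match is what lifts CryptXXX 3.0 above the three extension-only hits) as an added worked example. This is not code from the original thread and not ID Ransomware's own implementation: the signature table holds only the four families on this result page and only the identifiers the thread mentions, the two note-filename regexes are assumptions, and the sample filenames are constructed.

```python
import re
from dataclasses import dataclass

# Toy signature table, constructed for this example from what the thread states:
# all four families append ".crypt"; CryptXXX 3.0 drops a note named
# "!Recovery_<12 hex chars>.html"; Chimera drops "YOUR_FILES_ARE_ENCRYPTED.HTML".
# It is an assumption standing in for ID Ransomware's real rule set, which is
# far larger and not reproduced here.
@dataclass(frozen=True)
class Signature:
    name: str
    extensions: frozenset                 # encrypted-file suffixes, lower-case
    note_patterns: tuple = ()             # regexes tried against the note filename


SIGNATURES = (
    Signature("CryptXXX", frozenset({".crypt"})),
    Signature("Chimera", frozenset({".crypt"}),
              (r"^YOUR_FILES_ARE_ENCRYPTED\.HTML$",)),
    Signature("CryptXXX 2.0", frozenset({".crypt"})),
    Signature("CryptXXX 3.0", frozenset({".crypt"}),
              (r"^!Recovery_[0-9A-Fa-f]{12}\.html$",)),
)


def sample_extension(sample_filename):
    """Last suffix of the submitted sample, lower-cased: 'q3.xlsx.crypt' -> '.crypt'."""
    if not sample_filename or "." not in sample_filename:
        return None
    return "." + sample_filename.rpartition(".")[2].lower()


def identify(sample_filename=None, note_filename=None, signatures=SIGNATURES):
    """Rank families by how many identifiers matched (most first).

    Returns a list of (family, [identifier labels]). Families that matched
    nothing are dropped; ties keep table order, so an extension-only
    submission yields a flat list of equally likely candidates.
    """
    ext = sample_extension(sample_filename)
    results = []
    for sig in signatures:
        hits = []
        if note_filename and any(re.match(p, note_filename) for p in sig.note_patterns):
            hits.append("ransomnote_filename: " + note_filename)
        if ext and ext in sig.extensions:
            hits.append("sample_extension: " + ext)
        if hits:
            results.append((sig.name, hits))
    results.sort(key=lambda r: len(r[1]), reverse=True)   # list.sort() is stable
    return results


def summarize(results):
    """(top family, True if it out-scored every other candidate).

    A tie at the top means the evidence does not single out one family,
    which is exactly the '.crypt'-only case the thread discusses.
    """
    if not results:
        return None, False
    best = len(results[0][1])
    decisive = len(results) == 1 or len(results[1][1]) < best
    return results[0][0], decisive


if __name__ == "__main__":
    # Constructed submissions: the thread's .crypt file plus its !Recovery_ note,
    # then the same file with no note uploaded.
    for case in [("Q3-report.xlsx.crypt", "!Recovery_0BCB1C7B915C.html"),
                 ("Q3-report.xlsx.crypt", None)]:
        ranked = identify(*case)
        print(case, "->", summarize(ranked))
        for family, hits in ranked:
            print(f"  {family}: {len(hits)} identifier(s) {hits}")
```

With the note included, CryptXXX 3.0 is the only family with two identifiers and `summarize` reports it as decisive; with the encrypted file alone, all four tie at one identifier and `summarize` reports the top entry as not decisive, which is the practical reason to upload the ransom note as well as a sample file.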
