
RAR Ransomware (realxakepok@bigmir.net) Ransomware turns docs, into .RAR files


  • Please log in to reply
24 replies to this topic

#1 gustalitro

gustalitro

  • Members
  • 5 posts
  • Local time:04:54 PM

Posted 16 June 2016 - 12:40 PM

Hi everyone. Yesterday we had a case where a computer got infected with some kind of ransomware. The infection performs a full scan of the local disk (no network drives, I think, since not a single file on them got compressed) and later compresses every single document (docx, xlsx, php, css, js, etc.) into a password-protected .RAR file.
I performed a full scan with MBAM, FRST and also AdwCleaner, but I'm unable to find any infection.
So I looked into Scheduled Tasks and I found several tasks:
  • One runs a task called cwp
  • The other runs a task called chaekgrewege
Both tasks point to a BAT file inside the Windows folder, named MY.BAT, MY.BAT3 and MY.BAT4.
Later I looked into the Program Files folder and I found several folders:
  • One called chaekgrewege with the suspicious files chaekgrewegeverifierService.html5 and chaekgrewegeverifierTask.exe
  • The other two folders have no files inside
Next I checked the Windows Registry and deleted every single key related to chaekgrewege. Every reference to it disappeared, even in the Scheduler.
When I open the RAR compressed file I can see the following message in WinRAR.

English written below

[Russian text of the note, not recoverable from the page; the readable parts reference c:\key.txt, c:\windows\key.txt and the address xakpah@bigmir.net]
 
All your valuable files are archived indefinitely using program WinRar.
Password for the archive was generated randomly and encrypted algorithm used in the military sphere.
This means that no one in the world can not help you to receive a password, except for me.
I'm not the one who receives money and disappears. In this case, you will get your 100% data back, but there is little time restriction on a valid password, so postpone and believe in miracles not worth it.
Your encrypted password stored on the disk c:\key.txt or folder c:\windows\key.txt.
It should be sent to e-mail realxakepok@bigmir.net and discuss payment method.
Price password is symbolic twenty five euros.

The key.txt is present in both paths and has a few numbers inside.
To clarify, I did not delete the files, only the registry keys.

So, every step I take apparently gets the PC healthy again, but I'm unable to access the documents; every one is compressed and password protected in a .RAR file. I went to ID Ransomware to identify it, but that site cannot identify any known ransomware. Help please!
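The steps in this post (scheduled tasks pointing at batch files under the Windows folder, leftover autorun entries, key.txt in two fixed paths, documents replaced by .rar archives) can be collected in one read-only pass so the findings can be attached to a sample submission. The script below is an added example written for this thread, not code from the original post or from any BleepingComputer tool; the sweep roots, the three-day look-back window and the D:\key.txt path (a second poster later reports one on D:\) are assumptions.

```powershell
# Read-only triage for the RAR-archiving ransomware described in this thread.
# Added example, not from the original post. Run in an elevated PowerShell session
# on the affected machine; nothing is deleted or modified.
param(
    [datetime]$Since = (Get-Date).AddDays(-3),                  # assumed look-back window
    [string[]]$SweepRoots = @('C:\Users', 'C:\inetpub', 'D:\')  # assumed folders to scan for .rar
)

$findings = [System.Collections.Generic.List[object]]::new()

function Add-Finding([string]$Kind, [string]$Name, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Kind = $Kind; Name = $Name; Detail = $Detail })
}

# 1. Scheduled tasks whose action runs a batch file (MY.BAT, MY.BAT3, MY.BAT4 in the thread)
#    or an executable dropped directly under C:\Windows or C:\Program Files.
foreach ($task in Get-ScheduledTask -ErrorAction SilentlyContinue) {
    foreach ($action in $task.Actions) {
        if (-not $action.Execute) { continue }
        $exe     = $action.Execute.Trim('"')
        $cmdline = "$exe $($action.Arguments)".Trim()
        $batch   = $cmdline -match '\.(bat|cmd)\d*("|\s|$)'
        $oddDir  = $exe -match '^[A-Z]:\\(Windows|Program Files( \(x86\))?)\\[^\\]+$'
        if ($batch -or $oddDir) {
            $info = Get-ScheduledTaskInfo -TaskName $task.TaskName -TaskPath $task.TaskPath
            Add-Finding 'ScheduledTask' "$($task.TaskPath)$($task.TaskName)" `
                "$cmdline (last run $($info.LastRunTime), author '$($task.Author)')"
        }
    }
}

# 2. Autorun registry values that still launch a batch file. The first poster removed
#    keys by hand; this lists whatever remains without touching it.
$runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }          # skip PSPath, PSParentPath, etc.
        if ("$($p.Value)" -match '\.(bat|cmd)\d*("|\s|$)') {
            Add-Finding 'AutorunValue' "$key\$($p.Name)" "$($p.Value)"
        }
    }
}

# 3. The key.txt files the ransom note points at. Record size and hash so the files can
#    be referenced in a submission; the content is never printed here.
foreach ($path in 'C:\key.txt', 'C:\Windows\key.txt', 'D:\key.txt') {
    if (Test-Path -LiteralPath $path) {
        $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        $size = (Get-Item -LiteralPath $path).Length
        Add-Finding 'KeyFile' $path "$size bytes, SHA256 $hash"
    }
}

# 4. RAR archives created inside the look-back window. A document that was replaced by a
#    password-protected .rar shows up here with a fresh CreationTime.
$rars = Get-ChildItem -Path $SweepRoots -Recurse -File -Filter '*.rar' -ErrorAction SilentlyContinue |
        Where-Object { $_.CreationTime -ge $Since }
foreach ($r in $rars) {
    Add-Finding 'RecentRar' $r.FullName "created $($r.CreationTime), $($r.Length) bytes"
}

"{0} findings ({1} recent .rar archives since {2})" -f $findings.Count, @($rars).Count, $Since
$findings | Sort-Object Kind, Name | Format-Table -AutoSize -Wrap
```

The ScheduledTask and AutorunValue rows are the ones worth acting on: the executables and batch files they name are what the analysts in this thread ask for, since the key.txt files and the archives themselves do not identify the malware. The creation-time filter on step 4 is deliberately loose; an archive renamed by the user afterwards keeps its original CreationTime and still shows up.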

#2 xXToffeeXx

xXToffeeXx

    Bleepin' Polar Bear


  • Malware Response Instructor
  • 6,054 posts
  • Gender:Female
  • Location:The Arctic Circle
  • Local time:09:54 PM

Posted 16 June 2016 - 12:47 PM

Hi gustalitro,
 
Samples of any encrypted files, ransom notes or suspicious executables (installer, malicious files, attachments) that you suspect were involved in causing the infection can be submitted here with a link to this topic. Doing that will be helpful with analysing and investigating by our experts.
 
xXToffeeXx~


~If I am helping you and you have not had a reply from me in two days, please send me a PM~

 

logo-25.pngID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic] - If we have helped you out and you want to support what we do, you can do so here

 

 ~Twitter~ | ~Malware Analyst at Emsisoft~


#3 gustalitro

gustalitro
  • Topic Starter

  • Members
  • 5 posts
  • Local time:04:54 PM

Posted 16 June 2016 - 01:03 PM

I put the files into a .ZIP file and uploaded it to the provided link.



#4 Demonslay335

Demonslay335

    Ransomware Hunter


  • Security Colleague
  • 3,478 posts
  • Gender:Male
  • Location:USA
  • Local time:03:54 PM

Posted 16 June 2016 - 02:58 PM

So far, we aren't finding the ransomware in those files as far as we can tell. There definitely was malicious adware in there, but nothing that encrypts so far. We are still analyzing the geen.exe, but it was submitted to VirusTotal over a year ago, so we aren't sure if it would be still something new and unidentified. We're still working to try unpacking it to figure out more on it though.

 

I don't recognize the ransom note or the email address in it.

 

There won't be any chance of cracking the RAR password most likely. The only chance is if it is under 10 characters, which is unlikely; anything higher will take decades or more even on large GPU clusters.


logo-25.pngID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

ransomnotecleaner-25.png RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

cryptosearch-25.pngCryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.


#5 gustalitro

gustalitro
  • Topic Starter

  • Members
  • 5 posts
  • Local time:04:54 PM

Posted 17 June 2016 - 07:45 AM

I have found new files... I will try to upload them split into 3 parts, because the folder weighs more than 10 MB, at the link provided. It's an installer of GetDataBack; I think it's fake.


Edited by gustalitro, 17 June 2016 - 07:54 AM.


#6 Demonslay335

Demonslay335

    Ransomware Hunter


  • Security Colleague
  • 3,478 posts
  • Gender:Male
  • Location:USA
  • Local time:03:54 PM

Posted 17 June 2016 - 08:50 AM

We found the geen.exe does have a screen locker with the same email address, but are unsure if it actually does the encrypting. Is this screen still up on the infected machine?

 

https://twitter.com/BleepinComputer/status/743658281529389056


logo-25.pngID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

ransomnotecleaner-25.png RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

cryptosearch-25.pngCryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.


#7 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,541 posts
  • Gender:Male
  • Location:USA
  • Local time:04:54 PM

Posted 17 June 2016 - 10:11 AM

Also, the screenlocker password is: iamsorrygoodluck

#8 txitxa

txitxa

  • Members
  • 10 posts
  • Local time:10:54 PM

Posted 29 June 2016 - 02:19 PM

Hi,
I have been redirected to this topic by quietman7.

Sorry if I'm doing this wrong, because my English level is not very high.

I want to explain that I have the same problem as "gustalitro". I read the topic about "gustalitro" and the message in the encrypted files is the same, and I have key.txt files in the same places (C:\ & D:\), but I don't have those processes running on my PC.

I need permission from Bleeping Computer to upload my files and check my problem, as I understood it that way, here.

Thanks for your help

#9 txitxa

txitxa

  • Members
  • 10 posts
  • Local time:10:54 PM

Posted 02 July 2016 - 04:25 AM

Hi,

Can somebody help me?

Thanks



#10 Demonslay335

Demonslay335

    Ransomware Hunter


  • Security Colleague
  • 3,478 posts
  • Gender:Male
  • Location:USA
  • Local time:03:54 PM

Posted 11 July 2016 - 08:04 PM

@txitxa

 

Yes, please upload any malicious files to the link provided. We need the ransomware itself in order to analyze it.


logo-25.pngID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

ransomnotecleaner-25.png RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

cryptosearch-25.pngCryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.


#11 txitxa

txitxa

  • Members
  • 10 posts
  • Local time:10:54 PM

Posted 12 July 2016 - 05:56 PM

Hi,
I tried to upload a file, but it responded with an error.

I put "key.txt" as the ransom note. This file contains a password that I need to send to recover my files

&

I put the file " " as a sample encrypted file.

But...

And I receive this message: Unable to determine ransomware.

...
...
Please reference this case SHA1: f0bf7961601446e745efeb3af88255f70b6edc43

I don't know if I'm doing it right.

I would like to share images but I don't know how.

Thanks



#12 Demonslay335

Demonslay335

    Ransomware Hunter


  • Security Colleague
  • 3,478 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:03:54 PM

Posted 12 July 2016 - 06:00 PM

We need the malware itself. Not the key file or encrypted files; we need to analyze the executable malware that caused the infection. You may run scans with MalwareBytes and HitmanPro, and try to find where you got the infection, such as from an email attachment or a bad download from a website.

Please submit malicious files here: http://www.bleepingcomputer.com/submit-malware.php?channel=168



#13 txitxa

txitxa

  • Members
  • 10 posts
  • Local time:10:54 PM

Posted 12 July 2016 - 07:05 PM

Ok,

I'll leave Malwarebytes running on my PC tonight. Afterwards I will do the same with HitmanPro and I will report the results to you.

Meanwhile I submitted a file at the link above.

Thanks



#14 txitxa

txitxa

  • Members
  • 10 posts
  • Local time:10:54 PM

Posted 13 July 2016 - 01:59 AM

Demonslay,

MalwareBytes and HitmanPro did not detect any malware.

Only:

HITMANPRO

C:\Program Files\KMSpico\AutoPico.exe

C:\Program Files\KMSpico\Service_KMS.exe

C:\Program Files\cFosSpeed\cFosSpeed.exe

C:\Users\txitx\Desktop\FRST64.exe

And a lot of cookies



#15 txitxa

txitxa

  • Members
  • 10 posts
  • Local time:10:54 PM

Posted 13 July 2016 - 02:27 PM

Hi Demonslay,

Last night I also left ESET Online Scanner running, and I have a log.txt. Does it help you?

If so, how can I send it to you?

Thanks
