Negozl Ransomware Support & Help Topic (.evil extension)


14 replies to this topic

#1 TechGuru11


Posted 17 June 2016 - 03:22 PM

Here is the ransom note below. All the files have the extension .evil
 
All your files have been encrypted with NegozI Ransomware. 
For each file unique, strong key. Algorithm AES256
All your attempts to restore files on their own, lead to the loss of the possibility of recovery and we are not going to help you.
All your actions are traced and known to us.


If you do not make payment within 5 days, you will lose the ability to decrypt them.
Make your Bitcoin Wallet on: https://www.coinbase.com/ , https://block.io or http://blockchain.info 
How to buy /sell and send Bitcoin: 
1)https://support.coinbase.com/customer/en/portal/topics/796531-payment-method-verification/articles 
2)https://support.coinbase.com/customer/en/portal/topics/601090-buying-selling-bitcoin/articles 
3)https://support.coinbase.com/customer/en/portal/topics/601112-sending-receiving-bitcoin/articles 

After the payment, send the wallet from which paid and your uniq ID to mail : never@bull.me
After receiving the payment, we will contact and give you decryption tools and faq how to decrypt your files.

 
Sample file: https://www.sendspace.com/file/umfgnn


#2 Demonslay335


Posted 17 June 2016 - 03:33 PM

I think I've seen this submitted before, and there are possible connections with Sanction and RemindMe based on the ransom note filename. I have been searching for a sample of RemindMe without success.

 

If you can locate the malware, that would be of great assistance in analysis. You may submit any suspicious or malicious files here: http://www.bleepingcomputer.com/submit-malware.php?channel=168


ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.


#3 Amigo-A


Posted 18 June 2016 - 06:34 AM

And how much money extorted?


Need info about Crypto-Ransomware? A huge safe base here!

Digest about Crypto-Ransomwares (In Russian) + Google Translate Technology

Anti-Ransomware Project  (In Russian) + Google Translate Technology and links


#4 TechGuru11


Posted 20 June 2016 - 08:48 AM

They wanted 5 bitcoins, but the email address has a bounce-back. Has anyone paid this ransom and received their files?



#5 Demonslay335


Posted 20 June 2016 - 10:46 AM

Possible their account was suspended. If you can find the malware itself, we have a hunch it may be decryptable - I just have to have a sample to analyze to confirm and adjust an existing decrypter for it if possible.

 

You can scan the system thoroughly with HitmanPro and MalwareBytes, and also check common infection locations such as Downloads, %APPDATA%, and %TEMP%. It could be from an email, or malicious download, or a manual RDP hack if it was a server. I do not believe this one is spread via an exploit kit, or we would have more victims reported.


logo-25.pngID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

ransomnotecleaner-25.png RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

cryptosearch-25.pngCryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.

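As an added example (not code from this thread or from any BleepingComputer tool), a small Python triage helper that does what Demonslay335 suggests above: walk Downloads, %APPDATA% and %TEMP% for recently modified executable-type files worth submitting for analysis, and count the files carrying the .evil extension. The directory list, the extension set and the one-week look-back window are assumptions, and the sample tree it builds is constructed, not victim data.

```python
import os
import tempfile
import time
from pathlib import Path

# File types worth submitting for analysis (assumption: common dropper formats).
SUSPECT_EXTS = {".exe", ".dll", ".scr", ".js", ".jse", ".vbs", ".wsf", ".bat", ".cmd", ".ps1", ".hta"}

def default_drop_dirs():
    """Locations named in the thread: Downloads, %APPDATA%, %TEMP% (Windows env vars assumed)."""
    raw = [str(Path.home() / "Downloads"), os.environ.get("APPDATA", ""), os.environ.get("TEMP", "")]
    return [Path(p) for p in raw if p and Path(p).is_dir()]

def recent_suspects(dirs, since_epoch):
    """Suspect-type files modified at or after since_epoch, as (path, mtime), newest first."""
    hits = []
    for d in dirs:
        for root, _sub, files in os.walk(d):
            for name in files:
                p = Path(root) / name
                if p.suffix.lower() not in SUSPECT_EXTS:
                    continue
                try:
                    mtime = p.stat().st_mtime
                except OSError:  # vanished or unreadable: skip it, do not abort the triage
                    continue
                if mtime >= since_epoch:
                    hits.append((str(p), mtime))
    return sorted(hits, key=lambda t: t[1], reverse=True)

def count_encrypted(dirs, ext=".evil"):
    """Count files carrying the ransomware's extension (.evil in this thread)."""
    return sum(1 for d in dirs for _r, _s, files in os.walk(d)
               for f in files if f.lower().endswith(ext))

def build_constructed_sample():
    """Constructed sample tree, not victim data: a fresh .exe, a month-old .exe, one
    encrypted document and a text file. Returns (directory, one-week cutoff)."""
    base = Path(tempfile.mkdtemp(prefix="negozl_triage_"))
    now = time.time()
    (base / "invoice.exe").write_bytes(b"MZ")                   # fresh: inside the window
    (base / "setup.exe").write_bytes(b"MZ")
    os.utime(base / "setup.exe", (now - 30 * 86400,) * 2)      # old: outside the window
    (base / "report.docx.evil").write_bytes(b"\x00" * 16)      # one encrypted file
    (base / "notes.txt").write_text("not a suspect type")
    return base, now - 7 * 86400
```

On an affected machine, `recent_suspects(default_drop_dirs(), time.time() - 7 * 86400)` lists candidates newest first; widen the window to the date the files were encrypted, and submit anything unfamiliar through the link Demonslay335 gives rather than running it.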

#6 Amigo-A


Posted 20 June 2016 - 02:46 PM

TechGuru11,

Please attach the 'ransom note' in a following post. I think the text is not complete.


Edited by Amigo-A, 20 June 2016 - 02:47 PM.



#7 TechGuru11


Posted 21 June 2016 - 10:29 AM

I found the dropper, please provide the link to send the dropper to for analysis. Thank you.



#8 Demonslay335


Posted 21 June 2016 - 10:30 AM

I found the dropper, please provide the link to send the dropper to for analysis. Thank you.


Please submit the malicious file here:
http://www.bleepingcomputer.com/submit-malware.php?channel=168



#9 Demonslay335


Posted 21 June 2016 - 12:31 PM

Thanks for the submission. I am taking a look at it now.


Edited by Demonslay335, 21 June 2016 - 12:33 PM.



#10 Demonslay335


Posted 22 June 2016 - 11:26 AM

I have a beta decrypter if any victims can please contact me for testing.

 

I believe it should also work for the RemindMe variant (.remind).




#11 fishroof


Posted 29 June 2016 - 04:25 PM

Demonslay335,

I have some .Evil files that you could try your beta decrypter on.  How do I best get them to you?



#12 Amigo-A


Posted 30 June 2016 - 01:36 AM

fishroof

 

Upload to https://www.sendspace.com/




#13 Demonslay335


Posted 30 June 2016 - 09:27 AM

@Amigo-A

 

I have replied to @fishroof through PM.  :thumbup2:




#14 vcesar1


Posted 21 September 2017 - 04:06 PM

WARNING!!! Your files are encrypted!
Your personal ID:
Save the ID before doing anything on the computer!!! Be sure to save this ID, without it decryption is impossible!!!
All your files (databases, documents, tables, backup's, etc.) are encrypted with the most cryptographic encryption algorithm RSA-2048, decryption is possible only with the help of our decoder.
To recover data you need decryptor.
Instructions for obtaining a decryptor:

Send your ID to the mailbox below and wait for the answer: decryptyour@gmail.com. In the response letter there will be instructions for decoding.

 
Attention!
  • Do not attempt to remove the program or run the anti-virus tools
  • Attempts to self-decrypting files will result in the loss of your data
  • Decoders other users are not compatible with your data, because each user's unique encryption key

Hello to all, my ransom note directs me to this forum; the encryption extension is crypt. I attach the ransom note.



#15 quietman7


Posted 21 September 2017 - 04:43 PM

Demonslay335 identified your ransomware infection as GlobeImposter 2.0 in your original topic.
Microsoft MVP Consumer Security 2007-2015
Microsoft MVP Reconnect 2016
Windows Insider MVP 2017
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click here.



