
Zimbra Ransomware written in Python Help and Support Topic ( .Crypto howto.txt)


12 replies to this topic

#1 tatoyeah

tatoyeah

  • Members
  • 5 posts

Posted 21 June 2016 - 01:44 PM

Greetings,

 

I came here through the https://id-ransomware.malwarehunterteam.com/identify.php webpage; yesterday my email server, which runs ZIMBRA 8, was infected with an unknown ransomware attack.

 

The store folder which keeps all the emails now contains all the .MSG files with an added .CRYPTO extension.

 

 




 


#2 cybercynic

cybercynic

  • Members
  • 508 posts
  • Gender:Male
  • Location:Edge Of Tomorrow

Posted 21 June 2016 - 01:51 PM

Post the "case SHA1" that ID-Ransomware gave you in your next message. Demonslay will analyze the unidentified ransomware.


We are drowning in information - and starving for wisdom.


#3 Amigo-A

Amigo-A

  • Members
  • 159 posts
  • Gender:Male
  • Location:Third station from Sun

Posted 21 June 2016 - 01:52 PM

What is written in the ransom note?

English or Russian?


Edited by Amigo-A, 21 June 2016 - 01:55 PM.

Digest of Crypto-Ransomware's (In Russian) + Google Translate Technology

Anti-Ransomware Project  (In Russian) + Google Translate Technology


#4 Demonslay335

Demonslay335

    Ransomware Hunter


  • Security Colleague
  • 2,666 posts
  • Gender:Male
  • Location:USA

Posted 21 June 2016 - 02:02 PM

Was your ransom note "how.txt", and is this the original filename? I see a recent submission with the following text.

Hello, If you want to unsafe your files you should send 3 btc to 1H7brbbi8xuUvM6XE6ogXYVCr6ycpX3mf2 and an email to mpritsken@priest.com with: -----BEGIN PUBLIC KEY-----

MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqyZTQejd2i2MUCi3MzhY
7Q88Ndu2dfLwkoFedgUqLdwQkGH3w2XSDIWdw12QyZ7WLJ8XC7kASP+3FfHlLec3
YqHLoPAMcR+HxaMsuSC9vWzRngXDR5iSFEPHjdMxr8ikzFP755jl5z8BPdh+QZmG
QibszVONmFbigTjsp0bgLcd9NCdu4OlDDuXByYlc7Efn4zqRI9ddeWvMlG5n3TFH
S7+PVx34TPbOHWAYaQqeuD2VPjGGlVSoqNbyfmKZSBkKB+PLOn5isLkefCfnk/z8
PfxpuC4+HPB1mbMO8Um3pmTGcgM5G/VH2N44ZEqe7N4yyVG272TcjRSoL6pQp/IB
kQIDAQAB
-----END PUBLIC KEY-----

I have a handful of submissions with the ".crypto" extension that I am seeing. I have not seen this one before, will set out a hunt.

If you can locate any malicious executables, we need the malware itself to analyze. You may submit suspicious files here: http://www.bleepingcomputer.com/submit-malware.php?channel=168

ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]


#5 tatoyeah

tatoyeah
  • Topic Starter

  • Members
  • 5 posts

Posted 21 June 2016 - 02:18 PM

Thanks for the quick reply. I've uploaded the "how.txt" and a copy of one of the encrypted files at this URL: https://we.tl/XN03IEzwLc

-----BEGIN PUBLIC KEY-----

MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqyZTQejd2i2MUCi3MzhY
7Q88Ndu2dfLwkoFedgUqLdwQkGH3w2XSDIWdw12QyZ7WLJ8XC7kASP+3FfHlLec3
YqHLoPAMcR+HxaMsuSC9vWzRngXDR5iSFEPHjdMxr8ikzFP755jl5z8BPdh+QZmG
QibszVONmFbigTjsp0bgLcd9NCdu4OlDDuXByYlc7Efn4zqRI9ddeWvMlG5n3TFH
S7+PVx34TPbOHWAYaQqeuD2VPjGGlVSoqNbyfmKZSBkKB+PLOn5isLkefCfnk/z8
PfxpuC4+HPB1mbMO8Um3pmTGcgM5G/VH2N44ZEqe7N4yyVG272TcjRSoL6pQp/IB
kQIDAQAB
-----END PUBLIC KEY-----

In addition, I'm no expert in Python, but I found this file which may be the file that generated the .crypto files ( https://gist.github.com/ratasxy/9416254d966bd701b5a85013969febaf )

I hope that you can help me to identify the ransomware; any help would be greatly appreciated.

Thanks in advance



#6 tatoyeah

tatoyeah
  • Topic Starter

  • Members
  • 5 posts

Posted 21 June 2016 - 02:27 PM

> Was your ransom note "how.txt", and is this the original filename? I see a recent submission with the following text.
>
> Hello, If you want to unsafe your files you should send 3 btc to 1H7brbbi8xuUvM6XE6ogXYVCr6ycpX3mf2 and an email to mpritsken@priest.com with: -----BEGIN PUBLIC KEY-----
> MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqyZTQejd2i2MUCi3MzhY
> 7Q88Ndu2dfLwkoFedgUqLdwQkGH3w2XSDIWdw12QyZ7WLJ8XC7kASP+3FfHlLec3
> YqHLoPAMcR+HxaMsuSC9vWzRngXDR5iSFEPHjdMxr8ikzFP755jl5z8BPdh+QZmG
> QibszVONmFbigTjsp0bgLcd9NCdu4OlDDuXByYlc7Efn4zqRI9ddeWvMlG5n3TFH
> S7+PVx34TPbOHWAYaQqeuD2VPjGGlVSoqNbyfmKZSBkKB+PLOn5isLkefCfnk/z8
> PfxpuC4+HPB1mbMO8Um3pmTGcgM5G/VH2N44ZEqe7N4yyVG272TcjRSoL6pQp/IB
> kQIDAQAB
> -----END PUBLIC KEY-----
>
> I have a handful of submissions with the ".crypto" extension that I am seeing. I have not seen this one before, will set out a hunt.
>
> If you can locate any malicious executables, we need the malware itself to analyze. You may submit suspicious files here: http://www.bleepingcomputer.com/submit-malware.php?channel=168

I've uploaded the file as requested; that was the original file, copied from the source and not modified.


Edited by tatoyeah, 21 June 2016 - 02:31 PM.


#7 Amigo-A

Amigo-A

  • Members
  • 159 posts
  • Gender:Male
  • Location:Third station from Sun

Posted 21 June 2016 - 03:26 PM

An analogue from 5 days ago:

http://webcache.googleusercontent.com/search?q=cache:yEnc95l5OQ4J:pastebin.com/dfzgNBKQ+&cd=4&hl=ru&ct=clnk


Edited by Amigo-A, 21 June 2016 - 03:28 PM.



#8 Demonslay335

Demonslay335

    Ransomware Hunter


  • Security Colleague
  • 2,666 posts
  • Gender:Male
  • Location:USA

Posted 21 June 2016 - 04:23 PM

The encrypted file you submitted had ".crypto.crypto" - are all of your files the same as this? Hopefully the encryption did not run twice on your system.

 

Can you provide a few encrypted files? You may share them with a third-party service such as SendSpace.




#9 tatoyeah

tatoyeah
  • Topic Starter

  • Members
  • 5 posts

Posted 21 June 2016 - 05:53 PM

On my server it seems that there has been only one execution; probably after I executed some of the Kaspersky tools another .crypto extension was added.

 

File 1: https://www.sendspace.com/file/qliie8
File 2: https://www.sendspace.com/file/57qy73
File 3: https://www.sendspace.com/file/guib3f
File 4: https://www.sendspace.com/file/jc24f3
File 5: https://www.sendspace.com/file/wpjpmj
File 6: https://www.sendspace.com/file/b2ukbz
File 7: https://www.sendspace.com/file/i6wzut
File 8: https://www.sendspace.com/file/s1e137
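
Two checks a responder would want to run on what has been posted so far, as an added example that is not code from any participant in this thread nor from the ID Ransomware or CryptoSearch tools: first, the ransom note (post #4) embeds a PEM public key, and pulling the RSA modulus size, exponent and a SHA-256 fingerprint out of it gives a stable identifier that can be compared across submissions without touching the attacker's contact details; second, Demonslay335 spotted a file carrying ".crypto.crypto" (post #8), so an inventory of how many times the extension is stacked on each file in the mail store shows at a glance whether a second pass ran or whether only a few files were touched twice. The PEM block below is the one quoted in the thread; the surrounding note text and the file names are constructed for the example, and the store path in the usage comment is hypothetical. The DER walker is a minimal tag-length-value reader written for this example, enough for a SubjectPublicKeyInfo and nothing more.

```python
import base64
import hashlib
import os
import re
from collections import Counter

# Constructed sample note: the PEM block is the public key quoted in this thread;
# the payment/contact wording has been replaced by a placeholder.
RANSOM_NOTE_SAMPLE = """Hello, your files are encrypted. Send the key below to (contact omitted in this example):
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqyZTQejd2i2MUCi3MzhY
7Q88Ndu2dfLwkoFedgUqLdwQkGH3w2XSDIWdw12QyZ7WLJ8XC7kASP+3FfHlLec3
YqHLoPAMcR+HxaMsuSC9vWzRngXDR5iSFEPHjdMxr8ikzFP755jl5z8BPdh+QZmG
QibszVONmFbigTjsp0bgLcd9NCdu4OlDDuXByYlc7Efn4zqRI9ddeWvMlG5n3TFH
S7+PVx34TPbOHWAYaQqeuD2VPjGGlVSoqNbyfmKZSBkKB+PLOn5isLkefCfnk/z8
PfxpuC4+HPB1mbMO8Um3pmTGcgM5G/VH2N44ZEqe7N4yyVG272TcjRSoL6pQp/IB
kQIDAQAB
-----END PUBLIC KEY-----
"""

PEM_RE = re.compile(r"-----BEGIN PUBLIC KEY-----(.*?)-----END PUBLIC KEY-----", re.S)


def extract_pem_keys(note_text):
    """Return every PEM public-key body (base64 with whitespace removed) found in a note."""
    return [re.sub(r"\s+", "", body) for body in PEM_RE.findall(note_text)]


def _read_tlv(buf, pos):
    """Read one DER tag-length-value at buf[pos]; return (tag, value, position after it)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits say how many length bytes follow
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def rsa_key_params(pem_body):
    """Decode a SubjectPublicKeyInfo; return modulus size, public exponent and a SHA-256 fingerprint."""
    der = base64.b64decode(pem_body)
    tag, spki, _ = _read_tlv(der, 0)            # SubjectPublicKeyInfo ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _alg, pos = _read_tlv(spki, 0)           # AlgorithmIdentifier (rsaEncryption + NULL)
    tag, bitstr, _ = _read_tlv(spki, pos)       # subjectPublicKey ::= BIT STRING
    if tag != 0x03:
        raise ValueError("expected BIT STRING")
    _, rsa_seq, _ = _read_tlv(bitstr[1:], 0)    # skip unused-bits byte; RSAPublicKey ::= SEQUENCE
    _, n_bytes, pos = _read_tlv(rsa_seq, 0)     # modulus INTEGER (may carry a leading 0x00)
    _, e_bytes, _ = _read_tlv(rsa_seq, pos)     # publicExponent INTEGER
    return {
        "modulus_bits": int.from_bytes(n_bytes, "big").bit_length(),
        "exponent": int.from_bytes(e_bytes, "big"),
        "sha256": hashlib.sha256(der).hexdigest(),   # fingerprint of the DER key for cross-referencing
    }


def crypto_suffix_depth(filename, marker=".crypto"):
    """How many times the ransomware extension is stacked on the name (case-insensitive)."""
    name = filename.lower()
    depth = 0
    while name.endswith(marker):
        name = name[:-len(marker)]
        depth += 1
    return depth


def summarize_suffix_depths(filenames, marker=".crypto"):
    """Count files per depth: 0 = untouched, 1 = encrypted once, 2+ = extension applied again."""
    return Counter(crypto_suffix_depth(f, marker) for f in filenames)


def scan_store(root, marker=".crypto"):
    """Walk a mail store; return (depth counter, paths carrying the extension more than once)."""
    names, doubled = [], []
    for dirpath, _dirs, files in os.walk(root):
        for f in files:
            names.append(f)
            if crypto_suffix_depth(f, marker) >= 2:
                doubled.append(os.path.join(dirpath, f))
    return summarize_suffix_depths(names, marker), doubled


if __name__ == "__main__":
    key = extract_pem_keys(RANSOM_NOTE_SAMPLE)[0]
    print("Ransom note key:", rsa_key_params(key))
    # Constructed file names standing in for scan_store("/opt/zimbra/store") (hypothetical path)
    sample = ["1.msg.crypto", "2.MSG.CRYPTO.CRYPTO", "3.msg"]
    print("Suffix depths:", dict(summarize_suffix_depths(sample)))
```

Run it against a real store with `scan_store("/path/to/store")`; a counter where depth 2 is a handful of files while depth 1 is the bulk matches the "one execution, then a tool renamed a few files" explanation, whereas depth 2 across the whole tree would point at the encryptor having run twice. The key fingerprint is worth recording alongside any sample submission, since two victims whose notes carry the same public key are very likely dealing with the same campaign.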



#10 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 47,823 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 21 June 2016 - 08:06 PM

A variant of Rakhni Ransomware utilizes the .crypto extension.
Microsoft MVP Consumer Security 2007-2015
Microsoft MVP Reconnect 2016
Windows Insider MVP 2017
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#11 tatoyeah

tatoyeah
  • Topic Starter

  • Members
  • 5 posts

Posted 21 June 2016 - 09:00 PM

I've tried the Rakhni decryptor from Kaspersky; unfortunately it doesn't support the ":MSG.CRYPTO" extension. Nevertheless I'm going to try to find another decryptor, thanks for the hint!!



#12 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 42,868 posts
  • Gender:Male
  • Location:USA

Posted 21 June 2016 - 10:24 PM

This appears to be the Python ransomware tatoyeah got hit with.



#13 Andy2012

Andy2012

  • Members
  • 1 posts

Posted 27 July 2016 - 04:42 PM

A few questions for the topic starter:

Was the user/administrator web interface accessible from the Internet, and which ports in general were accessible from the Internet?
Can you tell us the full version of the Zimbra server and the operating system?
Was this physical/virtual server used only for Zimbra?


Edited by Andy2012, 27 July 2016 - 05:04 PM.