
SecureCryptor Topic (.SecureCrypted, *.Contact_Here_To_Recover_Your_Files.txt)


161 replies to this topic

#1 Demonslay335

    Ransomware Hunter

Posted 22 June 2016 - 08:59 AM

For anyone hit with this ransomware, please close RDP if you don't need it or change the password to a secure one (not user/admin/password etc.). Also, please keep updated backups. These steps don't cost as much as being hit by ransomware and paying the ransom.

A few file submissions have recently cropped up for a new ransomware we'll dub "SecureCryptor", a variant of the "Apocalypse" ransomware. The victim's files are encrypted and have the extension ".SecureCrypted" or ".bleepYourData" appended to them.
 
Thankfully, Fabian Wosar of Emsisoft was able to create a decryptor for this ransomware.
 
For every file encrypted, it seems the ransomware also creates a new file for the ransom note with the pattern "<original filename>.Contact_Here_To_Recover_Your_Files.txt" or "<original filename>.Where_my_files.txt". For example, if "picture.jpg" was encrypted (and becomes "picture.jpg.SecureCrypted"), a ransom note will be created called "picture.jpg.Contact_Here_To_Recover_Your_Files.txt".
 
The ransom note contains the following message.
 

A L L    Y O U R    F I L E S    A R E    E N C R Y P T E D
 
All your data - documents, photos, videos, backups - everything is encrypted.
 
The only way to recover your files:  contact us to the next email: recoveryhelp@bk.ru
 
Attach to e-mail:
1. Text with your IP server as Subject (To locate your encryption algoritm)
2. 1-2 encrypted files (please dont send files bigger than 1 MB)
 
We will check the encrypted file and send to you an email with your 
Decrypted FILE as proof that we actually have the decrypter software.
 
Remember: 
1. The FASTER you'll CONTACT US - the FASTER you will RECOVER your files.
2. We will ignore your e-mails without IP server number in Subject. 
3. If you haven't received reply from us in 24 hours - try to contact us via public e-mail services such as Yahoo or so.

 
Based on the submissions I have received, there are signs we may be able to help victims with this ransomware.
 
If you are a victim of this ransomware, please submit a few files that you have the clean copy of for analysis (e.g. Sample Pictures, or a file you downloaded and can re-create). Acquiring the malware itself will also be helpful. Encrypted/clean sample pairs and malicious files may be submitted here (please include an email so we can contact you): http://www.bleepingcomputer.com/submit-malware.php?channel=168


Edited by xXToffeeXx, 05 October 2016 - 03:22 PM.

ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.



#2 Amigo-A


Posted 22 June 2016 - 03:26 PM

Compiled a Russian-language description and gave a link to this topic.


Need info about Crypto-Ransomware? A huge safe base here!

Digest about Crypto-Ransomwares (In Russian) + Google Translate Technology

Anti-Ransomware Project  (In Russian) + Google Translate Technology and links


#3 alobien


Posted 23 June 2016 - 05:56 PM

Hello, how can I solve this please? My server has got this virus. I have read so many articles, tried so many things and apps with no luck so far. Can you please help me recover the info?



#4 Demonslay335


Posted 23 June 2016 - 05:58 PM

Can you find a pair of files where you have a clean copy of the encrypted file? We need them to analyze how this ransomware has encrypted the files. For example, the Sample Pictures can be reproduced from another computer.




#5 alobien


Posted 23 June 2016 - 09:14 PM

I have just sent the sample files in a zip file, via e-mail to bleep@bleepingcomputer.com and through the link 

http://www.bleepingcomputer.com/submit-malware.php?channel=168

 

Thank you very much for your help!

 

Regards,

 

Alejandro Nunez

alobien@gmail.com



#6 Demonslay335


Posted 24 June 2016 - 02:57 PM

Fabian updated his Apocalypse Decrypter to handle this bugger. :)

 

https://decrypter.emsisoft.com/apocalypse




#7 Amigo-A


Posted 24 June 2016 - 03:40 PM

They nest there.

 


 

decryptionservice@mail.ru
decryptionservice@inbox.ru
decryptdata@inbox.ru
recoveryhelp@bk.ru
dr.decrypter@bk.ru
 

Edited by Amigo-A, 25 June 2016 - 04:18 AM.



#8 Demonslay335


Posted 05 July 2016 - 08:45 AM

A new variant was discovered with extension ".F**YourData" and ransom note *.Where_my_files.txt. Fabian's Apocalypse Decrypter has been updated to handle this as well. :)

 

https://decrypter.emsisoft.com/apocalypse

 

I have seen submissions for a ".unavailable" and *.Read_Me.Txt on ID Ransomware, which looks to be related to Apocalypse as well based on the ransom note and file patterns. If anyone has a sample of the malware, please submit it here for analysis: http://www.bleepingcomputer.com/submit-malware.php?channel=170


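The first post describes the per-file naming pattern (each encrypted file gets a new extension and a sibling ransom note named "<original filename>.<note suffix>"), and post #8 adds the ".unavailable" / "*.Read_Me.Txt" variant. The following is an added example, not code from this thread, from Emsisoft's decrypter, or from the BleepingComputer tools linked in the signatures: it turns a flat file listing into an inventory of original/encrypted/note triples so a responder can scope an incident (how many files, which ones lack a note, which notes are orphaned) and pull the contact address out of a note to attribute it to this family. The extension list, note suffixes and contact addresses come from the posts above; the sample listing, the sample note line, and the function names (`classify`, `build_inventory`, `summarize`, `contacts_in_note`, `list_tree`) are constructed for this example.

```python
"""Inventory encrypted files and per-file ransom notes (added example).

Not code from the thread, Emsisoft, or BleepingComputer. Lists below are
taken from the thread; the sample listing and function names are constructed.
"""
import os
import re

# Extensions appended to encrypted files (from the thread).
ENCRYPTED_EXTENSIONS = (".SecureCrypted", ".bleepYourData", ".unavailable")

# Suffixes of the note dropped beside each encrypted file (from the thread).
NOTE_SUFFIXES = (
    ".Contact_Here_To_Recover_Your_Files.txt",
    ".Where_my_files.txt",
    ".Read_Me.Txt",
)

# Contact addresses listed in the thread, used to attribute a note to this family.
KNOWN_CONTACTS = frozenset({
    "decryptionservice@mail.ru",
    "decryptionservice@inbox.ru",
    "decryptdata@inbox.ru",
    "recoveryhelp@bk.ru",
    "dr.decrypter@bk.ru",
})

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def _strip_suffix(path, suffixes):
    """Return (original_path, suffix) if path ends with one of suffixes, else (None, None).

    Case-insensitive because NTFS is; the remainder must still name a file.
    """
    lowered = path.lower()
    for suffix in suffixes:
        if lowered.endswith(suffix.lower()):
            original = path[:-len(suffix)]
            if original and original[-1] not in "\\/":
                return original, suffix
    return None, None


def classify(path):
    """Classify a path as 'note', 'encrypted' or 'other' and recover the original name."""
    original, suffix = _strip_suffix(path, NOTE_SUFFIXES)
    if original is not None:
        return "note", original, suffix
    original, suffix = _strip_suffix(path, ENCRYPTED_EXTENSIONS)
    if original is not None:
        return "encrypted", original, suffix
    return "other", path, None


def build_inventory(paths):
    """Group a flat listing into {original: {"encrypted": path|None, "note": path|None}}."""
    records = {}
    for path in paths:
        kind, original, _suffix = classify(path)
        if kind == "other":
            continue
        records.setdefault(original, {"encrypted": None, "note": None})[kind] = path
    return records


def summarize(records):
    """Split the inventory into complete pairs, encrypted files lacking a note, and orphaned notes."""
    paired = sorted(o for o, r in records.items() if r["encrypted"] and r["note"])
    no_note = sorted(o for o, r in records.items() if r["encrypted"] and not r["note"])
    orphan_notes = sorted(r["note"] for r in records.values() if r["note"] and not r["encrypted"])
    return {"paired": paired, "no_note": no_note, "orphan_notes": orphan_notes}


def contacts_in_note(note_text):
    """Extract e-mail addresses from a note and split them into known and unknown contacts."""
    found = {m.lower() for m in EMAIL_RE.findall(note_text)}
    return sorted(found & KNOWN_CONTACTS), sorted(found - KNOWN_CONTACTS)


def list_tree(root):
    """Yield every file path under root; feed this to build_inventory on a real volume."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            yield os.path.join(dirpath, name)


# Constructed sample listing mirroring the naming patterns described in the thread.
SAMPLE_LISTING = [
    r"C:\Users\Public\Pictures\Sample Pictures\picture.jpg.SecureCrypted",
    r"C:\Users\Public\Pictures\Sample Pictures\picture.jpg.Contact_Here_To_Recover_Your_Files.txt",
    r"C:\Shares\docs\budget.xlsx.unavailable",
    r"C:\Shares\docs\budget.xlsx.Read_Me.Txt",
    r"C:\Shares\docs\report.docx.bleepYourData",
    r"C:\Shares\docs\old.pdf.Where_my_files.txt",
    r"C:\Shares\docs\notes.txt",
]

# One line of the ransom note quoted in the first post.
SAMPLE_NOTE = "The only way to recover your files:  contact us to the next email: recoveryhelp@bk.ru"

if __name__ == "__main__":
    summary = summarize(build_inventory(SAMPLE_LISTING))
    for label, items in summary.items():
        print(f"{label}: {len(items)}")
        for item in items:
            print("   ", item)
    known, unknown = contacts_in_note(SAMPLE_NOTE)
    print("known contacts:", known, "unknown:", unknown)
```

Run it against a mounted volume with `build_inventory(list_tree(r"D:\"))`; the "no_note" and "orphan_notes" buckets are the ones worth a second look, since a note without its encrypted partner usually means the file was already removed or renamed, and an encrypted file without a note is a candidate for a different variant. Keep the inventory output with the case notes before deleting notes or running a decrypter.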


#9 moparjoe


Posted 11 July 2016 - 08:49 AM

My server was infected with the .unavailable version of this. I tried the Emsisoft Decrypter with no luck. I have also submitted an infected file. Thanks for any help.



#10 Demonslay335


Posted 11 July 2016 - 11:16 AM

My server was infected with the .unavailable version of this. I tried the Emsisoft Decrypter with no luck. I have also submitted an infected file. Thanks for any help.

 

Can you find the malware? Fabian will need the malware executable to update the decrypter with. You can scan your computer for suspicious files using HitmanPro and MalwareBytes if your antivirus didn't pick up on it. I believe several samples I've seen in the past were named "firefox.exe".

 

Any malicious files may be submitted here for analysis (please provide an email for contact): http://www.bleepingcomputer.com/submit-malware.php?channel=168

 

Anyone hit by this ransomware may run FRST (instructions here, step #6) and share the log with me via PM to try tracking down the malware files.


Edited by Demonslay335, 20 July 2016 - 06:58 PM.



#11 moparjoe


Posted 11 July 2016 - 11:51 AM

Malwarebytes found a reg key, a folder and some files. None are an exe though.

 

Malwarebytes Anti-Malware
www.malwarebytes.org
 
Scan Date: 7/11/2016
Scan Time: 8:36:53 AM
Logfile: mbar.txt
Administrator: Yes
 
Version: 2.2.1.1043
Malware Database: v2016.07.11.05
Rootkit Database: v2016.05.27.01
License: Trial
Malware Protection: Enabled
Malicious Website Protection: Enabled
Self-protection: Enabled
 
OS: Windows Server 2008 Service Pack 2
CPU: x64
File System: NTFS
User: Administrator
 
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 340368
Time Elapsed: 52 min, 43 sec
 
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled
 
Processes: 0
(No malicious items detected)
 
Modules: 0
(No malicious items detected)
 
Registry Keys: 1
PUP.Optional.MyFreeze, HKLM\SOFTWARE\WOW6432NODE\Freeze.com, Quarantined, [c7faec360a90bd79a1a9c6e76d9623dd], 
 
Registry Values: 0
(No malicious items detected)
 
Registry Data: 0
(No malicious items detected)
 
Folders: 1
PUP.Optional.ASK.Gen, C:\Users\Administrator.BESTSERV1\AppData\Local\Temp\APN-Stub, Quarantined, [645d4ed4fb9f1f175ac6873dcb378779], 
 
Files: 4
PUP.Optional.ASK.Gen, C:\Users\Administrator.BESTSERV1\AppData\Local\Temp\APN-Stub\Stb64f0cf8c-7479-4420-aef5-a92eea0a908e.log.Read_Me.Txt, Quarantined, [645d4ed4fb9f1f175ac6873dcb378779], 
PUP.Optional.ASK.Gen, C:\Users\Administrator.BESTSERV1\AppData\Local\Temp\APN-Stub\Stb64f0cf8c-7479-4420-aef5-a92eea0a908e.log.unavailable, Quarantined, [645d4ed4fb9f1f175ac6873dcb378779], 
PUP.Optional.ASK.Gen, C:\Users\Administrator.BESTSERV1\AppData\Local\Temp\APN-Stub\Stb78d30ecb-9dcb-451c-ad6d-de094ff3ab32.log.Read_Me.Txt, Quarantined, [645d4ed4fb9f1f175ac6873dcb378779], 
PUP.Optional.ASK.Gen, C:\Users\Administrator.BESTSERV1\AppData\Local\Temp\APN-Stub\Stb78d30ecb-9dcb-451c-ad6d-de094ff3ab32.log.unavailable, Quarantined, [645d4ed4fb9f1f175ac6873dcb378779], 
 
Physical Sectors: 0
(No malicious items detected)
 
 
(end)

Edited by moparjoe, 11 July 2016 - 11:54 AM.


#12 quietman7


Posted 11 July 2016 - 05:26 PM

These are some common locations malicious executables hide:
%SystemDrive% (C:\)\<random>.exe
%SystemRoot% (C:\Windows)\<random>.exe
%Temp%\<random>.exe
%AppData%\<random>.exe
%LocalAppData%\<random>.exe
%ProgramData%\<random>.exe
%WinDir%\<random>.exe
Microsoft MVP Consumer Security 2007-2015
Microsoft MVP Reconnect 2016
Windows Insider MVP 2017
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#13 sycero


Posted 19 July 2016 - 11:56 AM

Hi, we also have the .unavailable ransomware with the Read_Me.txt files - I'll try to find a related .exe for you.

 

Is there any progress on this as yet?

 

Steve



#14 Demonslay335


Posted 19 July 2016 - 12:05 PM

We have not found a sample yet. If you can locate the malware, or source of infection, please submit it here: http://www.bleepingcomputer.com/submit-malware.php?channel=168

 

This variant should definitely be decryptable; Fabian just needs the malware to reverse and update the decrypter with.




#15 moparjoe


Posted 19 July 2016 - 12:45 PM

So my company ended up paying the ransom, and they came through. Is there a good way to send the exe they gave me? Not sure if that will help or not.





