TowerWeb Ransomware Help & Support Topic (Payment_Instructions.jpg)


6 replies to this topic

#1 Demonslay335

Posted 23 June 2016 - 12:13 PM

A sample of a new ransomware, dubbed TowerWeb based on the email address the victim is requested to contact, was reported by malware researcher Jack.

 

The background of the infected machine is set to the following image, asking for $100, and to contact the criminals at towerweb@yandex.com. The image is saved to the desktop as "Payment_Instructions.jpg".

 

[screenshot: the Payment_Instructions.jpg ransom image set as the desktop background]

 

Of interesting note, this malware appears to swap the mouse buttons so as to "toy" with the victim. The following command is executed to accomplish this trickery.

RUNDLL32 USER32.DLL,SwapMouseButton

This ransomware is still under analysis. Any updates will be posted here.

 

If you or someone you know has been infected by this ransomware, please post here, and share any samples of encrypted files if possible; preferably Sample Pictures if they were encrypted. Any samples of the malware may be submitted here: http://www.bleepingcomputer.com/submit-malware.php?channel=168


ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]



 


#2 Amigo-A

Posted 23 June 2016 - 05:58 PM

Demonslay335

 

Screenshot rendering:

 
............WRITE THIS INFORMATION DOWN............
Ransom Id: ***
BTC Address: ***
Email: towerweb@yandex.com
IF YOU LOOSE THIS INFO YOU WILL NOT BE ABLE TO CONTACT
............WRITE THIS INFORMATION DOWN............
 
YOU WILL NEED TO USE ANOTHER
DEVICE TO EMAIL US. YOUR
COMPUTER WILL NOT FUNCTION PROPERLY
UNTIL YOU PAY.
 
Your computer files have been encrypted moved to a hidden ENCRYPTED partition in your computer.
You must pay $100 USD within 24 hours or $150 after 24 hours in Bltcoint to get them back.
After 72 hours all files will be deleted including your operating system.
 
If you do not have Bitcoin visit www.LocalBitcoins.com to purchase them.
Email us if you need assistance or have paid.
 
Email: towerweb@yandex.com
 
In the mean time you will notice your computer will not respond to your commands.
Dont worry... everything will be back to normal when you pay.
Once you pay all your files and programs will be decrypted and your computer restored quickly.
Without the decryption password you will not get them back and your computer will not function properly.
Once payment is received you will get the decryption password and simple instructions to restore all
your files and computer to normal instantly. Takes about five minutes to restore everything to normal.
Once again... after 72 hours all files will be deleted including your operating system.
 
Email us if you need assistance or have paid.
Email: towerweb@yandex.com
 
The same information is on your desktop.
DO NOT LOOSE THE CONTACT INFO
 
HINT: IF YOU CANT CLICK ON ANYTHING YOUR
MOUSE BUTTONS HAVE ALREADY BEEN REVERSED.
MORE CHANGES WILL COME UNTIL YOU PAY.

Digest of Crypto-Ransomware's (In Russian) + Google Translate Technology

Anti-Ransomware Project  (In Russian) + Google Translate Technology


#3 Demonslay335

Posted 24 June 2016 - 11:49 AM

Another version of this ransomware has been found with a slightly different image.

 

[screenshot: the second version's ransom image]

 

 

The system will also be continuously rebooted when the malware runs.

 

[screenshot pasted 24 June 2016, 11:16 AM: the Windows shutdown prompt shown while the malware runs]

 

To stop the shutdown, you can simply go to Start -> Run, and execute the following command.

shutdown -a

So far, it seems the ransomware only outright deletes files in the user's profile, %TEMP%, and empties the Recycle Bin. Victims may be able to recover their data using data recovery tools such as Recuva.

 

I do not recommend paying the ransom, as there is no encryption, and they are outright deleting files - they will not give you any type of key or anything to restore your files.

 

Otherwise, the malware is more like a screenlocker, which can be removed with Task Manager and Malwarebytes.


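The two behaviours described in this thread, the rundll32 call to user32!SwapMouseButton in post #1 and the repeated forced restarts in post #3, are both visible in process-creation telemetry (Sysmon Event ID 1 or Windows 4688). The following is an added example, not code from the thread or from any of its posters: it tags command lines for those two indicators, distinguishes them from the "shutdown -a" a defender types to abort the reboot, and looks for a host that issues several forced restarts inside a short window, which is the "continuously rebooted" symptom. The log records, the host names and the dropper path are constructed for the example. The Windows-only remediation helper at the end calls user32!SwapMouseButton(FALSE) directly; rundll32 hands the function a window handle as its first argument, which is why the one-line command in the thread always turns the swap on.

```python
"""Detection of the TowerWeb process tells (mouse-button swap, forced reboot loop).
Added example for the thread above; log records below are constructed."""
import re
import sys
from collections import defaultdict
from datetime import datetime, timedelta

# rundll32 invoking user32!SwapMouseButton, with or without .exe/.dll suffixes or a full path.
MOUSE_SWAP = re.compile(
    r'rundll32(?:\.exe)?\s+"?(?:\S*\\)?user32(?:\.dll)?"?\s*,\s*SwapMouseButton', re.I)
# shutdown(.exe) anywhere in the command line; the flags that follow are parsed below.
SHUTDOWN = re.compile(r'(?:^|[\\\s"])shutdown(?:\.exe)?"?\s*(?P<args>.*)$', re.I)


def classify_command(cmdline):
    """Tag one process command line with 'mouse_swap', 'forced_shutdown' and/or 'shutdown_abort'."""
    tags = set()
    if MOUSE_SWAP.search(cmdline):
        tags.add("mouse_swap")
    m = SHUTDOWN.search(cmdline)
    if m:
        flags = {t[1:].lower() for t in m.group("args").split() if t[0] in "-/" and len(t) > 1}
        if flags & {"r", "s"}:        # restart or shut down the machine
            tags.add("forced_shutdown")
        if "a" in flags:              # the 'shutdown -a' a defender types to abort it
            tags.add("shutdown_abort")
    return tags


def find_reboot_loops(events, window=timedelta(minutes=5), threshold=3):
    """Hosts on which >= threshold forced shutdown/restart commands fall inside one window.
    events: iterable of (iso_timestamp, host, parent_image, command_line)."""
    per_host = defaultdict(list)
    for ts, host, _parent, cmd in events:
        if "forced_shutdown" in classify_command(cmd):
            per_host[host].append(datetime.fromisoformat(ts))
    hits = {}
    for host, times in per_host.items():
        times.sort()
        best, j = 0, 0
        for i in range(len(times)):           # two-pointer sliding window
            while j < len(times) and times[j] - times[i] <= window:
                j += 1
            best = max(best, j - i)
        if best >= threshold:
            hits[host] = best
    return hits


def triage(events):
    """Per host, the (indicator, parent image) pairs seen, so the dropper can be named."""
    report = defaultdict(set)
    for _ts, host, parent, cmd in events:
        for tag in classify_command(cmd):
            report[host].add((tag, parent))
    return {host: sorted(pairs) for host, pairs in report.items()}


def revert_mouse_buttons():
    """Windows-only remediation: user32!SwapMouseButton(FALSE) swaps the buttons back.
    Returns True if the buttons were swapped before the call (the API's own return value)."""
    if sys.platform != "win32":
        raise RuntimeError("user32.SwapMouseButton is only available on Windows")
    import ctypes
    return bool(ctypes.windll.user32.SwapMouseButton(0))


# Constructed Sysmon Event ID 1 style records; hosts and the dropper path are hypothetical.
DROPPER = r"C:\Users\alice\AppData\Local\Temp\payload.exe"
SAMPLE_EVENTS = [
    ("2016-06-24T11:10:02", "WS01", DROPPER, "RUNDLL32 USER32.DLL,SwapMouseButton"),
    ("2016-06-24T11:10:05", "WS01", DROPPER, "shutdown -r -t 60"),
    ("2016-06-24T11:11:10", "WS01", DROPPER, r"C:\Windows\System32\shutdown.exe /r /t 60"),
    ("2016-06-24T11:12:20", "WS01", DROPPER, "shutdown -r -t 60"),
    ("2016-06-24T11:12:45", "WS01", r"C:\Windows\explorer.exe", "shutdown -a"),
    ("2016-06-24T11:30:00", "WS02", r"C:\Windows\explorer.exe", "shutdown /r /t 0"),  # one ordinary reboot
]

if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS))
    print(find_reboot_loops(SAMPLE_EVENTS))
```

Run on the constructed records, WS01 is reported with a mouse swap and a three-restart loop from the same parent image, while WS02's single administrative reboot is tagged but not treated as a loop; the abort from explorer.exe is the "shutdown -a" the thread recommends. Tune the window and threshold to how quickly the malware re-issues the command on the hosts you see.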


#4 Amigo-A

Posted 24 June 2016 - 03:58 PM

Another version of this ransomware has been found with a slightly different image.

 

 

The same in principle. Only ransom has increased.




#5 lars730

Posted 27 June 2016 - 01:40 PM

I had a client get this ransomware on Friday.  They received an email from "Office of the Attorney General" referencing a "complaint filed against your business".  There was a link to the supposed complaint (link said *.pdf, but actually directed to a *.zip).  The return address was compl.dept@outlook.com.  Text of the email included below.

 

My client got the 2nd version posted above ($125 ransom).  I logged in to the local admin profile and didn't get any screen locking, shutdowns, or mouse button swapping.  However, when I logged in to their profile, I immediately got the screen lock image popup (which has a different email address than the saved image as described above.  Still @yandex.com, but a different account name which I have unfortunately forgotten).  When the auto shutdown began, I killed it using the command line again as described above, and also on the advice given, I installed MBAM.  While it was updating, Symantec (which I had not yet disabled) caught a virus and quarantined it.  The screen lock (I had not yet found and killed the process either) disappeared.  The MBAM scan came back with zero hits.  I then installed and ran Recuva, which recovered all the missing files (not many, since this client keeps most files on their server anyway) and everything seems perfectly fine now.

 

So, thanks for posting this, as it kept me from just assuming the worst and doing a reinstall of the OS.  Saved me a bunch of time.  Much appreciated!

 

Email text:
 

From: The Office of The Attorney General <compl.dept@outlook.com>

Subj: The Office of The Attorney General Complaint

Body:

Dear Business Owner:

 

A complaint has been filed against your Business.

Enclosed is a copy of the complaint which requires your response. You have 10 days to file a rebuttal if you so desire.

You may view the complaint at the link below.

complaint376878.pdf

Rebuttals should not exceed 25 pages and may refer to any additional documents or exhibits that are available on request.

The Office of The Attorney General cannot render legal advice nor can The Office of The Attorney General represent individuals or intervene on their behalf in any civil or criminal matter.

Please review the enclosed complaint. If filing a rebuttal please do so during the specified time frame.

Sincerely,

The Office of The Attorney General

---------------------------------------------------------------------
This document and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error, please notify the system manager. This message contains confidential information and is intended only for the individual named. If you are not the named addressee, you should not disseminate, distribute or copy this email.

 

 

I edited the above to remove the link for obvious safety reasons, though I can include it again if needed.  Thanks again!

 

Edit: I don't know if it's worth mentioning, but the above email also made it through a virus scan (it's just text and html MIME types) and Barracuda spam filters.  Also, the IP of the sender (according to the email header) appears to be in Colombia.


Edited by lars730, 27 June 2016 - 01:47 PM.
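The lure lars730 describes has two checkable properties: the link text says ".pdf" while the href serves a ".zip", and an "Office of the Attorney General" writes from an outlook.com mailbox. The following is an added example, not code from the thread or from any poster, showing how a mail-gateway or triage script can flag both from the raw headers and HTML body. The From header is the one quoted in the post; the HTML body and the href (example.invalid) are constructed, since the poster removed the real link.

```python
"""Triage of a phishing lure: link text vs. href extension, and sender domain.
Added example for the thread above; the HTML body and href are constructed."""
import email.utils
import posixpath
from html.parser import HTMLParser
from urllib.parse import urlparse

# Extensions that should never arrive as a "document" link in unsolicited mail.
RISKY_EXT = {".zip", ".rar", ".7z", ".exe", ".scr", ".js", ".jse", ".vbs", ".wsf", ".hta"}
# Consumer webmail domains no government office would send official notices from.
CONSUMER_MAIL = {"outlook.com", "hotmail.com", "gmail.com", "yahoo.com", "yandex.com", "mail.ru"}


class _Anchors(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = (dict(attrs).get("href") or ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html):
    parser = _Anchors()
    parser.feed(html)
    return parser.links


def _ext(name):
    return posixpath.splitext(name)[1].lower()


def check_link(href, text):
    """Reasons a link is suspicious; [] if none."""
    reasons = []
    href_ext = _ext(urlparse(href).path)   # extension of what the URL actually serves
    text_ext = _ext(text)                  # extension the visible text claims
    if text_ext and href_ext and text_ext != href_ext:
        reasons.append(f"text shows {text_ext} but href serves {href_ext}")
    if href_ext in RISKY_EXT:
        reasons.append(f"href downloads a {href_ext} file")
    return reasons


def check_sender(from_header):
    """Flag a display name delivered from a consumer webmail domain."""
    name, addr = email.utils.parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    if domain in CONSUMER_MAIL:
        return [f"sender mailbox is at consumer domain {domain} (display name '{name}')"]
    return []


def triage_email(from_header, html_body):
    """All findings for one message as (kind, subject, reason) triples."""
    findings = [("sender", from_header, r) for r in check_sender(from_header)]
    for href, text in extract_links(html_body):
        findings += [("link", href, r) for r in check_link(href, text)]
    return findings


# From header as quoted in the thread; body and URL are constructed (example.invalid).
SAMPLE_FROM = "The Office of The Attorney General <compl.dept@outlook.com>"
SAMPLE_HTML = """<p>You may view the complaint at the link below.</p>
<p><a href="http://example.invalid/complaint376878.zip">complaint376878.pdf</a></p>
<p><a href="https://example.invalid/policy.pdf">policy.pdf</a></p>"""

if __name__ == "__main__":
    for finding in triage_email(SAMPLE_FROM, SAMPLE_HTML):
        print(*finding, sep=" | ")
```

On the constructed message this yields three findings: the consumer-domain sender, the .pdf/.zip mismatch, and the archive download itself; the honest policy.pdf link produces none. The extension check only looks at the URL path, so a link such as "/download?id=1" passes it and must be judged by the landing page instead.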


#6 Demonslay335

Posted 27 June 2016 - 01:44 PM

@lars730

Glad to hear you were able to recover the data.

 

The other email we've seen it list is "supportfile@yandex.com".




#7 lars730

Posted 27 June 2016 - 01:58 PM

@Demonslay335

 

That's the one!  The image saved on the desktop showed the towerweb address, but the screenlock showed the supportfile address. 

 

Thanks again.  :)





