
problem identifying type of ransomware


10 replies to this topic

#1 mares88
  • Members
  • 5 posts

Posted 30 June 2016 - 03:33 AM

Hi, lately one of my clients was infected with some weird ransomware and it does not have any typical signs (except the .crypt extension).

Symptoms:

- extension *.crypt

- name syntax: filename.pdf = filename.pdf.id-84E83191.{payfornature@india.com}.crypt

- most file types encrypted

- no ransom note in browser or anywhere else on the PC

- all programs installed before the infection are blocked ("not enough privileges" to run), incl. Task Manager and explorer.exe

- can install new software without any problems, though

- infection happened around 21.5.2016

- file size is slightly different between the encrypted and the non-encrypted file...

 

When I sent an email to the address from the file name (payfornature@india.com), I received the following answer:

 

--------------------

Ola!

Your files are encrypted because you don't give enough attention to the safety of your system.

To decrypt your data, you need to pay us. After payment we will send you the encoder.

We are not liars or cheaters. You pay - we help. 

The more time you wait before you pay = the more expensive price. It's simple. Be reasonable.

Now the price is 3 BTC. After 24 hours, the price will grow to 5 BTC.

https://localbitcoins.com/faq
Bitcoins buys here https://localbitcoins.com/ 
Our purse 1Na3GVsnSwxVSDhcd8WWrvdyqTGPodYJfk

------------------------

 

 

 

I provide an encrypted and a non-encrypted file here: https://www.sendspace.com/filegroup/V0MTNSjQTO80LYXaxuZM9A

Thanks for any help identifying this ransomware; no decryptor I tried has worked so far...


Edited by mares88, 30 June 2016 - 03:52 AM.



#2 quietman7
    Bleepin' Janitor
  • Global Moderator
  • 51,953 posts
  • Location:Virginia, USA

Posted 30 June 2016 - 05:09 AM

Any files that are encrypted with the original CryptXXX Ransomware will have the .crypt extension appended to the end of the encrypted data filename. Any files that are encrypted with CryptXXX 2.x will also have the .crypt extension appended to the end of the encrypted data filename. Any files that are encrypted with CryptXXX 3.x will have the .cryp1, .crypz or a random 5 hexadecimal character extension (i.e. .AC0D4, .DA3D1, .73E61, .EF538) appended to the end of the encrypted data filename as explained here.

The original CryptXXX will leave files (ransom notes) named de_crypt_readme.txt, de_crypt_readme.html, de_crypt_readme.bmp, de_crypt_readme.png. CryptXXX 2.x/3.x variants will leave unique Personal ID files using random 12 hexadecimal characters with names like <id-number>.html, <id-number>.txt, <id-number>.bmp (i.e. S45CC72F3463.txt, !4AD604B8AE89.txt), !Recovery_<id-number>.html, !Recovery_<id-number>.txt, !Recovery_<id-number>.bmp (i.e. !Recovery_4582C8FAEB15.txt). The newest version of CryptXXX 3.x will have ransom notes with names like @[id-number].txt, @[id-number].bmp, @[id-number].html (i.e. 14AC2EF20B23.txt).

Chimera Ransomware also appends a .crypt extension but Chimera leaves a ransom note named YOUR_FILES_ARE_ENCRYPTED.HTML. Based on infection rates we see, it is most likely you are dealing with a CryptXXX variant.

You can submit samples of encrypted files and ransom notes to ID Ransomware for assistance with identification and confirmation.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
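The naming rules quietman7 lists above (extension per CryptXXX generation, the ransom-note file names each family drops, Chimera's single note) are exactly the kind of thing worth turning into a script when you are looking at a client's file listing. The following is an added example, not code from the thread or from ID Ransomware: it classifies file names by those rules and flags the `name.id-<8 hex>.{<email>}.crypt` form the original poster reported, which the thread does not attribute to any named family. The sample listings are constructed; the regexes and the "undetermined when there is no note" verdict are this example's own choices.

```python
import re
from collections import Counter

# Added triage helper (not from the thread). It encodes the naming rules quoted
# in the post above: .crypt for CryptXXX 1.x/2.x and Chimera, .cryp1/.crypz or a
# random 5-hex extension for CryptXXX 3.x, and the ransom-note names each family
# drops. The "name.id-<8 hex>.{<email>}.crypt" form is what the original poster
# reported; the thread does not attribute it to a family, so it is only flagged.

HEX5_EXT = re.compile(r"\.[0-9A-Fa-f]{5}$")
CONTACT_CRYPT = re.compile(
    r"^(?P<orig>.+)\.id-(?P<id>[0-9A-Fa-f]{8})\.\{(?P<email>[^{}]+)\}\.crypt$", re.I
)

# Ransom-note file names, most specific first. A note is far stronger evidence
# than an extension, so notes are matched before extensions.
NOTE_PATTERNS = [
    (re.compile(r"^de_crypt_readme\.(txt|html|bmp|png)$", re.I), "CryptXXX 1.x note"),
    (re.compile(r"^@[0-9A-F]{12}\.(txt|bmp|html)$", re.I), "CryptXXX 3.x (newest) note"),
    (re.compile(r"^!Recovery_[0-9A-F]{12}\.(txt|html|bmp)$", re.I), "CryptXXX 2.x/3.x note"),
    (re.compile(r"^!?[0-9A-F]{12}\.(txt|html|bmp)$", re.I), "CryptXXX 2.x/3.x note"),
    (re.compile(r"^YOUR_FILES_ARE_ENCRYPTED\.HTML$", re.I), "Chimera note"),
]


def classify_name(path):
    """Triage one path. Returns kind ('note' / 'encrypted' / 'other'), the family
    hint the name suggests, and any indicators embedded in the name."""
    base = re.split(r"[\\/]", path)[-1]
    rec = {"name": base, "kind": "other", "hint": None, "indicators": {}}
    for pat, label in NOTE_PATTERNS:
        if pat.match(base):
            rec.update(kind="note", hint=label)
            return rec
    m = CONTACT_CRYPT.match(base)
    if m:
        rec.update(kind="encrypted",
                   hint=".crypt with id/contact in name (family not confirmed in thread)",
                   indicators={"victim_id": m["id"].upper(), "contact": m["email"]})
        return rec
    low = base.lower()
    if low.endswith(".crypt"):
        rec.update(kind="encrypted", hint="CryptXXX 1.x/2.x or Chimera (decide by note)")
    elif low.endswith((".cryp1", ".crypz")) or HEX5_EXT.search(base):
        # A 5-hex extension is weak evidence on its own (e.g. "file.beef1" is
        # legitimate hex); confirm with a ransom note before trusting it.
        rec.update(kind="encrypted", hint="CryptXXX 3.x")
    return rec


def triage(paths):
    """Summarise a listing: counts, indicators, and a verdict. With encrypted
    files but no note the verdict is deliberately 'undetermined', which is the
    situation the original poster describes."""
    records = [classify_name(p) for p in paths]
    notes = [r for r in records if r["kind"] == "note"]
    enc = [r for r in records if r["kind"] == "encrypted"]
    note_hints = Counter(r["hint"] for r in notes)
    contacts = sorted({r["indicators"]["contact"] for r in enc if "contact" in r["indicators"]})
    ids = sorted({r["indicators"]["victim_id"] for r in enc if "victim_id" in r["indicators"]})
    if note_hints:
        verdict = note_hints.most_common(1)[0][0]
    elif enc:
        verdict = "undetermined: encrypted files but no ransom note; submit samples to ID Ransomware"
    else:
        verdict = "no ransomware indicators in listing"
    return {"encrypted": len(enc), "notes": len(notes),
            "contacts": contacts, "victim_ids": ids, "verdict": verdict}


# Constructed sample listings (only the naming pattern is taken from the thread).
SAMPLE_LISTING = [
    r"C:\Users\client\Documents\invoice.pdf.id-84E83191.{payfornature@india.com}.crypt",
    r"C:\Users\client\Documents\photo.jpg.id-84E83191.{payfornature@india.com}.crypt",
    r"C:\Users\client\Documents\notes.txt",
]
SAMPLE_CRYPTXXX1 = ["budget.xlsx.crypt", "de_crypt_readme.txt", "de_crypt_readme.html"]
SAMPLE_CRYPTXXX3 = ["budget.xlsx.DA3D1", "@14AC2EF20B23.txt"]

if __name__ == "__main__":
    for listing in (SAMPLE_LISTING, SAMPLE_CRYPTXXX1, SAMPLE_CRYPTXXX3):
        print(triage(listing))
```

Run it over a recursive directory listing of the affected machine. The useful property is the order of evidence: a ransom-note name decides the verdict, an extension alone does not, and a listing like the original poster's (encrypted files, a contact address in every name, no note anywhere) comes back "undetermined" rather than being forced into CryptXXX or Chimera, which is the point cybercynic makes below.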

#3 mares88
  • Topic Starter
  • Members
  • 5 posts

Posted 30 June 2016 - 10:28 AM

Hi, and thanks for your reply.

I am aware it should most likely be CryptXXX <3.0 or Chimera... I already used that ID tool you linked (same answer)... But as I said, I have no notes demanding ransom of any kind - you simply have to write an email to the address provided in the file extension.

Since the Kaspersky decryptors are not working on this kind (classic error "file size does not match"), it should most likely be Chimera... Is there any other way to analyze what version I am infected with?

Is that blocking of explorer.exe etc. normal? Does it happen to common ransomware victims? (MBAM etc. scans seem clean.)



#4 cybercynic
  • Members
  • 560 posts
  • Location:Edge Of Tomorrow

Posted 30 June 2016 - 11:56 AM

With that ID and email address, it looks like it could be something else. More than one ransomware has the .crypt extension, and without a ransom note it might be difficult to tell.

I would upload an encrypted and original file here for analysis: http://www.bleepingcomputer.com/submit-malware.php?channel=3

Of course, I could be all wet - I'm used to it; it won't be the first time.


Edited by cybercynic, 30 June 2016 - 11:58 AM.

We are drowning in information - and starving for wisdom.


#5 quietman7
    Bleepin' Janitor
  • Global Moderator
  • 51,953 posts
  • Location:Virginia, USA

Posted 30 June 2016 - 03:14 PM

If ID Ransomware could not fully identify the infection, you can post the case SHA1 it gives you in your next reply for Demonslay335 to manually inspect the files.

#6 mares88
  • Topic Starter
  • Members
  • 5 posts

Posted 01 July 2016 - 05:41 AM

Hi, can you be more specific about "case SHA1"? What exactly do you mean?

Thanks for all the replies so far.

Once again: is it common that ransomware blocks Explorer (can't open any folder) and Task Manager, Event Viewer, msconfig etc.... returns a "not enough privileges" error?


Edited by mares88, 01 July 2016 - 05:44 AM.


#7 quietman7
    Bleepin' Janitor
  • Global Moderator
  • 51,953 posts
  • Location:Virginia, USA

Posted 01 July 2016 - 05:51 AM

In cryptography, SHA-1 (Secure Hash Algorithm 1) is a cryptographic hash function...SHA-1 produces a 160-bit (20-byte) hash value known as a message digest. A SHA-1 hash value is typically rendered as a hexadecimal number, 40 digits long.

About SHA-1

ID Ransomware should provide a case SHA1 that Demonslay335 can use to manually inspect the files.

#8 mares88
  • Topic Starter
  • Members
  • 5 posts

Posted 01 July 2016 - 06:28 AM

Alright....

as follows

hex: 9610444f6faa017186d2ad954e724e55bd504cf0

HEX: 9610444F6FAA017186D2AD954E724E55BD504CF0

h:e:x: 96:10:44:4f:6f:aa:01:71:86:d2:ad:95:4e:72:4e:55:bd:50:4c:f0

base64: lhBET2+qAXGG0q2VTnJOVb1QTPA=

of this file

https://www.sendspace.com/file/uu5uar



#9 Demonslay335
    Ransomware Hunter
  • Security Colleague
  • 3,581 posts
  • Location:USA

Posted 01 July 2016 - 09:40 AM

The Case SHA1 is an identifier ID Ransomware gives you so that I can match your case in my web panel. It's a SHA1 hash of the actual case number (randomly generated for each upload), so you can provide that to me without allowing people to guess your case or try to grab files from the server (permissions deny it anyways, but it's just another layer of security). :)

 

[screenshot attachment: 2016-07-01_0936.png]

 

I'll have to dig, but I'm pretty sure this is a kit of some sort we've seen with different email addresses. I'll take a look later today.


ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.
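Three posts above touch the same mechanics: quietman7's description of SHA-1 as a 160-bit digest written as 40 hex digits (#7), the four renderings of one digest that mares88 posted for a file (#8), and Demonslay335's explanation that the Case SHA1 is SHA-1 over a randomly generated case number, so it can be posted publicly without letting anyone guess the case (#9). The following is an added example, not ID Ransomware's code or anything from the thread: it computes a digest in the four renderings, normalises any of them back to a canonical form so two renderings can be compared, and models the case-handle scheme as described (the 128-bit random case number and `secrets.token_hex` are this example's assumptions). Note that what mares88 posted in #8 is the digest of the uploaded file itself, which is a different value from a Case SHA1.

```python
import base64
import binascii
import hashlib
import re
import secrets

# Added example (not ID Ransomware's code). It models the scheme described in
# the post above: the Case SHA1 is SHA-1 over a randomly generated case number.
# The four renderings are the ones posted earlier in the thread for a file hash.


def sha1_forms(data):
    """SHA-1 of raw bytes in the four renderings seen in this thread."""
    d = hashlib.sha1(data).digest()          # 20 bytes = 160 bits
    return {
        "hex": d.hex(),                      # 40 lowercase hex digits
        "HEX": d.hex().upper(),
        "colon": ":".join(f"{b:02x}" for b in d),
        "base64": base64.b64encode(d).decode("ascii"),
    }


def normalize_sha1(text):
    """Accept any of the four renderings and return lowercase hex, so a digest
    posted in one form can be compared with one computed locally."""
    t = text.strip()
    if re.fullmatch(r"[0-9A-Fa-f]{40}", t):
        return t.lower()
    if re.fullmatch(r"(?:[0-9A-Fa-f]{2}:){19}[0-9A-Fa-f]{2}", t):
        return t.replace(":", "").lower()
    try:
        raw = base64.b64decode(t, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError(f"not a SHA-1 rendering: {text!r}") from exc
    if len(raw) != 20:
        raise ValueError(f"decoded to {len(raw)} bytes, expected 20")
    return raw.hex()


def same_digest(a, b):
    """True when two renderings denote the same SHA-1 value."""
    return normalize_sha1(a) == normalize_sha1(b)


def case_sha1(case_number):
    """The public handle for a case: SHA-1 of the (secret, random) case number.
    Preimage resistance means the handle does not reveal the number, and because
    the number is random (128 bits in this model) it cannot be enumerated."""
    return hashlib.sha1(case_number.encode("ascii")).hexdigest()


def new_case():
    """Assumed model of case creation: a random case number plus its handle."""
    case_number = secrets.token_hex(16)      # 32 hex chars, 128 bits of entropy
    return case_number, case_sha1(case_number)


if __name__ == "__main__":
    # Constructed sample bytes standing in for an uploaded encrypted file.
    sample = b"constructed sample, not the poster's file"
    for form, value in sha1_forms(sample).items():
        print(f"{form:>6}: {value}")
    number, handle = new_case()
    print("case number (keep private):", number)
    print("Case SHA1 (safe to post):  ", handle)
```

Two practical points follow from the code. First, the hex, HEX, colon-separated and base64 strings in #8 are one value written four ways, so a responder only needs one of them; `normalize_sha1` lets you check that a digest someone pasted matches the file you actually received. Second, SHA-1's known collision weakness is irrelevant to a handle like the Case SHA1: nobody benefits from finding a second case number with the same hash, and what protects the case is the randomness of the number, not the choice of hash.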


#10 mares88
  • Topic Starter
  • Members
  • 5 posts

Posted 24 July 2016 - 06:03 AM

Hi, sorry for the late response - I can't give you the SHA1 case since your tool seems to identify it as CryptXXX <3.0 or Chimera, therefore it won't pop up the "unable to determine"...

Did you find something useful?



#11 SunPride
  • Members
  • 12 posts

Posted 08 August 2016 - 06:40 AM

Has anyone been able to decrypt this ransomware?





