ACCDFISA v2.0 Ransomware Support Topic - filename(!! to get password email id *id* to *email* !!).exe/.rar


224 replies to this topic

#1 NWehrli


Posted 05 June 2016 - 03:04 PM

Help me please

Edited by quietman7, 05 October 2016 - 07:12 PM.
Moved from Virus, trojan, etc. logs to Ransomware support



#2 TheTripleDeuce


Posted 05 June 2016 - 04:02 PM

We're going to need a little more information as to what the situation is.



#3 NWehrli


Posted 05 June 2016 - 04:06 PM

Hello, my files were renamed to name.ext(!! to get password email id 1310822015 to xxxx@gmail.com !!).exe.

No backup is available and all the information is lost. Thanks



#4 TheTripleDeuce


Posted 05 June 2016 - 04:38 PM

Go here to upload a ransom note and/or a sample encrypted file to identify the ransomware that has encrypted your data:

https://id-ransomware.malwarehunterteam.com/

Post the results here.



#5 quietman7


Posted 05 June 2016 - 04:43 PM

Did you find any ransom note? These infections are created to alert victims that their data has been encrypted and demand a ransom payment. They typically are found in every directory where data was encrypted. Check your documents folder for an image the malware typically uses for the background note. Check the C:\ProgramData (or C:\Documents and Settings\All Users\Application Data) for a randomly named .html, .txt, .png, .bmp, .url file. Most ransomware will also drop a ransom note in every affected folder as well.

These are some examples of ransom note names:
HELP_DECRYPT.TXT, DECRYPT_INSTRUCTION.TXT, HELP_TO_DECRYPT_YOUR_FILES.txt, HELP_YOUR_FILES.TXT
HELP_FILE_[random number/letter].HTML, install_tor.url, ATTENTION.RTF, !!!-WARNING-!!!.html
READ_IF_YOU_WANT_YOUR_FILES.html, README_FOR_DECRYPT.txt, READ!!!!!!!!!!.ME.txt, README!!.TXT
ReadMe.txt, Read.txt, Read_it.txt, READ_IT.txt, README1.txt-README10.txt, README_IMPORTANT.TXT
IMPORTANT READ ME.txt, File Decrypt Help.html, ReadDecryptFilesHere.txt, Coin.Locker.txt
YOUR_FILES.HTML, YOUR_FILES.url, encryptor_raas_readme_liesmich.txt, Help_Decrypt.txt, CRIPTOSO.KEY
HELP_RESTORE_FILES.txt, HELP_RECOVER_FILES.txt, HELP_TO_SAVE_FILES.txt, ABOUT_FILES!.txt
HOW_TO_DECRYPT_FILES.TXT, HOW TO DECRYPT FILES.TXT, RECOVERY_KEY.TXT, READ TO DECRYPTIONS_.txt
_secret_code.txt, DECRYPT_ReadMe.TXT, BLEEPEDFILES.TXT, AllFilesAreLocked_.bmp, WHAT IS SQ_.txt
FILESAREGONE.TXT, IAMREADYTOPAY.TXT, HELLOTHERE.TXT, READTHISNOW!!!.TXT, IHAVEYOURSECRET.KEY
SECRET.KEY, SECRETIDHERE.KEY, HELP_DECYPRT_YOUR_FILES.HTML, README_DECRYPT_UMBRE_ID_[victim_id].txt
help_decrypt_your_files.html, RECOVERY_FILES.TXT, RECOVERY_FILE.TXT, RECOVERY_FILE_[random].txt
Howto_RESTORE_FILES_.txt, Howto_Restore_FILES.TXT, howto_recover_file_.txt, HELP_TO_SAVE_FILES.txt
how_recover+[random].txt, _how_recover_.txt, restore_files_.txt, recover_file_[random].txt
recover_files_[random].txt, recovery_file_[random].txt, help_recover_instructions+[3-random].txt
_H_e_l_p_RECOVER_INSTRUCTIONS+[3-random].txt, help recover files.txt, Recovery+[5-random].txt
_ReCoVeRy_+[5-random].txt, _recovery_+cryptolocker, Recovery_[5-random].txt, RECOVERY.TXT 
RECOVER+[random].TXT, RECOVER[5-random].TXT, _rEcOvEr_[5-random].txt, +REcovER+[5-random]+.txt
+-HELP-RECOVER-+[5-random]-+.txt, {RecOveR}-[5-random]__.txt, -!RecOveR!-[5-random]++.txt, 
-!recover!-!file!-.txt, How_To_Recover_Files.txt, How_To_Restore_Files.txt, HOW_TO_RESTORE_FILES.txt
DECRYPTION_HOWTO.Notepad, Encrypted_Files.Notepad, _DECRYPT_INFO_[random].html, DECRYPT.TXT
WHATHAPPENDTOYOURFILES.TXT, DecryptAllFiles_.txt, DecryptAllFiles.txt, README_FOR_UNLOCK.txt
HELP_YOUR_FILES.HTML, HELP_YOUR_FILES.TXT, YOUR_FILES_ARE_LOCKED.txt, Readme.txt, MENSAGEM.txt
Comment débloquer mes fichiers .txt (How to unlock my files.txt), HELP_DECRYPT_YOUR_FILES.HTML
HOW_TO_DECRYPT_FILES.HTML, HELP_FOR_DECRYPT_FILE.HTML, README_HOW_TO_UNLOCK.txt, encryped_list.txt
de_crypt_readme.txt, !(hex-id).html, !Recovery_<id-number>.html, _Locky_recover_instructions.txt
Read Me (How Decrypt) !!!!.txt, [infction date]-INFECTION.TXT, enigma.hta, enigma_encr.txt
YOUR_FILES_ARE_ENCRYPTED.TXT, READ_IT.txt, READ_THIS_TO_DECRYPT.html, Decrypt All Files akaibvn.txt 
UNLOCK_FILES_INSTRUCTIONS.html, _HELP_INSTRUCTIONS.txt, DECRYPT_INSTRUCTIONS.TXT, Help Decrypt.html
LEGGI QUESTO FILE.txt, UNLOCK_FILES_README.txt, How_to_decrypt_your_data.txt, READ_THIS_FILE.txt
readthis.txt, How to decrypt files.html, DECRYPT MY FILES#.txt, Hacked.txt, YourID.txt

Note: The [random] represents random characters which some ransom notes names may include.
You can submit samples of encrypted files and ransom notes to ID Ransomware for assistance with possible identification and confirmation. If ID Ransomware cannot identify the infection, you can post the case SHA1 it gives you in your next reply for Demonslay335 to manually inspect the files.

Samples of any encrypted files, ransom notes or suspicious executables (installer, malicious files, attachments) that you suspect were involved in causing the infection can be submitted here (http://www.bleepingcomputer.com/submit-malware.php?channel=168) with a link to this topic. Doing that will be helpful with analyzing and investigating by our crypto experts.
Microsoft MVP Consumer Security 2007-2015
Microsoft MVP Reconnect 2016
Windows Insider MVP 2017
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click here.

#6 NWehrli


Posted 05 June 2016 - 05:33 PM

The message of the txt is:

All your files encrypted.

To decrypt email id: 1310822015 to allhelp16@gmail.com



#7 Demonslay335


Posted 06 June 2016 - 01:21 AM

I will try taking a look at this soon. I've seen several submissions similar to this lately.

A sample of the malware will definitely help for analysis, as well as a pair of files (before and after encryption) for comparison. You may submit them to the link quietman7 posted above.

ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.


#8 Demonslay335


Posted 06 June 2016 - 12:03 PM

Looking at the encrypted files, it seems the ransomware uses WinRAR to compress the files with a password into an SFX (self-extracting) package. There isn't anything further I can analyse without the malware sample to see if there is a weakness in the keygen.




#9 dbonino


Posted 06 June 2016 - 07:54 PM

Hello to all! A friend's computer was infected with a ransomware that I cannot identify so far. All the files in his My Documents folder are compressed in auto-executable format. All the files show the WinRAR icon and the file names are appended with this legend:

!! to get password email id 1449462382 to allhelp16@gmail.com !!

that is, filename.fileextension(!! to get password email id 1449462382 to allhelp16@gmail.com !!).exe

I couldn't identify the ransomware by uploading the compressed file to the ID Ransomware web site, and I couldn't find a ransom letter that I could upload either.

Could anyone help me with this problem?

The PC's OS is Windows 2008 R2 Standard.

Thanks to all there!



#10 TheTripleDeuce


Posted 06 June 2016 - 07:56 PM

Go to this link, it looks very similar: http://www.bleepingcomputer.com/forums/t/616436/infected-with-to-get-password-email-id-virus-xxxxx/



#11 quietman7


Posted 06 June 2016 - 08:07 PM

Go to this link, it looks very similar: http://www.bleepingcomputer.com/forums/t/616436/infected-with-to-get-password-email-id-virus-xxxxx/

I have merged the topics to avoid confusion.

#12 Demonslay335


Posted 06 June 2016 - 08:08 PM

There should be a ransom note by the name of "howtodecryptaesfiles.txt" and possibly "howtodecryptaesfiles2.txt".

I've just acquired a sample, albeit with a different email address (everything else matches though). I'm currently analyzing it now, getting a bit of information from it.

I think it is using a 27-character password on the archives, so there is no chance at brute-forcing it. Still looking into how the key is generated and used.

I am seeing signs that it might tamper with your RDP port and service; I would disconnect the system from the internet and double-check your RDS settings before letting the server remain running.

It also modifies several registry keys for crash reporting and the like.


Edited by Demonslay335, 06 June 2016 - 08:10 PM.

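An added triage script, not from this topic or any of its posters, that a responder can run over an affected share: it finds files carrying the rename suffix reported in posts #3 and #9, pulls the id and contact address out of each name, flags the ones whose bytes look like the WinRAR SFX described in post #8 (a PE stub with a RAR archive appended), and lists the howtodecryptaesfiles*.txt notes named in post #12. The sample tree it builds is constructed for the demo, reusing the id and redacted address quoted in post #3; that a WinRAR SFX carries the standard RAR 4/5 marker is an assumption about this sample.

```python
import os
import re
import tempfile

# Suffix appended to each victim file, as reported in this topic: name.ext(!! to get password email id <id> to <email> !!).exe or .rar
RENAME_RE = re.compile(
    r"^(?P<orig>.+)\(!! to get password email id (?P<vid>\d+) to (?P<email>[^\s)]+) !!\)\.(?:exe|rar)$",
    re.IGNORECASE)
# Ransom note file names Demonslay335 gives in this topic.
NOTE_NAMES = {"howtodecryptaesfiles.txt", "howtodecryptaesfiles2.txt"}
# RAR 4.x and RAR 5.x archive markers. A WinRAR SFX is a PE executable ("MZ") with the
# archive appended, so the marker sits after the stub rather than at offset 0 (assumption).
RAR_MARKERS = (b"Rar!\x1a\x07\x00", b"Rar!\x1a\x07\x01\x00")

def looks_like_rar_sfx(path, max_bytes=8 * 1024 * 1024):
    """True if the file starts like a PE image and carries a RAR marker in its first max_bytes."""
    with open(path, "rb") as f:
        data = f.read(max_bytes)
    return data[:2] == b"MZ" and any(marker in data for marker in RAR_MARKERS)

def triage(root):
    """Walk root; return (renamed_files, ransom_notes) for a responder to act on."""
    renamed, notes = [], []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.lower() in NOTE_NAMES:
                notes.append(path)
                continue
            m = RENAME_RE.match(name)
            if m:
                renamed.append({"path": path, "original_name": m["orig"], "victim_id": m["vid"],
                                "email": m["email"], "rar_sfx": looks_like_rar_sfx(path)})
    return renamed, notes

def build_sample_tree(base):
    """Constructed sample data: one fake SFX (PE stub + RAR marker), one ransom note, one clean file."""
    docs = os.path.join(base, "Documents")
    os.makedirs(docs, exist_ok=True)
    sfx = "report.docx(!! to get password email id 1310822015 to xxxx@gmail.com !!).exe"
    with open(os.path.join(docs, sfx), "wb") as f:
        f.write(b"MZ" + b"\x00" * 62 + RAR_MARKERS[0] + b"<constructed archive body>")
    with open(os.path.join(docs, "howtodecryptaesfiles.txt"), "w") as f:
        f.write("All your files encrypted.\n")
    with open(os.path.join(docs, "untouched.txt"), "w") as f:
        f.write("not affected\n")

def run_demo():
    base = tempfile.mkdtemp(prefix="accdfisa-triage-")  # constructed tree in a temp dir
    build_sample_tree(base)
    return triage(base)
```

Point `triage()` at a real share instead of `run_demo()` to get the list of renamed files and notes; the `rar_sfx` flag separates files the malware repackaged from ones that merely picked up the name.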


#13 H0unter


Posted 06 June 2016 - 10:49 PM

Thank you bro!



#14 NWehrli


Posted 07 June 2016 - 06:13 AM

Thank you. It is very difficult to restore; the virus deleted all the backups on the disk and deleted the shadow copies of the disk. If the case is resolved my client will donate some US$ to the page.

I hope that you obtain the keys to open the files. Thank you very much (sorry for my English, it is not my language).



#15 Joa0011


Posted 07 June 2016 - 02:47 PM

I have a system with this ransomware; looking on the internet, it seems that it's very similar to this: https://blog.cylance.com/cracking-ransomware#. I've spotted a few differences with my client's case: the random values in \ProgramData\svcfnmainstvestvs\stppthmainfv.dll are all numbers, and they don't look random.

Let me know if you need more information.





