

Help needed unknown ransomware or cryptoware


7 replies to this topic

#1 jgorman


Posted 05 July 2016 - 03:27 PM

Hi all, 

Any help would be greatly appreciated

I tried ID Ransomware - false positive - .JobCrypter 

Trend Micro - Ransomware File Decryptor sees it as XORIST or XORBAT but when comparing files it says they aren't the same files

 

This is the content of the readme.txt file on my desktop:

 

Ваша Європа і Євросоюз знищив нашу країну,  за це Ви будете платите.Ми вибиватимемо з Вас гроші, будь-якими доступними для нас способами.За 5 BTC, ми повернемо Вам доступ до файлів, переведення зробити на гаманець(19g4a6ozdyamyrnduc6lzktslbu68717hj). Ключ можете отримати заплативши нам і повідомити про оплату наopir@ua.fm, center.org.dep@gmail.com
 

It translates from Ukrainian to English as this:

 

Your Europe and the European Union destroyed our country, for this you will have platyte.My vybyvatymemo of money, any available for us sposobamy.Za 5 BTC, we will refund you access to files transfer done on the wallet (19g4a6ozdyamyrnduc6lzktslbu68717hj). The key can get paid to us and report the payment наopir@ua.fm, center.org.dep@gmail.com

 

 

I believe I may have stopped it before it finished. I found an exe file, a log file, and, according to the log, the 2 encryption keys.

It did NOT change any of the file extensions.

 

https://www.dropbox.com/sh/bw0sg7uhcmhl6g9/AACZtMBCyhK0rHshZBhPLHvqa?dl=0




 


#2 Amigo-A


Posted 05 July 2016 - 03:36 PM

Ми вибиватимемо з Вас гроші,
>>
correct:
Ми вибиватимо з Вас гроші,
>>
translated:
We knock of your money,
 
--------
будь-якими доступними для нас способами
>>
translated:
by any means available to us the methods.

Edited by Amigo-A, 05 July 2016 - 03:44 PM.

My projects: Digest "Crypto-Ransomwares" + Anti-Ransomware Project (In Russian) + Google Translate Technology

Have you been attacked by a Ransomware? Report here. Do you know Russian? Write to me in Russian. I will help.


#3 Demonslay335

Ransomware Hunter

Posted 05 July 2016 - 03:41 PM

The "original" file you shared is not a valid Word file.

 

This seems familiar, and the exe is definitely picked up by AV on VirusTotal as a ransomware of some sort. There was recently a ransomware that I saw dumps a log of what it is doing exactly, but I don't remember what it was...


ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.


#4 Amigo-A


Posted 05 July 2016 - 03:47 PM

Quote (Demonslay335):
    but I don't remember what it was...

 

Bucbi Ransomware from the Ukrainian radicals (the bandits)

http://researchcenter.paloaltonetworks.com/2016/05/unit42-bucbi-ransomware-is-back-with-a-ukrainian-makeover/


Edited by Amigo-A, 05 July 2016 - 03:56 PM.



#5 cybercynic


Posted 05 July 2016 - 03:56 PM

Quote (Demonslay335):
    The "original" file you shared is not a valid Word file.

    This seems familiar, and the exe is definitely picked up by AV on VirusTotal as a ransomware of some sort. There was recently a ransomware that I saw dumps a log of what it is doing exactly, but I don't remember what it was...

It is, if you delete the .original extension.


We are drowning in information - and starving for wisdom.


#6 Demonslay335

Ransomware Hunter

Posted 05 July 2016 - 04:23 PM

@cybercynic

 

I was looking at it in a hex editor, but you are right, it is valid actually. I was expecting the header of a .docx instead of a .doc. :P

 

@Amigo-A

Thanks for the information. That is the one I was thinking of - it slightly missed my radar and permanent memory since there is no way to really reliably identify it from an ID Ransomware standpoint.

Quote:
    Researchers also observed that the malware includes a decryption routine, which can be used with a simple binary modification to decrypt files, although the malware never calls for the routine. This routine could be used by victims to recover their files without paying the ransom, researchers say.

 

I find this statement interesting. I'm afraid doing such a modification is above my skill set currently, otherwise I'd give it a try. I kind of hate when a company says something like that but has no PoC to stand behind it...


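Demonslay335's check above (looking at the file header in a hex editor, and expecting a .docx signature where a .doc one was present) can be scripted. The example below is added here and is not code from the thread or any of the tools mentioned: it classifies a file by its leading bytes (OLE2 compound file for legacy .doc, ZIP for .docx), ignores the ".original" suffix cybercynic points out, and compares an untouched copy against the suspected-encrypted copy. It generalises slightly beyond the thread by also covering .xls/.ppt and .xlsx/.pptx, which share those two container formats; the sample bytes in the main block are constructed.

```python
OLE2_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"  # legacy .doc/.xls/.ppt (OLE2 compound file)
ZIP_MAGIC = b"PK\x03\x04"                          # .docx/.xlsx/.pptx (OOXML is a ZIP archive)


def classify_header(data: bytes) -> str:
    """Return 'ole2', 'zip' or 'unknown' from the leading bytes of a file."""
    if data.startswith(OLE2_MAGIC):
        return "ole2"
    if data.startswith(ZIP_MAGIC):
        return "zip"
    return "unknown"


def expected_for_name(name: str) -> str:
    """Header a well-formed file with this name should carry; a trailing
    '.original' (the thread's suffix for the untouched copy) is ignored."""
    base = name.lower()
    if base.endswith(".original"):
        base = base[: -len(".original")]
    ext = base.rsplit(".", 1)[-1] if "." in base else ""
    if ext in ("doc", "xls", "ppt"):
        return "ole2"
    if ext in ("docx", "xlsx", "pptx"):
        return "zip"
    return "unknown"


def triage_pair(name: str, original: bytes, suspect: bytes) -> dict:
    """Compare the untouched copy with the suspected-encrypted copy of one file."""
    orig_kind = classify_header(original)
    susp_kind = classify_header(suspect)
    return {
        "original_kind": orig_kind,
        "suspect_kind": susp_kind,
        # True when the original really is what its name claims (a valid Word file)
        "name_matches_header": orig_kind == expected_for_name(name),
        # True when a recognisable header was present before and is gone now
        "header_destroyed": orig_kind != "unknown" and susp_kind == "unknown",
        # unchanged size hints that the body was encrypted in place
        "same_length": len(original) == len(suspect),
    }


if __name__ == "__main__":
    # Constructed sample bytes, not files from the thread.
    clean_doc = OLE2_MAGIC + bytes(range(24))
    garbled = bytes(b ^ 0x5A for b in clean_doc)  # stand-in for an encrypted copy
    print(triage_pair("letter.doc.original", clean_doc, garbled))
```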


#7 jgorman


Posted 05 July 2016 - 06:29 PM

Thank you for the info, next question...

Do either of the random-named files I uploaded look like the key to unlock my files, or is there a utility I can use to decrypt my files?

Here is another IP address this ransomware uses: 185.130.6.78


Edited by jgorman, 05 July 2016 - 08:08 PM.


#8 Demonslay335

Ransomware Hunter

Posted 05 July 2016 - 06:34 PM

Quote (jgorman):
    Thank you for the info, next question...

    Do either of the random-named files I uploaded look like the key to unlock my files, or is there a utility I can use to decrypt my files?

 

They are not directly a key, but seem to be related to the key generation at least. There is no decrypter available currently. I would recommend backing up the encrypted files and hoping for a solution in the future. I would consider this one still under investigation.






