Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

New ransomware <README.txt> Microsoft decryptor


  • This topic is locked This topic is locked
11 replies to this topic

#1 love24you

love24you

  • Members
  • 30 posts
  • OFFLINE
  •  
  • Local time:07:53 AM

Posted 06 July 2016 - 02:55 AM

 Can someone please tell me this is a new ransomware ?

 

NOT YOUR LANGUAGE? USE https://translate.google.com
 
What happened to your files ?
All of your files were protected by a strong encryption with RSA4096
More information about the encryption keys using RSA4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)
 
How did this happen ?
!!! Specially for your PC was generated personal RSA4096 Key , both public and private.
!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.
!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server
 
What do I do ?
So , there are two ways you can choose: wait for a _miracle_ and get _your_ PRICE DOUBLED! Or start obtaining *BITCOIN NOW! , and restore _YOUR_ _DATA_ easy way
If You have really valuable _DATA_, you better _NOT_ _WASTE_ _YOUR_ _TIME_, because there is _NO_ other way to get your files, except make a _PAYMENT_
 
 
Your personal ID: ADEFE4B1:49A860F8:5D9CF787:B15772D6     
 
For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below:
 
 
If for some reasons the addresses are not availablweropie, follow these steps:
 
1 - Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en
2 - Video instruction: 
3 - After a successful installation, run the browser
4 - Type in the address bar: http://t352fwt225ao5mom.onion
5 - Follow the instructions on the site

Edited by love24you, 06 July 2016 - 02:56 AM.


BC AdBot (Login to Remove)

 


#2 halibut

halibut

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:12:53 AM

Posted 06 July 2016 - 03:50 AM

Got hit by it as well yesterday, it's creating only three files readme.bmp, readme.htlm and readme.txt. It's not changing  the extensions of encrypted files. 



#3 AQUAR

AQUAR

  • Members
  • 28 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Australia
  • Local time:09:53 AM

Posted 06 July 2016 - 04:16 AM

Ditto,

 

No idea how this sneaked into my OS.

I was simply browsing on google for grout products to use in my bathroom reno.

Possibly it came in via one of the web sites I was looking at.

 

I do keep resource monitor running in the background for checking up on suspicious activity if the CPU usage goes up when it should not.

Only left the PC unattended for half an hour and when I returned it was busy encrypting files.

 

Shut it down quickly (forgot to write down the process responsible) but a fair bit of damage was already done.

 

Process responsible has not re-appeared on reboot.

Public key (PUB.KEY) is in AppData\Local\temp.

Leaves .exe alone.

 

Hopefully some vulnerability is found as this one needs a private key to decrypt.

Has some similarities with CryptoDefense maybe?

 

Sick people in this word for sure.


Edited by AQUAR, 06 July 2016 - 04:24 AM.


#4 Fabian Wosar

Fabian Wosar

    Authorized Emsisoft Representative


  • Security Developer
  • 744 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Germany
  • Local time:12:53 AM

Posted 06 July 2016 - 04:36 AM

It will probably be pretty difficult to find the ransomware due to the ambiguous names of the created ransom notes and the fact that the file extensions aren't changed. So unless one of you guys steps up and can find the malicious executable on their system or allows one of us to check your system for the file, it is unlikely that we will be able to locate the ransomware responsible anytime soon.
Best regards,

Fabian Wosar [Development]
Emsisoft Team - www.emsisoft.com

#5 love24you

love24you
  • Topic Starter

  • Members
  • 30 posts
  • OFFLINE
  •  
  • Local time:07:53 AM

Posted 06 July 2016 - 04:39 AM

Similar CryptXXX



#6 AQUAR

AQUAR

  • Members
  • 28 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Australia
  • Local time:09:53 AM

Posted 06 July 2016 - 06:14 AM

I can run some malware programs to see if there are any remnants of this ransomware, before I rebuild the PC.

But it looks like the ransomware no longer exists on my system.

This is the second time I've been hit with this kind of malware.

 

It's time I "virtualise" my internet connectivity to limit HDD exposure to this kind of data destruction.

Should have done that before as a supporting line of defence to backups (time is short!).



#7 AQUAR

AQUAR

  • Members
  • 28 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Australia
  • Local time:09:53 AM

Posted 06 July 2016 - 07:49 AM

I am out of my depth here so sorry if this is a bum steer.

It looks like the ransomware is active again and quickly going through the folders that were already encrypted.

Suspicious process that is accessing the files is regsvr32.exe /s rad0EEE5.temp.dll

Path to the dll is \AppData\Local\temp\Low

To stop it from getting further I suspended the process.

 

Virustotal: is 2/55

Ahnlab-V3 gives Trojan/win32.cryptXXX.R184265

AegisLab gives Troj.w32.Gen.lw77

 

PS: Tried latest Ranohdecryptor but it doesn't work - always informs file size is different when coupling encrypted and not encrypted files to seed the program.

 

If interested in the dll let me know.


Edited by AQUAR, 06 July 2016 - 07:55 AM.


#8 Fabian Wosar

Fabian Wosar

    Authorized Emsisoft Representative


  • Security Developer
  • 744 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Germany
  • Local time:12:53 AM

Posted 06 July 2016 - 07:56 AM

Would you mind submitting the file here:

http://www.bleepingcomputer.com/submit-malware.php?channel=170

That would be quite helpful.
Best regards,

Fabian Wosar [Development]
Emsisoft Team - www.emsisoft.com

#9 AQUAR

AQUAR

  • Members
  • 28 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Australia
  • Local time:09:53 AM

Posted 06 July 2016 - 08:22 AM

Okay - have submitted the suspicious file.



#10 ruskata

ruskata

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:02:53 AM

Posted 06 July 2016 - 02:20 PM

I am having exactly the same problem, but @AQUAR was far more clever and was actually able to find the process working again (something that has not happen here, it was active only once and i restarted too quickly to realize what the executable was). So, I'm following this thread with great interest! THanks to all involved!

If it will help, here are some files from my system:

https://www.dropbox.com/sh/fssddl8zrlikhpd/AADA7KsBEEUN2HGsnC94orlea?dl=0

 

EDIT: In that dropbox folder I've put also the dll file that was found in the same folder as @AQUAR's. Additionally, I've uploaded it as per @Fabian Wosar's instructions and tried a virustotal scan on it which this result:

https://virustotal.com/en/file/0f5870e5d85f992d620850a55fc2b98c0caa9974c92419b8852023d0aba05a27/analysis/1467892959/

SHA256:	0f5870e5d85f992d620850a55fc2b98c0caa9974c92419b8852023d0aba05a27
File name:	rad56C71.tmp.dll
Detection ratio:	8 / 52
Analysis date:	2016-07-07 12:02:39 UTC ( 34 minutes ago )

Edited by ruskata, 07 July 2016 - 07:41 AM.


#11 cybercynic

cybercynic

  • Members
  • 560 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Edge Of Tomorrow
  • Local time:07:53 PM

Posted 07 July 2016 - 10:33 AM

BC News Article:  http://www.bleepingcomputer.com/news/security/new-cryptxxx-changes-name-to-microsoft-decryptor/


We are drowning in information - and starving for wisdom.


#12 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,475 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:07:53 PM

Posted 07 July 2016 - 11:05 AM

There is an ongoing discussion in this topic where you can ask questions and seek further assistance. Other victims have been directed there to share information, experiences and suggestions.Rather than have everyone with individual topics, it would be best (and more manageable for staff) if you posted any more questions, comments or requests for assistance in the above support topic discussion...it includes experiences by experts, a variety of IT consultants, end users and company reps who have been affected by ransomware infections. To avoid unnecessary confusion, this topic is closed.

Thanks
The BC Staff
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users