
Ransomware ( .D6979 )


  • This topic is locked
3 replies to this topic

#1 RangerTom


  • Members
  • 1 posts
  • OFFLINE

Posted 06 July 2016 - 09:41 PM

I’ve read the suggested threads:

  • http://www.bleepingcomputer.com/virus-removal/teslacrypt-alphacrypt-ransomware-information
  • https://blog.malwarebytes.com/101/2016/06/malvertising-and-ransomware-the-bonnie-and-clyde-of-advanced-threats/
  • https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/pubhtml#
  • http://www.ghacks.net/2016/04/13/id-ransomware/ (couldn’t upload both the ransom note and a sample infected file, as I had deleted the ransom note)
  • https://id-ransomware.malwarehunterteam.com/index.php

 

I have a Win 7 system.  The ransomware encrypted my files with the extension “.D6979”.  I haven’t found any instances of this particular file extension encryption anywhere on the web.  I assume it’s a new variant.

 

I attempted to remove the ransomware, but it kept returning.  I believe the first instance was either TeslaCrypt or TesCrypt.  MSE identified it when it came back as TesCrypt C.  The last appearance was identified by MSE as TesCrypt E.  I haven’t seen any reappearances in the last 4 or 5 days.  I was running MSE and Malwarebytes free version before the infection and still am.  Considering adding or replacing one or both of MSE and Malwarebytes free with Emsisoft Anti-Malware or Kaspersky Total or HitmanPro or Malwarebytes Anti-Ransomware.  Also considering adding Software Restriction Policies and the CryptoPrevent Tool, maybe even manually created Software Restriction Policies (although I’d have to woodshed a little on these – would prefer a packaged solution).  I’ve learned a lot over the years, but I’m still no techie – my expertise is in areas other than computers; I’m first and foremost a user, not a tech specialist like so many of you good folks.

 

Because of the reappearances, I am considering reformatting the drives in the desktop (solid state software drive and hard drive files drive) and re-installing Windows, Office, etc. on the solid state drive.  Hate to do it, but may have to.  Will this eliminate the possibility of the ransomware reappearing?  I would think so, as all files are overwritten in a re-format.

 

The ransomware encrypted .doc files, .docx files, .xls files, .xlsv files, .ppt files, .pptx files, .htm files, .pdf files, possibly some others.  Interestingly, it encrypted some but not all files.  It did encrypt some files uploaded to OneDrive from another computer but accessed through my infected computer via OneDrive installed on my infected computer.

 

Fortunately, the other computer hadn’t been booted for a month, so it didn’t sync the encrypted files back down onto the other computer, so the files on that computer still were present in their original state.  So I unplugged the other computer from the internet, saved the files onto a thumb drive, and now have all those files.  What I’ve lost to encryption is all of the files in the One Drive folder that were modified or added in the past month since the other computer was last booted, plus all of the files on my infected computer that were not in the OneDrive folder.  So it’s not as bad as it could be, but still bad.

 

As to decryption, the various TeslaDecoder utilities would not seem to work, as they are specific to specific file extensions, and none of them seem to work with the “.D6979” file extension encryption.

Although I saved the encrypted files to a parking folder, I have been religiously cleaning out my computer with several different utilities, and I wouldn’t be surprised if I deleted the copy of the files that the ransomware makes and then encrypts (if that in fact is what happens), so if that is true, then I may no longer be able to decrypt even if a decryption utility is developed for the “.D6979” file extension encryption.

 

As to the other methods of restoring my original files:

  • Backups – the OneDrive copy was my backup solution.  A good solution until you are attacked with ransomware and it encrypts your OneDrive backup.  So this method won’t work for me.
  • File recovery software – as mentioned, R-Studio or Photorec may not work as I may have deleted the encrypted copy (or will these decrypt the encrypted copy I moved to a parking folder?).  But I continue to use the infected computer for work and play, so I may have made it more difficult for these software utilities to work, if it’s even possible that they can decrypt the “.D6979” file extension encryption.  I still need to try this.
  • Shadow volume copies – this won’t work as the ransomware deleted the shadow volume copies
  • Restore DropBox folders – does this also work for OneDrive – I’ll have to investigate this.
  • Native Windows Previous versions – this won’t work as the ransomware deleted the previous versions
  • Shadow Explorer – this won’t work as the ransomware deleted the shadow copies

 

Thanks for any guidance you can provide.




 


#2 al1963


  • Members
  • 886 posts
  • OFFLINE

Posted 06 July 2016 - 09:55 PM

It is likely CryptXXX.

http://www.bleepingcomputer.com/news/security/cryptxxx-ransomware-moves-from-the-crypz-extension-to-a-random-one/



#3 Demonslay335


    Ransomware Hunter


  • Security Colleague
  • 3,513 posts
  • OFFLINE
  • Gender:Male
  • Location:USA
  • Local time:10:25 PM

Posted 06 July 2016 - 10:02 PM

OneDrive should support versioning that you can rollback. They have a support page on it (can't pull up on mobile, but a quick Google should yield it).

I assure you this is NOT TeslaCrypt; that project has been dead for weeks, so there are no new cases (just old victims surfacing occasionally), and it was very consistent on using specific extensions, or not modifying the filename at all. I believe MSE may be leading you astray because CryptXXX took the place of TeslaCrypt in the distribution campaigns - it is probably picking up on leftover malware from the dropper(s).

You were hit by one of the latest variants of CryptXXX, which uses a random 5-character hex extension for each victim. Current versions of CryptXXX are not decryptable, I'm afraid; you can check the support topic for more information.

ID Ransomware will still pick up on the random extension and point you in the right direction in this case. Having the ransom note would solidify the identification, but I'm 99% sure it is CryptXXX based on the frequency of it going around. You can check ProofPoint and the articles here on BleepingComputer for more information on how it is spread (hint: exploit kits, so keep your software fully updated).

ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]



#4 quietman7


    Bleepin' Janitor


  • Global Moderator
  • 51,485 posts
  • OFFLINE
  • Gender:Male
  • Location:Virginia, USA
  • Local time:11:25 PM

Posted 07 July 2016 - 05:48 AM

Any files that are encrypted with the newest CryptXXX 3.x variant will have a random 5 hexadecimal character extension (i.e. .AC0D4, .DA3D1, .73E61, .EF538) appended to the end of the encrypted data filename, as explained here.

There is an ongoing discussion in this topic where you can ask questions and seek further assistance. Other victims have been directed there to share information, experiences and suggestions. Rather than have everyone with individual topics, it would be best (and more manageable for staff) if you posted any more questions, comments or requests for assistance in the above support topic discussion... it includes experiences by experts, a variety of IT consultants, end users and company reps who have been affected by ransomware infections. To avoid unnecessary confusion, this topic is closed.

Thanks
The BC Staff
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

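Added example, not from the thread or from any of the tools linked above: a small Python triage script that applies the identification rule both replies give (a random 5-character hex extension appended after the original filename, one tag per victim) to a constructed file listing, recovers the pre-encryption names, and groups hits by tag so an analyst can see whether a single tag covers the affected files. The upper-case hex assumption and the sample paths are mine.

```python
import re
from collections import Counter
from pathlib import PurePosixPath

# CryptXXX 3.x pattern described in the thread: a random 5-character hex tag, one per
# victim, appended after the original filename (report.docx -> report.docx.D6979).
# Assumption: the tag is upper-case hex, as in every example given in the thread.
HEX_TAG = re.compile(r"^\.[0-9A-F]{5}$")

# Constructed sample listing for the demo; these paths are not from the poster's machine.
SAMPLE_FILES = [
    "C:/Users/tom/Documents/report.docx.D6979",
    "C:/Users/tom/Documents/budget.xlsx.D6979",
    "C:/Users/tom/OneDrive/notes.txt.D6979",
    "C:/Users/tom/OneDrive/README.D6979",   # original file had no extension
    "C:/Users/tom/Pictures/photo.jpg",      # untouched (some files were skipped)
    "C:/Users/tom/Documents/index.htm",     # untouched
    "C:/Users/tom/Downloads/tools.faced",   # lower-case word made of hex letters: not a tag
    "C:/Windows/System32/kernel32.dll",
]

def suspect_tag(path):
    """Return the appended extension if it looks like a CryptXXX 3.x hex tag, else None."""
    suffixes = PurePosixPath(path).suffixes   # forward slashes, so this works on any host
    if not suffixes:
        return None
    tag = suffixes[-1]
    return tag if HEX_TAG.match(tag) else None

def original_name(path, tag):
    """Strip the appended tag to recover the pre-encryption filename."""
    return path[:-len(tag)]

def triage(paths):
    """Group flagged files by tag: {tag: [original paths]}.

    One tag per victim is the CryptXXX 3.x pattern, so one tag covering many files
    supports that identification; several different tags would not fit it.
    """
    hits = {}
    for p in paths:
        tag = suspect_tag(p)
        if tag:
            hits.setdefault(tag, []).append(original_name(p, tag))
    return hits

def verdict(hits):
    """Return (tag, count) for the dominant tag, or None when nothing was flagged."""
    counts = Counter({tag: len(files) for tag, files in hits.items()})
    return counts.most_common(1)[0] if counts else None
```

On a real system, feed `triage` a directory walk instead of `SAMPLE_FILES`; the recovered original names also tell you which files to look for in OneDrive version history.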



