BitStak Ransomware Help & Support Topic (.bitstak)



#1 Demonslay335


Posted 07 July 2016 - 10:25 AM

A new ransomware was discovered by MalwareHunterTeam that calls itself BitStak.
 
Victims' files are encrypted and renamed to seemingly random names with the extension ".bitstak" appended. Folders are also renamed and have the extension added. For example, the file "Penguins.jpg" may be renamed "xfZdSbZU.aXd.bitstak".
 
When encryption has finished, the following screenlocker is shown.
 
[Image: BitStak screenlocker]
 
The following folders are targeted.
 

C:/Program Files/
C:/Program Files (x86)/
C:/Users/ + UserName + /AppData/Roaming/
C:/Users/ + UserName + /Documents/
C:/Users/ + UserName + /Downloads/
C:/Users/ + UserName + /Videos/
C:/Users/ + UserName + /Music/
C:/Users/ + UserName + /Pictures/
C:/Users/ + UserName + /Desktop/
D:/
E:/
F:/
G:/
I:/
J:/
K:/

 
The following extensions are targeted.
 

.txt, .doc, .exe, .dat, .bat, .vb, .zip, .7z, .rar, .jar, .mp3, .wav, .save, .mp4, .cfg, .flv, .php, .com, .db, .bin, .reg

 
If you or someone you know has been hit by this ransomware, please post here.
 
I do not recommend paying the ransom. :wink:
 
A decrypter is available here: http://www.bleepingcomputer.com/download/bitstakdecrypter/

Edited by Grinler, 28 July 2016 - 09:57 AM.

ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.
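
To scope the damage described in the first post, the triage script below counts renamed files and folders and lists files of the targeted types that are still intact. It is an added example, not part of the original post and not code from the decrypter; the function names and the sample directory tree are constructed for illustration.

```python
import os
import tempfile

MARKER = ".bitstak"  # extension appended to encrypted files and folders (from the post)
# Extensions the post lists as targeted.
TARGETED = {".txt", ".doc", ".exe", ".dat", ".bat", ".vb", ".zip", ".7z", ".rar",
            ".jar", ".mp3", ".wav", ".save", ".mp4", ".cfg", ".flv", ".php",
            ".com", ".db", ".bin", ".reg"}

def triage(root):
    """Walk root; return renamed folders, renamed files and intact targeted files."""
    report = {"renamed_dirs": [], "renamed_files": [], "intact_targeted": []}
    for dirpath, dirnames, filenames in os.walk(root):
        for d in dirnames:
            if d.lower().endswith(MARKER):
                report["renamed_dirs"].append(os.path.join(dirpath, d))
        for f in filenames:
            path = os.path.join(dirpath, f)
            ext = os.path.splitext(f)[1].lower()
            if ext == MARKER:
                report["renamed_files"].append(path)
            elif ext in TARGETED:
                report["intact_targeted"].append(path)
    return report

def build_sample_tree(base):
    """Constructed sample profile: one renamed folder, two renamed files, two clean files."""
    layout = {
        "Documents/notes.txt": b"still readable",
        "Documents/photo.png": b"type not in the targeted list",
        "Pictures/xfZdSbZU.aXd.bitstak": b"\x00" * 16,
        "kQpLmZ.bitstak/aBcD.eFg.BITSTAK": b"\x00" * 16,
    }
    for rel, data in layout.items():
        path = os.path.join(base, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    return base

def demo():
    # Run the triage over the constructed tree; return sorted paths relative to it.
    with tempfile.TemporaryDirectory() as tmp:
        found = triage(build_sample_tree(tmp))
        return {k: sorted(os.path.relpath(p, tmp).replace(os.sep, "/") for p in v)
                for k, v in found.items()}

if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

On a real system, call `triage()` on each folder or drive root listed in the post instead of the sample tree.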



#2 Demonslay335


Posted 07 July 2016 - 02:29 PM

I am releasing a decrypter for this ransomware. It will also rename files and folders that were changed. This tool will need to be run on the infected system from the affected profile currently - I can add functionality to select an offline drive if needed.

 


 

Simply hit Decrypt Files, and the decrypter will do the rest. :) Optionally, you may check File -> Delete Encrypted Files to have the program delete the encrypted version of files when they have been successfully decrypted. A log file will be created with details on files and folders that were decrypted/renamed.

 

https://download.bleepingcomputer.com/demonslay335/BitStakDecrypter.zip

 

Please note, the password for the zip file is "false-positive". This is a temporary response to false positives being triggered by Google SafeBrowsing and antivirus.


Edited by Demonslay335, 17 January 2017 - 06:48 PM.



#3 CosmicCollider


Posted 11 October 2016 - 01:54 PM

Hey there, thanks so much for all of your decryption programs! Very helpful. Several of yours are being blocked by Google Chrome as unsafe, including this one, and also by our firewall web filtering software. Any idea why that is happening? In particular, this one is blocked by Google Chrome as unsafe when you try and download it.



#4 Demonslay335


Posted 11 October 2016 - 02:07 PM

> Hey there, thanks so much for all of your decryption programs! Very helpful. Several of yours are being blocked by Google Chrome as unsafe, including this one, and also by our firewall web filtering software. Any idea why that is happening? In particular, this one is blocked by Google Chrome as unsafe when you try and download it.


I obfuscated my code to help protect it against the bad guys seeing how I decrypted it. Unfortunately, this leads to false positives a lot, since these are the same tactics the malware devs use. I don't have $$$ to buy a certificate to sign my own code and convince AV vendors to whitelist them. If it's downloaded from BleepingComputer, it is safe.





