Ransom:Win32/Teerac.B!bit encrypted files changed to .encrypted extension


This topic is locked. 4 replies to this topic.

#1 roshanrbb (Members, 2 posts)

Posted 11 July 2016 - 06:49 PM

Hi,

One of our computers has been infected by ransomware; it has encrypted some files on the desktop and changed the affected files to the .encrypted extension. Looking at the Microsoft Security Essentials logs, it says it was infected by Ransom:Win32/Teerac.

No ransom note was found and the desktop was not locked with a message. I have already scanned the computer with MBAM and HitmanPro and nothing was detected.

I have attached a screenshot of the email from which the infection likely originated and the link inside the email. I have attached a screenshot of the quarantine logs from Microsoft Security Essentials as well.

I have submitted a file via this link http://www.bleepingcomputer.com/submit-malware.php?channel=3 under the topic title Ransom:Win32/Teerac.B!bit encrypted files changed to .encrypted extension.

I had contacted the Dr.Web decryption service and submitted some files, and they said the files can be decrypted for a fee of 150 EUR, as I don't have a product with them.

I tried some of the decryption tools like TorrentUnlocker, decrypt_apocalypse and RannohDecryptor but have had no success yet.



Edited by roshanrbb, 11 July 2016 - 06:57 PM.



#2 Demonslay335 (Ransomware Hunter, Security Colleague, 3,511 posts, USA)

Posted 11 July 2016 - 07:06 PM

It seems you are dealing with what the rest of the industry calls Crypt0L0cker. Everything matches up from what you've described.

 

If you can locate a ransom note, it will clearly tell you as well. You can also upload a ransom note to the website in my signature to confirm.

 

Here is more information on Crypt0L0cker.


ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.


#3 roshanrbb (Topic Starter, Members, 2 posts)

Posted 11 July 2016 - 07:19 PM

I could not find any ransom notes on the desktop, in Documents or anywhere else, except the quarantine logs in MSE. So there is no option except to pay Dr.Web for decryption at this point?

I have some copies of the encrypted files in Dropbox, so maybe it is possible to extract the decryption key by comparing an encrypted file with the unencrypted one?



#4 Demonslay335 (Ransomware Hunter, Security Colleague, 3,511 posts, USA)

Posted 11 July 2016 - 07:27 PM

Crypt0L0cker's encryption is not susceptible to a plain-text attack, or a free decrypter would have been available a long time ago.

Dr. Web is about the only chance there is if you don't have backups. Certainly is cheaper than the ransom, and you are not funding criminals. Dr. Web is much more reputable, and it seems many victims have had luck with them.

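A triage script along the lines of what the poster is trying to do by hand, added here as an example (it is not code from this thread, nor from CryptoSearch or Dr.Web): it lists files carrying the .encrypted extension, uses byte entropy to tell genuinely encrypted content from files that were merely renamed, and checks whether a clean copy with the original name exists at the same relative path under a backup folder, which is the realistic recovery route when the key cannot be derived from plaintext/ciphertext pairs. The Dropbox-style folder layout, the sample file names and the entropy threshold are assumptions.

```python
import math
import os
import tempfile
from pathlib import Path

RANSOM_EXT = ".encrypted"   # extension the poster saw appended to affected files


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the content; properly encrypted data sits close to 8.0."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def inventory_encrypted(victim_root, backup_root, ext=RANSOM_EXT, threshold=7.0):
    """For every file under victim_root carrying `ext`, record its entropy, whether
    the content looks encrypted, and whether a clean copy with the original name
    exists at the same relative path under backup_root (assumed backup layout)."""
    victim_root, backup_root = Path(victim_root), Path(backup_root)
    rows = []
    for path in victim_root.rglob(f"*{ext}"):
        if not path.is_file():
            continue
        original_name = path.name[: -len(ext)]            # strip the appended extension
        rel_dir = path.parent.relative_to(victim_root)
        backup_copy = backup_root / rel_dir / original_name
        entropy = shannon_entropy(path.read_bytes())
        rows.append({
            "file": str(path.relative_to(victim_root)),
            "entropy": round(entropy, 2),
            "looks_encrypted": entropy >= threshold,
            "backup_available": backup_copy.is_file(),
        })
    return sorted(rows, key=lambda r: r["file"])


def demo():
    """Constructed sample tree: two affected desktop files, one of which has a
    clean copy in a Dropbox-style backup folder (hypothetical names and layout)."""
    tmp = Path(tempfile.mkdtemp())
    desktop, backup = tmp / "victim" / "Desktop", tmp / "Dropbox" / "Desktop"
    desktop.mkdir(parents=True)
    backup.mkdir(parents=True)
    # encrypted-looking content: random bytes (constructed stand-in for ciphertext)
    (desktop / f"report.docx{RANSOM_EXT}").write_bytes(os.urandom(4096))
    # a file that was only renamed, not encrypted: low-entropy plain text
    (desktop / f"notes.txt{RANSOM_EXT}").write_bytes(b"meeting notes\n" * 300)
    (backup / "report.docx").write_bytes(b"clean original document")
    return inventory_encrypted(tmp / "victim", tmp / "Dropbox")


if __name__ == "__main__":
    for row in demo():
        print(row)
```

Files that are flagged as encrypted and have no backup copy are the ones where a paid decryption service or a future free decrypter is the only remaining option.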


#5 quietman7 (Bleepin' Janitor, Global Moderator, 51,474 posts, Virginia, USA)

Posted 11 July 2016 - 08:11 PM

Rather than have everyone with individual topics, it would be best (and more manageable for staff) if you posted any more questions, comments or requests for assistance in the above Crypt0L0cker support topic discussion. It includes experiences from experts, a variety of IT consultants, end users and company reps who have been affected by ransomware infections. To avoid unnecessary confusion, this topic is closed.

Thanks
The BC Staff