
New CryptXXX Version? A Poster requested I make a new thread


This topic is locked
4 replies to this topic

#1 charly1954 (Members, 77 posts)

Posted 18 July 2016 - 09:14 PM

On another thread a poster said I should post to a new thread with all info I posted there.

_____________________________________________________

I ran the test at https://id-ransomware.malwarehunterteam.com/index.php

Results said:

This ransomware has no known way of decrypting data at this time.

It is recommended to backup your encrypted files, and hope for a solution in the future.

Identified by

  • ransomnote_filename: !README.HTML
  • sample_extension: .<5hex>


I right-clicked a random file (not the file used in the test) and here are the properties. I don't have any idea whether the file was a notebook page, a Works word processor page, a spreadsheet, etc.

Every encrypted file I checked also had 32 characters, a dot, then 5 more, like this one:

1BDC345612817FE672B9DE56F470E21E.802ED


Properties of the file say Type file:

802ED File (.802ED)

Opens with: Windows Shell Common Dll


Here is a print scan of the test

(attachment: 412673594.jpg)


Edited by charly1954, 18 July 2016 - 10:35 PM.



#2 problemi (Members, 5 posts)

Posted 19 July 2016 - 01:16 AM

:(

In that case I too have got this new version :(


http://www.bleepingcomputer.com/forums/t/619986/cryptxxx-30-problem/



#3 quietman7, Bleepin' Janitor (Global Moderator, 51,932 posts, Virginia, USA)

Posted 19 July 2016 - 07:09 AM

Demonslay335 has been advised so please be patient until he can reply.

Samples of any encrypted files, ransom notes or suspicious executables (installer, malicious files, attachments) that you suspect were involved in causing the infection can be submitted here (http://www.bleepingcomputer.com/submit-malware.php?channel=168) with a link to this topic. Doing that will be helpful with analyzing and investigating by our crypto experts.

These are some common locations malicious executables hide:
%SystemDrive% (C:\)\<random>.exe
%SystemRoot% (C:\Windows)\<random>.exe
%Temp%\<random>.exe
%AppData%\<random>.exe
%LocalAppData%\<random>.exe
%ProgramData%\<random>.exe
%WinDir%\<random>.exe
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click here.

#4 Demonslay335, Ransomware Hunter (Security Colleague, 3,579 posts, USA)

Posted 19 July 2016 - 08:26 AM

I've seen a few submissions like this lately, but haven't found a sample of the malware to confirm. The ransom note looks just like previous CryptXXX from what I've seen (the posted contents are the same, and filename of course is the same), so I'm guessing it is the same family. It would be helpful to acquire a sample to fully confirm.


For now I am leaving the detection rule (picks up on the hex extension) as it is until we have something further. If it ends up being something different, I'll have to manually write a false-positive override later.


ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.
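As an added illustration (not code from this thread, from ID Ransomware or from CryptoSearch), here is a small Python triage helper that flags the naming pattern the posters describe: a 32-hex-character name with a 5-hex-character extension, plus the !README.HTML note, and reports whether the extension is consistent across files, which is what the detection rule mentioned above keys on. The sample names are constructed, and the assumption that hex case does not matter is mine.

```python
import os
import re
from collections import Counter

# Naming pattern described in the thread: 32 hex characters, a dot, then a
# 5-hex-character extension (e.g. 1BDC345612817FE672B9DE56F470E21E.802ED).
# Matching both upper and lower case hex is an assumption, not from the thread.
ENCRYPTED_NAME_RE = re.compile(r"^[0-9A-Fa-f]{32}\.([0-9A-Fa-f]{5})$")
RANSOM_NOTE_NAME = "!README.HTML"

def classify_name(filename):
    """Return 'note', 'encrypted' or None for a single file name."""
    if filename.upper() == RANSOM_NOTE_NAME:
        return "note"
    if ENCRYPTED_NAME_RE.match(filename):
        return "encrypted"
    return None

def triage_names(filenames):
    """Summarise file names: how many look encrypted, how many ransom notes,
    and which 5-hex extensions were seen (one consistent extension across
    all files is the observation the thread's detection rule relies on)."""
    encrypted, notes, extensions = 0, 0, Counter()
    for name in filenames:
        kind = classify_name(name)
        if kind == "note":
            notes += 1
        elif kind == "encrypted":
            encrypted += 1
            extensions[name.rsplit(".", 1)[1].upper()] += 1
    return {"encrypted": encrypted, "notes": notes,
            "extensions": dict(extensions),
            "single_extension": len(extensions) == 1}

def triage_tree(root):
    """Walk a directory tree (read-only) and triage every file name in it."""
    names = []
    for _dirpath, _dirs, files in os.walk(root):
        names.extend(files)
    return triage_names(names)

# Constructed sample names for a dry run; only the first one is quoted in the thread.
SAMPLE_NAMES = [
    "1BDC345612817FE672B9DE56F470E21E.802ED",   # name quoted by charly1954
    "0F3A9C2E7B1D4E5F6A7B8C9D0E1F2A3B.802ED",   # constructed
    "!README.HTML",                              # ransom note filename
    "budget.xlsx",                               # untouched file
    "ZZZZ345612817FE672B9DE56F470E21E.802ED",   # not hex: must not match
    "1BDC345612817FE672B9DE56F470E21E.802EDX",  # 6-char extension: must not match
]

if __name__ == "__main__":
    print(triage_names(SAMPLE_NAMES))
```

Point triage_tree at a copy of the affected drive to count encrypted files and notes without touching them.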


#5 quietman7, Bleepin' Janitor (Global Moderator, 51,932 posts, Virginia, USA)

Posted 19 July 2016 - 10:22 AM

Based on Demonslay335's findings, if you have any further questions, comments or need additional assistance, please post them in the support topic from which you were referred to start a new thread. Rather than have everyone with individual topics, it would be best (and more manageable for staff) if you posted any more there. To avoid unnecessary confusion, this topic is closed.

Thanks
The BC Staff



