
Simple_Encoder Ransomware Help & Support - .~ ext & _RECOVER_INSTRUCTIONS.ini


21 replies to this topic

#1 chanvoon (Members)

Posted 23 July 2016 - 09:29 PM

I have uploaded 2 files here, of which one is the ransom note and the other is an infected file.

https://www.sendspace.com/filegroup/ZL0q3sW%2F4%2FufspIyv9Tnag

Please help to identify it for me.... really appreciated!!

 

 




#2 Demonslay335 (Ransomware Hunter, Security Colleague)

Posted 23 July 2016 - 09:45 PM

This looks new. I don't recognize the ransom note or email address used. Do all of your files have ".-" (or is it ".~", seems encoding goofed on my system) appended to them? Can you share a few more encrypted files? I have not had any submissions with either that extension or ransom note name on ID Ransomware other than your case.

 

If this is new, we will need a sample of the malware to analyze. You may scan your system with MalwareBytes, HitmanPro, or FRST; feel free to post the log(s) here and we can see if they picked up on anything interesting-looking. Please submit any malicious files here: http://www.bleepingcomputer.com/submit-malware.php?channel=168

 

P.S. Please don't double-post in another thread.


Edited by Demonslay335, 23 July 2016 - 09:51 PM.

ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.


#3 chanvoon (Topic Starter, Members)

Posted 23 July 2016 - 11:42 PM

All the infected files are ".~".... and I have already uploaded some other infected files and the Malwarebytes log file as you requested.

 

Thanks a lot for helping !!



#4 Demonslay335 (Ransomware Hunter, Security Colleague)

Posted 24 July 2016 - 12:07 AM

Hmm, the MBAM log was clean. Could you submit a log for HitmanPro and FRST? Also try to track down if it was a bad download from a website (download history in your browser), or possibly a malicious attachment/link in an email you opened recently.

 

I'm noticing the files you shared all have the same 16 bytes in the header. This could be a sign of a variant of CryptoWall (which would be new; I haven't heard of any new activity in changing extensions as far as I'm aware), or it might be something we can identify it by.

 

Do all of your files have this in the header?

4C 00 00 00 01 02 00 00 10 66 00 00 00 A4 00 00    L........f...¤..

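As an added triage example (not code from this thread, nor from ID Ransomware or any other tool mentioned here): a small Python script that walks a directory tree, flags files carrying the .~ extension, checks whether their first 16 bytes match the header transcribed above, and records which folders hold a _RECOVER_INSTRUCTIONS.ini note. It lets a responder answer the "do all of your files have this in the header?" question across a whole volume before uploading samples. The sample tree it builds is constructed for the demonstration; the header bytes and file names are the ones reported in this thread.

```python
import os
import tempfile
from pathlib import Path

# 16-byte header observed at the start of the shared .~ files (post #4 in
# this thread), transcribed from the hex dump. Extension and note name as reported.
OBSERVED_HEADER = bytes.fromhex("4C000000010200001066000000A40000")
ENCRYPTED_SUFFIX = ".~"
NOTE_NAME = "_RECOVER_INSTRUCTIONS.ini"


def classify_file(path: Path) -> str:
    """Return 'note', 'tilde+header', 'tilde-only' or 'clean' for one file."""
    if path.name == NOTE_NAME:
        return "note"
    if not path.name.endswith(ENCRYPTED_SUFFIX):
        return "clean"
    with path.open("rb") as fh:          # only the first 16 bytes are needed
        head = fh.read(len(OBSERVED_HEADER))
    return "tilde+header" if head == OBSERVED_HEADER else "tilde-only"


def triage(root: Path) -> dict:
    """Walk root, count files per class and list the folders that hold a note."""
    summary = {"note": 0, "tilde+header": 0, "tilde-only": 0, "clean": 0, "note_dirs": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            kind = classify_file(Path(dirpath) / name)
            summary[kind] += 1
            if kind == "note":
                summary["note_dirs"].append(dirpath)
    return summary


def build_sample_tree() -> Path:
    """Constructed sample tree (not real victim data) to exercise the triage."""
    root = Path(tempfile.mkdtemp(prefix="tilde_triage_"))
    docs = root / "Documents"
    docs.mkdir()
    (docs / "report.docx.~").write_bytes(OBSERVED_HEADER + b"\x00" * 48)
    (docs / "notes.txt.~").write_bytes(b"X" * 16 + b"\x00" * 48)  # .~ but no matching header
    (docs / NOTE_NAME).write_text("All your system is encrypted.\n")
    (root / "untouched.txt").write_text("plain file\n")
    return root


if __name__ == "__main__":
    print(triage(build_sample_tree()))
```

A .~ file whose header does not match ("tilde-only") is worth reporting to the thread, since it would weaken the header as an identifier for this family.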


#5 Demonslay335 (Ransomware Hunter, Security Colleague)

Posted 24 July 2016 - 03:21 AM

To help with a Google search for victims, here are the contents of the ransom note, _RECOVER_INSTRUCTIONS.ini:

All your system is encrypted.
 
All your files (documents, photos, videos) were encrypted.
It's impossible to get access to your files without necessary decrypt key.
All your attempts to solve problem yourself will be unsuccessful!
 
We suggest you to read some articles about this type of encryption:
 
Now you have two options to solve the problem:
1. Format your hard disk. This way you'll lose all your files.
2. Pay 0.8 Bitcoin and get key of decryption. At the end of this ad
you'll see your personal ID and our contact information.
 
Now you should send us email with your personal ID. This email 
will be as confirmation you are ready to pay for decryption key.
After payment we'll send you key of decryption with instructions
how to decrypt the system.
 
Please, don't send us emails with threats. We don't read it and don't reply!
We guarantee we'll send you the decryption key after your payment
so you'll get access to all your files.
 
Our e-mail address: one1uno243@yandex.com
YOUR PERSONAL IDENTIFIER: [redacted]

 

I've set up a rule to hopefully find something; I haven't been able to find any samples of the malware or other victims so far.




#6 quietman7 (Bleepin' Janitor, Global Moderator)

Posted 24 July 2016 - 01:38 PM

I tried some other search engines but nothing turns up except for this topic and your posts on Pastebin.

Microsoft MVP Consumer Security 2007-2015
Microsoft MVP Reconnect 2016
Windows Insider MVP 2017
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click here.

#7 Demonslay335 (Ransomware Hunter, Security Colleague)

Posted 24 July 2016 - 06:43 PM

Just got a hit on a positive sample, will see if we can analyze it in detail soon.

 

Seems it internally goes by the name "Simple_Encoder".


Edited by Demonslay335, 24 July 2016 - 06:56 PM.



#8 microplanet (Members)

Posted 25 July 2016 - 05:37 AM

Hello,
We have a client that was infected with the same virus on 23 July.
We have a backup, and I have attached an encrypted file and the original file at this link:

https://www.sendspace.com/filegroup/p0E1odR9uLXx%2FhIWdE24CA

Maybe it can help to create a key to decrypt the files.



#9 Grinler (Lawrence Abrams, Admin)

Posted 25 July 2016 - 09:51 AM

The Simple_Encoder, or Tilde Ransomware, is a ransomware that will encrypt your data using AES encryption and then add a tilde, or .~ extension, to the encrypted files. In each folder where a file is encrypted, it will create a _RECOVER_INSTRUCTIONS.ini ransom note, which is shown below.

 

The targeted file types are:

.mid, .key, .crt, .csr, .pem, .DOC, .odt, .ott, .sxw, .stw, .PPT, .XLS, .pdf, .RTF, .uot, .CSV, .txt, .xml, .max, .DOT, .docx, .docm, .dotx, .dotm, .hwp, .ods, .ots, .sxc, .stc, .dif, .xlc, .xlm, .xlt, .xlw, .slk, .xlsb, .xlsm, .xlsx, .xltm, .xltx, .wks, .odp, .otp, .sxi, .sti, .pps, .pot, .sxd, .std, .pptm, .pptx, .potm, .potx, .uop, .odg, .otg, .sxm, .mml, .docb, .ppam, .ppsx, .ppsm, .sldx, .sldm, .ms11 (Security copy), .lay, .lay6, .asc, .SQLITE3, .SQLITEDB, .sql, .mdb, .dbf, .odb, .frm, .MYD, .MYI, .ibd, .mdf, .ldf, .php, .cpp, .pas, .asm, .vbs, .dip, .dch, .sch, .brd, .asp, .java, .jar, .class, .bat, .cmd, .psd, .NEF, .tiff, .tif, .jpg, .jpeg, .cgm, .raw, .gif, .png, .bmp, .svg, .djvu, .djv, .zip, .rar, .tgz, .tar, .bak, .tbk, .tar.bz2, .PAQ, .ARC, .aes, .gpg, .vmx, .vmdk, .vdi, .qcow2, .wav, .swf, .fla, .wmv, .mpg, .vob, .mpeg, .asf, .avi, .mov, .mkv, .flv, .wma, .mp3

(Screenshot of the _RECOVER_INSTRUCTIONS.ini ransom note; image not included in this text.)



#10 Amigo-A (Members)

Posted 25 July 2016 - 01:23 PM

Location of the ransom note:
C:\\_RECOVER_INSTRUCTIONS.ini
C:\Documents and Settings\Default User\Desktop\_RECOVER_INSTRUCTIONS.ini 
C:\Documents and Settings\Default User\Templates\_RECOVER_INSTRUCTIONS.ini 
 
Location of the ransom image:
%TEMP%\Simple_Encoder\img.bmp
C:\DOCUME~1\<USER>~1\LOCALS~1\Temp\Simple_Encoder\img.bmp

Need info about Crypto-Ransomware? A huge safe base here!

Digest about Crypto-Ransomwares (In Russian) + Google Translate Technology

Anti-Ransomware Project  (In Russian) + Google Translate Technology and links


#11 andiamo11 (Members)

Posted 04 August 2016 - 01:05 PM

Hi - I've been hit with this ransomware. It added a .crypz extension to all my files. Here is the ransom note... can you help me? Thanks!

 

NOT YOUR LANGUAGE? USE https://translate.google.com

@@@@@@@ What happened to your files ?
@@@@@@@ All of your files were protected by a strong encryption with RZA4096
@@@@@@@ More information about the en-Xryption keys using RZA4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)

@@@@@@@ How did this happen ?
@@@@@@@ !!! Specially for your PC was generated personal RZA4096 Key , both publik and private.
@@@@@@@ !!! ALL YOUR FILES were en-Xrypted with the publik key, which has been transferred to your computer via the Internet.
@@@@@@@ !!! Decrypting of your files is only possible with the help of the privatt key and de-crypt program , which is on our Secret Server

@@@@@@@ What do I do ?
@@@@@@@ So , there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way
@@@@@@@ If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment

Your personal ID: E51DC23B02AF

For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below:

1 - http://fkqzszmqtuskqtb6.onion.to
2 - http://fkqzszmqtuskqtb6.onion.cab
3 - http://fkqzszmqtuskqtb6.onion.city

If for some reasons the addresses are not available, follow these steps:

1 - Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en
2 - After a successful installation, run the browser
3 - Type in the address bar - http://fkqzszmqtuskqtb6.onion
4 - Follow the instructions on the site

Be sure to copy your personal ID and the instruction link to your notepad not to lose them.



#12 Demonslay335 (Ransomware Hunter, Security Colleague)

Posted 04 August 2016 - 01:42 PM

@andiamo11

You have already posted in the CryptXXX topic. Your files were hit by CryptXXX, not Simple_Encoder. This ransomware adds the tilde character as an extension, and as posted, the ransom note is completely different.




#13 cybercynic (Members)

Posted 04 August 2016 - 01:43 PM

The .crypz extension indicates CryptXXX - an entirely different ransomware.

Upload an encrypted file and the ransom note to the ID-Ransomware website: https://id-ransomware.malwarehunterteam.com/

If confirmed, you need to post in this topic: http://www.bleepingcomputer.com/forums/t/609690/ultracrypter-cryptxxx-ultradecrypter-ransomware-help-topic-crypt-cryp1/page-88

Oops, the Demon Slayer beat me to it.


Edited by cybercynic, 04 August 2016 - 01:44 PM.

We are drowning in information - and starving for wisdom.


#14 andiamo11 (Members)

Posted 04 August 2016 - 05:45 PM

Thanks guys, but I did post in that forum and didn't get an answer, so I gave it another try... thanks!



#15 cybercynic (Members)

Posted 04 August 2016 - 06:37 PM

Read this article: http://www.bleepingcomputer.com/news/security/cryptxxx-providing-free-keys-for-crypz-and-cryp1-versions/

 

It may no longer apply, however.

 

Also, Trend Micro has a decrypter which MAY work in your case. Read the instructions carefully for CryptXXX decryption.

 

This is all covered in the CryptXXX topic - you should return there to post further.


We are drowning in information - and starving for wisdom.




