
Jager Ransomware Help & Support (Important_Read_Me.html)


  • Please log in to reply
2 replies to this topic

#1 Demonslay335


Posted 26 July 2016 - 10:30 AM

Another ransomware has been spotted, calling itself "JagerDecryptor". A sample was recently secured by Jakub Kroustek.

 

Once the ransomware has infected a system, it will generate a new AES-256 key for each file it encrypts. This AES key is encrypted with RSA and appended to the end of the file along with the AES IV and other information.

 

Of particular interest, any encrypted file will have "!ENC" as the first 4 bytes of the file.

 

Victims are presented with the following file "Important_Read_Me.html" for the ransom note, and asked to email the criminals at smartfiles9@yandex.com.
[Screenshot of the Important_Read_Me.html ransom note]

The following extensions are targeted.

 

.3DM, .3DS, .3G2, .3GP, .7Z, .ACCDB, .AES, .AI, .AIF, .APK, .APP, .ARC, .ASC, .ASF, .ASM, .ASP, .ASPX, .ASX, .AVI, .BMP, .BRD, .BZ2, .C, .CER, .CFG, .CFM, .CGI, .CGM, .CLASS, .CMD, .CPP, .CRT, .CS, .CSR, .CSS, .CSV, .CUE, .DB, .DBF, .DCH, .DCU, .DDS, .DIF, .DIP, .DJV, .DJVU, .DOC, .DOCB, .DOCM, .DOCX, .DOT, .DOTM, .DOTX, .DTD, .DWG, .DXF, .EML, .EPS, .FDB, .FLA, .FLV, .FRM, .GADGET, .GBK, .GBR, .GED, .GIF, .GPG, .GPX, .GZ, .H, .HTM, .HTML, .HWP, .IBD, .IBOOKS, .IFF, .INDD, .JAR, .JAVA, .JKS, .JPG, .JS, .JSP, .KEY, .KML, .KMZ, .LAY, .LAY6, .LDF, .LUA, .M, .M3U, .M4A, .M4V, .MAX, .MDB, .MDF, .MFD, .MID, .MKV, .MML, .MOV, .MP3, .MP4, .MPA, .MPG, .MS11, .MSI, .MYD, .MYI, .NEF, .NOTE, .OBJ, .ODB, .ODG, .ODP, .ODS, .ODT, .OTG, .OTP, .OTS, .OTT, .P12, .PAGES, .PAQ, .PAS, .PCT, .PDB, .PDF, .PEM, .PHP, .PIF, .PL, .PLUGIN, .PNG, .POT, .POTM, .POTX, .PPAM, .PPS, .PPSM, .PPSX, .PPT, .PPTM, .PPTX, .PRF, .PRIV, .PRIVAT, .PS, .PSD, .PSPIMAGE, .PY, .QCOW2, .RA, .RAR, .RAW, .RM, .RSS, .RTF, .SCH, .SDF, .SH, .SITX, .SLDX, .SLK, .SLN, .SQL, .SQLITE, .SQLITE, .SRT, .STC, .STD, .STI, .STW, .SVG, .SWF, .SXC, .SXD, .SXI, .SXM, .SXW, .TAR, .TBK, .TEX, .TGA, .TGZ, .THM, .TIF, .TIFF, .TLB, .TMP, .TXT, .UOP, .UOT, .VB, .VBS, .VCF, .VCXPRO, .VDI, .VMDK, .VMX, .VOB, .WAV, .WKS, .WMA, .WMV, .WPD, .WPS, .WSF, .XCODEPROJ, .XHTML, .XLC, .XLM, .XLR, .XLS, .XLSB, .XLSM, .XLSX, .XLT, .XLTM, .XLTX, .XLW, .XML, .YUV, .ZIP, .ZIPX, .DAT

 

The following folders are skipped.

 

Application Data, AppData, Program Files (x86), Program Files, Temp, $Recycle.Bin, System Volume Information, Boot, Windows, ProgramData

 

Analysis is still underway with this ransomware. Thanks to MalwareHunterTeam for assistance in the analysis.


ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.
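As an added illustration (not code from the post, nor from ID Ransomware or CryptoSearch), the following Python script turns the identification details above into a scanner: it walks a directory, prunes the folders the post says the ransomware skips, restricts itself to the targeted extensions, and flags files whose first 4 bytes are "!ENC". The extension subset and the sample files it builds are constructed for the example.

```python
import os
import tempfile

JAGER_MAGIC = b"!ENC"
# A subset of the targeted extensions listed in the post (lower-cased for matching).
TARGET_EXTS = {".doc", ".docx", ".xls", ".xlsx", ".pdf", ".jpg", ".png", ".txt", ".zip"}
# Folders the post says the ransomware skips; matched by directory name at any depth.
SKIP_DIRS = {"Application Data", "AppData", "Program Files (x86)", "Program Files",
             "Temp", "$Recycle.Bin", "System Volume Information", "Boot",
             "Windows", "ProgramData"}

def has_jager_header(path):
    """True if the file's first 4 bytes are the '!ENC' marker (short files return False)."""
    with open(path, "rb") as f:
        return f.read(4) == JAGER_MAGIC

def find_encrypted(root):
    """Return root-relative paths (forward slashes) of files flagged as encrypted."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        # Prune skipped folders in place so os.walk does not descend into them.
        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]
        for name in filenames:
            if os.path.splitext(name)[1].lower() not in TARGET_EXTS:
                continue
            full = os.path.join(dirpath, name)
            if has_jager_header(full):
                hits.append(os.path.relpath(full, root).replace(os.sep, "/"))
    return sorted(hits)

def build_sample_tree():
    """Constructed sample tree: two 'encrypted' files, one clean, one in a skipped folder."""
    root = tempfile.mkdtemp(prefix="jager_demo_")
    samples = {
        "docs/report.docx": JAGER_MAGIC + b"\x00" * 32,  # encrypted, targeted extension
        "docs/notes.txt": b"plain text, untouched",        # clean file
        "photo.jpg": JAGER_MAGIC + b"\xff\xd8",            # encrypted
        "Windows/system.txt": JAGER_MAGIC + b"x",          # marker present, but folder is skipped
        "readme.md": JAGER_MAGIC + b"x",                   # marker present, extension not targeted
    }
    for rel, data in samples.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)
    return root

if __name__ == "__main__":
    print(find_encrypted(build_sample_tree()))  # ['docs/report.docx', 'photo.jpg']
```

Point find_encrypted at a real volume to inventory affected files before attempting recovery; it only reads the first 4 bytes of each candidate and never modifies anything.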


#2 needhelp99

Posted 31 July 2016 - 06:58 AM

Hello, I actually registered today on this forum, because my computer got infected by this!

I searched on google for how to remove it but all the guides say basically the same; all want me to install this software SpyHunter to remove it, but I would have to pay to use it -.-

I don't have any experience with how to deal with this, please help me...


#3 Demonslay335


Posted 31 July 2016 - 11:33 AM

Sorry to hear. We finished analyzing this one, and it is not decryptable. The C2 server with the keys was suspended by the time we got hold of the samples, so unless the criminals had a backup or something, the keys are gone forever, and there is no chance of guessing them. I would definitely not pay the ransom, as I don't believe they will have the keys.

You can always try recovery software such as Recuva, ShadowExplorer, or PhotoRec; it is always worth a try.

For removal, I would recommend scanning with MalwareBytes and HitmanPro - they are completely free. SpyHunter is honestly garbage in my opinion. If you need assistance with malware removal, you can always post a topic in the Malware Removal forums.
