
CrypMIC (CryptXXX imposter) Support and Help Topic


427 replies to this topic

#31 Third-Eye (Members, 4 posts)

Posted 11 August 2016 - 05:22 AM

matejh-

The file was located in the user's profile folder. Specifically it was in %USERPROFILE%\AppData\Local\Temp and was named "radA4E55.tmp.dll". That follows the apparent naming convention used by this ransomware, which is apparently rad{randomhexcharacters}.tmp.dll, as has been documented on Trend Micro's blog here: http://blog.trendmicro.com/trendlabs-security-intelligence/crypmic-ransomware-wants-to-follow-cryptxxx/

There were also a couple of other suspicious randomly named .tmp files and 2 .KEY files in the same location, PAB.KEY & PPP.KEY, all bearing timestamps that were close to each other. If you are manually searching for these files in the user profile folder I would suggest sorting your details view by the date modified field and looking for those that appear near each other in the list.

_________

There are files that were untouched on this client as well. For instance, the Outlook .pst file was not encrypted... most likely due to the fact that Outlook was open and running at the time, therefore the file couldn't be modified. It also failed to encrypt some open database files.

After further examination of some log files I have found that Symantec did capture a random js downloader at roughly the same time that the encryption began (based upon timestamps) and I suspect that may have been the original delivery agent... but apparently it did not arrest it fast enough. And since it was cleaned by deletion I don't have the ability to resurrect that file.

One final note on our particular case. This client was protected with CryptoPrevent from Foolish IT as well, but unfortunately that did not prevent this incident from occurring.

And as with almost anything of this nature, having users react quickly enough to suspicious activity is always the challenge. This appears to have been in process for at least 35 minutes before it was reported... and by then the damage had been done. Again, hope all or part of this helps someone else out there... good luck with your recoveries!
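The manual triage Third-Eye describes above (look in the user's local Temp folder for rad{hex}.tmp.dll, for PAB.KEY and PPP.KEY, and for other files whose modified times sit close to those) can be scripted so it is repeatable across machines. The following Python is an added example written for this thread; it is not code from the thread, from Trend Micro or from any vendor. It assumes the naming pattern is exactly as reported here, treats the 10-minute clustering window as an assumption, builds a constructed sample directory with placeholder contents so it runs offline, and only reports what it finds rather than deleting anything, so the artefacts stay available for investigation (Third-Eye could not examine the downloader precisely because it had been cleaned by deletion).

```python
import os
import re
import tempfile
import time
from pathlib import Path

# Naming convention reported in the thread and in the Trend Micro write-up:
# "rad" + random hex characters + ".tmp.dll", dropped in the user's local Temp.
# The hex length is not documented, so any length is accepted here (assumption).
DROPPER_RE = re.compile(r"^rad[0-9A-Fa-f]+\.tmp\.dll$")

# The two key files Third-Eye found next to the DLL.
KEY_FILE_NAMES = {"PAB.KEY", "PPP.KEY"}

# Assumption: artefacts from one infection are written within 10 minutes of each other.
DEFAULT_WINDOW_SECONDS = 10 * 60


def default_temp_dir():
    """%LOCALAPPDATA%\\Temp on Windows (i.e. %USERPROFILE%\\AppData\\Local\\Temp);
    falls back to the system temp directory elsewhere."""
    local = os.environ.get("LOCALAPPDATA")
    return Path(local) / "Temp" if local else Path(tempfile.gettempdir())


def triage(temp_dir, window_seconds=DEFAULT_WINDOW_SECONDS):
    """Report (never delete) files matching the CrypMIC drop pattern seen in the thread.

    Returns a dict of file names:
      droppers - names matching rad{hex}.tmp.dll
      keys     - PAB.KEY / PPP.KEY (matched case-insensitively)
      related  - every file whose mtime lies within window_seconds of a dropper
                 or key file, oldest first: the "sort by date modified and look
                 for neighbours" step done programmatically
    """
    entries = []
    for path in Path(temp_dir).iterdir():
        if path.is_file():
            entries.append((path.name, path.stat().st_mtime))

    droppers = sorted(name for name, _ in entries if DROPPER_RE.match(name))
    keys = sorted(name for name, _ in entries if name.upper() in KEY_FILE_NAMES)

    # Anchor timestamps: every dropper and key file found.
    anchor_names = set(droppers) | set(keys)
    anchors = [mtime for name, mtime in entries if name in anchor_names]

    related = [
        (name, mtime)
        for name, mtime in entries
        if any(abs(mtime - anchor) <= window_seconds for anchor in anchors)
    ]
    related.sort(key=lambda item: item[1])

    return {
        "droppers": droppers,
        "keys": keys,
        "related": [name for name, _ in related],
    }


def build_demo_temp():
    """Create a constructed sample directory (placeholder contents, not malware)."""
    base = Path(tempfile.mkdtemp(prefix="crypmic_demo_"))
    now = time.time()
    # name -> age in seconds; the first four sit together, the rest are days old
    sample = {
        "radA4E55.tmp.dll": 60,     # the DLL name reported in the thread
        "rad7C1F.tmp": 70,          # a constructed "randomly named .tmp" neighbour
        "PAB.KEY": 50,
        "PPP.KEY": 45,
        "old_report.tmp": 3 * 86400,
        "installer_log.txt": 2 * 86400,
    }
    for name, age in sample.items():
        f = base / name
        f.write_bytes(b"constructed sample for the example, not real malware")
        os.utime(f, (now - age, now - age))
    return base


if __name__ == "__main__":
    target = build_demo_temp()  # swap for default_temp_dir() on a real machine
    report = triage(target)
    print(f"Scanned {target}")
    for category, names in report.items():
        print(f"{category}: {names}")
```

The window is deliberately a parameter: on a real machine, widen it if the encryption ran for a long time (Third-Eye's case ran for at least 35 minutes before it was reported), and narrow it to separate unrelated installer leftovers from the infection cluster.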




#32 matejh (Members, 24 posts)

Posted 11 August 2016 - 05:28 AM

> (quoting Third-Eye's post #31 above in full)

 

Thanks for the answer, I already found a similar file in the folder; it was named radDB51A.tmp.dll. I deleted all files in the temp folder.

Anybody tried to pay the ransom? Btw. does anybody know if after deleting it is safe to use the computer or not, or what to do to be 100% sure you can use the computer?

As far as I have seen it doesn't spread to other computers, it "just" decrypts the files in the mapped drives.


Edited by matejh, 11 August 2016 - 06:13 AM.


#33 quietman7, Bleepin' Janitor (Global Moderator, 51,590 posts, Virginia, USA)

Posted 11 August 2016 - 05:31 AM

> ...Anybody tried to pay the ransom?

Some victims reported they paid the ransom and were successful in decrypting their data. Other victims reported they paid the ransom but the cyber criminals did not provide a key to decrypt the files, while others reported the key and decryption software they received did not work or resulted in errors. Keep this in mind if you are considering paying the ransom since there is no guarantee decryption will be successful.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#34 matejh (Members, 24 posts)

Posted 11 August 2016 - 05:40 AM

 

> ...Anybody tried to pay the ransom?
>
> Some victims reported they paid the ransom and were successful in decrypting their data. Other victims reported they paid the ransom but the cyber criminals did not provide a key to decrypt the files, while others reported the key and decryption software they received did not work or resulted in errors. Keep this in mind if you are considering paying the ransom since there is no guarantee decryption will be successful.

 

 

Thanks for the answer, this is probably the general experience; I was wondering specifically about this ransomware.


Edited by matejh, 11 August 2016 - 05:41 AM.


#35 Third-Eye (Members, 4 posts)

Posted 11 August 2016 - 06:27 AM


 

> Thanks for the answer, I already found a similar file in the folder; it was named radDB51A.tmp.dll. I deleted all files in the temp folder.
>
> Anybody tried to pay the ransom? Btw. does anybody know if after deleting it is safe to use the computer or not, or what to do to be 100% sure you can use the computer?
>
> As far as I have seen it doesn't spread to other computers, it "just" decrypts the files in the mapped drives.

 

 

We did not, and will not, attempt to pay. I have seen no further indication of any activity on this client, and it still sits in the infected state. I have created new files and they are untouched... but I have not given the client a network connection either.  Personally I don't trust anything that's been compromised... I will be wiping it eventually.



#36 matejh (Members, 24 posts)

Posted 11 August 2016 - 06:57 AM

 


 

> (quoting Third-Eye's post #35 above, which in turn quoted matejh's post #32)
>
> We did not, and will not, attempt to pay. I have seen no further indication of any activity on this client, and it still sits in the infected state. I have created new files and they are untouched... but I have not given the client a network connection either. Personally I don't trust anything that's been compromised... I will be wiping it eventually.

 

 

I think this client will pay, I will let you know what will happen.


Edited by matejh, 11 August 2016 - 06:57 AM.


#37 ruskata (Members, 11 posts)

Posted 11 August 2016 - 07:02 AM

@matejh tell him not to get his hopes up, 3 friendly companies were hit by CrypMIC and all paid the first lower fee, received the decryptor and all - it did not work. Well made cryptovirus, poorly made decryptor... Our company got hit too, but we didn't pay, since I have backups of the important files. Still, I have some old docs we need, so I'll be waiting for an externally made decryptor.

Keep us updated!



#38 matejh (Members, 24 posts)

Posted 11 August 2016 - 07:05 AM

> @matejh tell him not to get his hopes up, 3 friendly companies were hit by CrypMIC and all paid the first lower fee, received the decryptor and all - it did not work. Well made cryptovirus, poorly made decryptor... Our company got hit too, but we didn't pay, since I have backups of the important files. Still, I have some old docs we need, so I'll be waiting for an externally made decryptor.
>
> Keep us updated!

 

Thanks for the info, will let you know.



#39 matejh (Members, 24 posts)

Posted 11 August 2016 - 07:26 AM

> so I'll be waiting for an externally made decryptor.

 

Btw. approximately what are the chances, that a working externally made decryptor will ever be made? 10%? 50%? 100%? Luckily up to now I didn't have to bother with this stuff so I don't have any real experience or knowledge ...



#40 ziozioporcozio (Members, 9 posts)

Posted 11 August 2016 - 10:12 AM

> (quoting Third-Eye's post #31 above in full)

The point is that I can't format my PC because of the large number of programs and connections that I would have to redo. I have my files on an external HD, but I don't want to connect this HD to the PC unless I'm 100% sure that I will not compromise the files.



#41 Third-Eye (Members, 4 posts)

Posted 11 August 2016 - 10:40 AM

 

> The point is that I can't format my PC because of the large number of programs and connections that I would have to redo. I have my files on an external HD, but I don't want to connect this HD to the PC unless I'm 100% sure that I will not compromise the files.

 

 

Unfortunately that's a decision that you alone have to make.  As I said previously, personally I don't trust any system that's been compromised.  If it was in my hands, despite the work involved in recreating the client, I would wipe it.  That is the only 100% guarantee in my opinion.  Others may have a different opinion though. In any case, good luck!



#42 hellovovo (Members, 1 post)

Posted 12 August 2016 - 12:37 AM

Hi, I got hit with the same virus 2 days ago (Windows XP), and paid yesterday, got a download decryptor link. The decryptor (MicrosoftDecryptor_v2016-08-12.exe) didn't work on the infected computer, showed "CryptoLibrary failed (1)". I tried to copy the files to another computer (Windows 8.1) and ran the decryptor... and it finally worked! My files decrypted. I uploaded the decryptor and an encrypted file for test.

I wish it can help.....

test file download link:

https://drive.google.com/file/d/0Bx_HQkkJjrY2VkhQMklfeVNVVGM/view?usp=sharing

thanks.


Edited by hellovovo, 12 August 2016 - 12:39 AM.


#43 Gevaudan37 (Members, 8 posts)

Posted 12 August 2016 - 12:03 PM

Hi.
My PC got infected last week. I cleaned the infection but, unfortunately, I can't recover my encrypted files. These files are full of nice memories, photos, and small writings (I like to write short stories a lot). But I will not pay these sick dudes that have hit my belongings.
I hope Trend Micro or some smart guy will make a decryptor.
Hellovovo, what does that .exe program do? Does it decrypt the file and then delete the original encrypted one?



#44 dstones (Members, 2 posts)

Posted 12 August 2016 - 03:58 PM

Can anyone validate hellovovo's post here? Is this legit? Does it actually work?

 

 

> (quoting hellovovo's post #42 above in full)


Edited by dstones, 12 August 2016 - 04:06 PM.


#45 dstones (Members, 2 posts)

Posted 12 August 2016 - 04:21 PM

I just tried it on some of my own sample files from CrypMIC and no luck.





