Help with unknown ransomware


13 replies to this topic

#1 Teone11

Teone11

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:01:01 AM

Posted 02 August 2016 - 02:46 AM

Hi All, one of my customers was infected with some ransomware I cannot identify, and forgive me if there is already a thread about it.

Sorry for the lack of info, but I don't have the infected computer here. We are communicating via email right now.

 

ID Ransomware is not able to identify it. I tried uploading a couple of PDF files he sent me, but it cannot identify the infection

(SHA1: f99743597adcabdbcc4bc0c0f23a4cc11905da3c) , (SHA1: 4e0f34d7b06afe2913827dc4238f51a4f3848930)

 

Apparently the extension remains the same as in the original.

In every infected folder there are two files.

 

1- PLEASEREAD.ME (what follows is its content, opened in Notepad)

 

ID:443826
PC:SERVERA
USER:Administrator
=======
Hi. I've got the key to decrypt your files.

my emails*:

the.dodger@protonmail.com
logical.disk@yandex.com
windows.update@moscowmail.com

* check your junk/spam folder for my reply :-)

These files have been encrypted (please, keep this file): C:\Users\Administrator\Documents\443826.log

 

2- THISISA.KEY000 (the other file left behind)

 


 

Any help would be appreciated.

 

Thanks to everyone.

 




#2 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 50,938 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:07:01 PM

Posted 02 August 2016 - 04:01 AM

Hi All, one of my customers was infected with some ransomware I cannot identify ... Apparently the extension remains the same as in the original.

I'm not sure what you mean by that. What exactly is the extension that is appended to your files? What is the name of the ransom note?

Samples of any encrypted files, ransom notes or suspicious executables (installer, malicious files, attachments) that you suspect were involved in causing the infection can be submitted here (http://www.bleepingcomputer.com/submit-malware.php?channel=168) with a link to this topic. Doing that will be helpful with analyzing and investigating by our crypto experts.

These are some common locations malicious executables hide:
%SystemDrive% (C:\)\<random>.exe
%SystemRoot% (C:\Windows)\<random>.exe
%Temp%\<random>.exe
%AppData%\<random>.exe
%LocalAppData%\<random>.exe
%ProgramData%\<random>.exe
%WinDir%\<random>.exe


Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click the donate button.

#3 Teone11

Teone11
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:01:01 AM

Posted 02 August 2016 - 04:16 AM

Hi Quietman, I don't have the customer's computer or HDD here, so I cannot check it correctly. As far as I understand from him, there is no ransom note in HTML, PNG or TXT, only that PLEASEREAD.ME file. I just uploaded the PDF files he sent me so you can check them. The extension is as in the original (*.pdf remains *.pdf, *.jpg remains *.jpg, and so on).

I also just uploaded a zip with all the files I have received from the customer so far. I hope it helps.


Edited by Teone11, 02 August 2016 - 04:18 AM.


#4 Demonslay335

Demonslay335

    Ransomware Hunter


  • Security Colleague
  • 3,426 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:06:01 PM

Posted 02 August 2016 - 08:25 AM

This looks new. We'll have to have a sample of the ransomware itself to analyze. You'll need to have the victim scan their system and try to find it, or find out where they got it from (downloaded file, email attachment, etc.).

 

I am seeing each encrypted file you submitted has the same 32 bytes in the header.

f1 6f c1 68 18 6d c1 52 e9 8c 16 09 dc 14 09 11    ñoÁh.mÁRéŒ..Ü...
cc ac 36 2c 4e 25 c3 c2 40 6a e2 91 ce c8 79 3b    ̬6,N%ÃÂ@jâ‘ÎÈy;

This could be an identifier for the ransomware, or simply an identifier for the victim.

ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.
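The shared 32-byte header Demonslay335 reports above is the kind of observation a responder can check for themselves before a sample is available. The Python below is an added example (not code from this thread, from ID Ransomware, or from any poster): it computes the byte prefix common to a set of files believed to be encrypted, flags it only when it is long enough to rule out coincidence, and pulls the ID/PC/USER fields out of a PLEASEREAD.ME-style note; the function names are my own and the sample files are constructed from the header bytes quoted in post #4.

```python
import re
from typing import Iterable, Optional

# Header bytes quoted in post #4 of this thread, used here only as constructed
# sample data so the functions can be exercised offline.
THREAD_HEADER = bytes.fromhex(
    "f16fc168186dc152e98c1609dc140911"
    "ccac362c4e25c3c2406ae291cec8793b"
)


def common_prefix(blobs: Iterable[bytes]) -> bytes:
    """Longest byte prefix shared by every blob (b"" when empty or no overlap)."""
    blobs = list(blobs)
    if not blobs:
        return b""
    prefix = blobs[0]
    for blob in blobs[1:]:
        n = 0
        for a, b in zip(prefix, blob):
            if a != b:
                break
            n += 1
        prefix = prefix[:n]
        if not prefix:
            break
    return prefix


def shared_header(blobs: Iterable[bytes], min_len: int = 16) -> Optional[bytes]:
    """Return the shared prefix when it is at least min_len bytes long, else None.

    Files of different types (PDF, JPG, ...) normally start with different magic
    bytes; if every file now opens with the same opaque run, the original headers
    were overwritten and that run is a candidate family or victim marker.
    """
    prefix = common_prefix(blobs)
    return prefix if len(prefix) >= min_len else None


NOTE_FIELD = re.compile(r"^(ID|PC|USER):(.*)$", re.MULTILINE)


def parse_note(text: str) -> dict:
    """Extract ID/PC/USER from a PLEASEREAD.ME-style note in the thread's format."""
    return {key: value.strip() for key, value in NOTE_FIELD.findall(text)}


def demo_samples() -> list:
    """Constructed stand-ins for the submitted PDFs: same header, differing bodies."""
    return [THREAD_HEADER + bytes([i]) * 8 for i in range(3)]
```

Run `shared_header` over the real files a victim provides (read in binary mode); a result of `None` means the files do not share a fixed header and a different identification route is needed.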


#5 Teone11

Teone11
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:01:01 AM

Posted 02 August 2016 - 09:24 AM

I sent him an email but am still waiting for an answer. I just hope he decides to bring his drive here into my hands so that I can provide you with anything you need.



#6 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 50,938 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:07:01 PM

Posted 02 August 2016 - 12:34 PM

No problem...we certainly understand the situation.

#7 Teone11

Teone11
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:01:01 AM

Posted 04 August 2016 - 01:26 AM

Sorry, gentlemen, but I'm still waiting for an answer from the customer. I just sent him another email... I hope he'll answer this time.



#8 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 50,938 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:07:01 PM

Posted 04 August 2016 - 06:50 AM

Doesn't sound like he is too concerned.

#9 Demonslay335

Demonslay335

    Ransomware Hunter


  • Security Colleague
  • 3,426 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:06:01 PM

Posted 04 August 2016 - 08:06 AM

We have a suspicion this may be Mobef. Would really like to see a sample before putting it in concrete.



#10 FranzGanz

FranzGanz

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:01:01 AM

Posted 04 August 2016 - 10:02 AM

Hi,

My customer was infected yesterday with the same ransomware, so if you need more data I can send it to you.

 

File Pleaseread.me

------------------------------

 

ID:443826
PC:SRV2008R2
USER:Administrator
=======
Hi. I've got the key to decrypt your files.
 
my emails*:
 
the.dodger@protonmail.com
logical.disk@yandex.com
windows.update@moscowmail.com
 
* check your junk/spam folder for my reply :-)
 
These files have been encrypted (please, keep this file): C:\Users\Administrator\Documents\443826.log
 
------------------------------
 
File THISISA.KEY000
------------------------------
 
Regards,
Franz


#11 Teone11

Teone11
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:01:01 AM

Posted 04 August 2016 - 11:33 AM

Probably my customer is more concerned about vacations right now... but I bet he brings the drive to someone else.

Franz, if you can provide the files Demonslay requested, it would be great... and faster.



#12 schmaili

schmaili

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:11:01 PM

Posted 05 August 2016 - 02:37 AM

Got exactly the same thing on the morning of 26 July (it started at 5 in the morning). It encrypted a lot of files without changing the file name extensions. It left the files "pleaseread.me" and "thisisa.key000" in every affected directory. Not a single AV program is capable of detecting it. Some systems were so heavily damaged that they won't start after reboot. It did spread using file shares. I already uploaded samples to https://id-ransomware.malwarehunterteam.com/ last week. Is it just a coincidence that Win2008 systems are affected?

#13 sunlight76

sunlight76

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:12:01 AM

Posted 22 August 2016 - 04:09 AM

Hi, I have same problem here. I'm able to give more information if required.

Any news on how to solve this?

Thanks



#14 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 50,938 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:07:01 PM

Posted 22 August 2016 - 04:19 PM

If you have further information, please provide it for Demonslay335 but as he noted above, we would like to see a sample.

Samples of any encrypted files, ransom notes or suspicious executables (installer, malicious files, attachments) that you suspect were involved in causing the infection can be submitted here (http://www.bleepingcomputer.com/submit-malware.php?channel=168) with a link to this topic.



