Possible New Variant - .encrypted extensions, helprecover@ghostmail.com


This topic is locked
7 replies to this topic

#1 TechGuru11
Posted 02 August 2016 - 04:25 PM

Hello,

Here is the ransom note: https://www.sendspace.com/file/53jf4u

here is a sample file: https://www.sendspace.com/file/ps6gb5

Does not appear to be either of the Apocalypse variants or CryptoLocker.

You can't create an account on ghostmail if you try, so paying the ransom is not a possibility. I searched the forums and didn't see anything about this, and also tried the ransomware identifier site. Has anyone seen this before, and could it be decryptable?



#2 quietman7
Global Moderator

Posted 02 August 2016 - 05:42 PM

TorrentLocker (Crypt0L0cker), Apocalypse, KeRanger OS X and Crypren Ransomware all add an .encrypted extension to the end of filenames.

You can submit samples of encrypted files and ransom notes to ID Ransomware for assistance with identification and confirmation. This is a service that helps identify what ransomware may have encrypted your files and then attempts to direct you to an appropriate support topic where you can seek further assistance. If ID Ransomware cannot identify the infection, you can post the case SHA1 it gives you for Demonslay335 to manually inspect the files.


#3 TechGuru11

Posted 05 August 2016 - 09:27 AM

Hello,

 

I used the ID Ransomware page and it found just two variants based on their extensions, but this is neither. Also, the case SHA1 is not generated because it appears this utility is identifying the variant based on the extension. I haven't seen anyone with the same ransom note, and you can't contact the perps at the email address provided. Is there no solution?



#4 Demonslay335
Ransomware Hunter (Security Colleague)

Posted 05 August 2016 - 09:31 AM

I know I've seen that ransom note before, but couldn't identify it. Can't remember if there is a victim here on the forums with it already.

 

Was the original name of the ransom note literally "Ransom note.PNG"? Renaming files will confuse us when matching symptoms for hunting.

 

I'm afraid nothing can be done without a sample of the ransomware itself for analysis - of course even then there is no guarantee it is decryptable.

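Before uploading anything to ID Ransomware (post #2), it helps to gather the evidence Demonslay335 asks for in post #4 without renaming a single file. The script below is an added example, not code from this thread, from BleepingComputer or from ID Ransomware; the ransom-note keyword list, the 7.5 bits-per-byte entropy cut-off and the constructed sample files are my assumptions. It hashes every .encrypted file, records its first and last bytes (where a family's fixed header or appended marker would show up) and uses byte entropy to tell a file that was really encrypted from one that was merely renamed, which is also why an extension alone cannot name the family.

```python
"""Local triage of files hit by an unknown ransomware (added example).

Hypothetical helper, not BleepingComputer's or ID Ransomware's code.
It collects what a hunter asks for before you upload anything: exact
ransom-note filenames (unrenamed), SHA-1 of each sample, size, first
and last bytes, and a byte-entropy estimate that separates a genuinely
encrypted file from one that only had its extension changed.
"""
import hashlib
import math
import os
import tempfile
from collections import Counter

ENCRYPTED_EXT = ".encrypted"   # extension reported in the thread
# Assumed keywords that commonly appear in ransom-note filenames.
NOTE_HINTS = ("ransom", "decrypt", "recover", "readme", "help")
ENTROPY_THRESHOLD = 7.5        # bits/byte; assumed cut-off for "looks encrypted"


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty input, at most 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def triage_file(path: str, sample_size: int = 65536) -> dict:
    """Describe one suspect file; the file is only read, never modified."""
    size = os.path.getsize(path)
    sha1 = hashlib.sha1()
    with open(path, "rb") as fh:
        head = fh.read(sample_size)          # entropy is measured on this prefix
        sha1.update(head)
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            sha1.update(chunk)
        fh.seek(max(0, size - 32))
        tail = fh.read(32)
    entropy = shannon_entropy(head)
    return {
        "name": os.path.basename(path),      # original name, kept for symptom matching
        "size": size,
        "sha1": sha1.hexdigest(),
        "head_hex": head[:16].hex(),         # a constant header across files is a marker
        "tail_hex": tail.hex(),              # some families append keys or markers
        "entropy": round(entropy, 3),
        "looks_encrypted": entropy >= ENTROPY_THRESHOLD,
    }


def triage_directory(root: str) -> dict:
    """Walk root; return .encrypted samples and candidate ransom-note names."""
    samples, notes = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            lower = name.lower()
            if lower.endswith(ENCRYPTED_EXT):
                samples.append(triage_file(full))
            elif any(hint in lower for hint in NOTE_HINTS):
                notes.append(name)           # report as found; never rename it
    return {"samples": samples, "notes": sorted(notes)}


def build_sample_tree() -> str:
    """Constructed test data: one pseudo-encrypted file, one merely renamed, one note."""
    root = tempfile.mkdtemp(prefix="triage-")
    with open(os.path.join(root, "budget.xlsx.encrypted"), "wb") as fh:
        fh.write(os.urandom(65536))              # high entropy: really encrypted
    with open(os.path.join(root, "notes.txt.encrypted"), "wb") as fh:
        fh.write(b"quarterly notes\n" * 4096)    # low entropy: only renamed
    with open(os.path.join(root, "HOW_TO_RECOVER_FILES.txt"), "w") as fh:
        fh.write("constructed placeholder note, not the real one\n")
    return root


if __name__ == "__main__":
    report = triage_directory(build_sample_tree())
    for s in report["samples"]:
        print(f"{s['name']:28} sha1={s['sha1'][:12]}.. entropy={s['entropy']} "
              f"encrypted={s['looks_encrypted']}")
    print("notes:", report["notes"])
```

Run it against a copy of the affected share rather than the live system. Compare head_hex and tail_hex across many samples: a value that is identical in every file is something the malware wrote and is far more useful for identification than the extension. The SHA-1 values let you refer to specific samples when posting in a support topic without re-uploading them.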


#5 TechGuru11

Posted 05 August 2016 - 10:09 AM

Sorry about that.

Actual ransom note: https://www.sendspace.com/file/j7alb8

Another sample file: https://www.sendspace.com/file/ownpb6



#6 TechGuru11

Posted 08 August 2016 - 03:34 PM

Does anyone have any information on this? Seeing it often and no information on this forum. Thank you.



#7 Demonslay335
Ransomware Hunter (Security Colleague)

Posted 13 August 2016 - 11:44 PM

If anyone happens to stumble across this topic, this ransomware has been identified. More information in the support topic.



#8 xXToffeeXx
Malware Response Instructor

Posted 15 August 2016 - 12:21 PM

Rather than have everyone with individual topics, it would be best (and more manageable for staff) if you posted any more questions, comments or requests for assistance in the above support topic discussion. It includes experiences by experts, a variety of IT consultants, end users and company reps who have been affected by ransomware infections. Doing that will also ensure you receive proper assistance from our crypto malware experts, since they may not see this thread. To avoid unnecessary confusion, this topic is closed.

Thanks
The BC Staff
