
New Ransomware?


7 replies to this topic

#1 jorekami


  • Members
  • 4 posts

Posted 03 August 2016 - 11:17 AM

Hi,

Some files have been encrypted on a PC in my company. I think that it is a new ransomware.

The file's name changes to: original_name_file.extension!______PANDORA71777@GMAIL.COM_____.c300

I've searched about this extension (.c300) but I didn't see anything. There isn't any .txt or .html file with instructions, etc.

I've tried to identify it using https://id-ransomware.malwarehunterteam.com/ but it doesn't identify anything.

SHA1 is: bd0bfa1f556233335f2a3fea30e4f9155a8d5027


Thanks in advance




#2 Demonslay335


    Ransomware Hunter


  • Security Colleague
  • 3,561 posts
  • Gender:Male
  • Location:USA

Posted 03 August 2016 - 11:22 AM

This does look new. I saw your submission come through; only one other user has uploaded a file with that extension (they didn't upload a ransom note either).

 

The email isn't pulling up anything on Google. I'm assuming it is a kit since the email address is in the filename.

 

We will need a sample of the malware to analyze. You can run scans with Malwarebytes, HitmanPro, or FRST to try finding the malware. Also search download histories and email attachments. Usually, the new owner of the files is the user account that was infected.

 

You may submit malicious files here: http://www.bleepingcomputer.com/submit-malware.php?channel=168


ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.


#3 jorekami

  • Topic Starter

  • Members
  • 4 posts

Posted 03 August 2016 - 11:36 AM

Hi,

 

First of all, thanks for your help and time.

 

 

I've just submitted an encrypted file via this link. Also, tomorrow I'll be able to scan this PC with these utilities to try to find the malware.



#4 Demonslay335


    Ransomware Hunter


  • Security Colleague
  • 3,561 posts
  • Gender:Male
  • Location:USA

Posted 03 August 2016 - 11:43 AM

I'm seeing the following bytes at the end of every encrypted file you submitted.

80 00 00 03    €...

We are thinking this might be a new variant based on Gomasom. The extension and the pattern of having 4 bytes at the end are very similar. Will need a sample to confirm, but you could give this decrypter a try: http://www.bleepingcomputer.com/news/security/gomasom-crypt-ransomware-decrypted/

 

If you can, also supply some files that you have the original for, so we can compare.


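A small triage script, added here as an example (not a tool from this thread or from BleepingComputer), that walks a directory and flags files matching the naming pattern and the 4-byte trailer described above; the files it scans are constructed samples, not real ransomware output:

```python
import os
import re
import tempfile
from pathlib import Path

# Naming pattern reported in the thread: original_name.ext!______<email>_____.c300
# (assumes the embedded email address itself contains no underscores)
NAME_RE = re.compile(r"^(?P<orig>.+?)!_+(?P<email>[^_/]+@[^_/]+)_+\.c300$", re.IGNORECASE)
# Four-byte trailer observed at the end of every submitted encrypted file
TRAILER = bytes.fromhex("80000003")


def parse_name(filename):
    """Return (original_name, email) if the name matches the pattern, else None."""
    m = NAME_RE.match(filename)
    return (m.group("orig"), m.group("email")) if m else None


def has_trailer(path, trailer=TRAILER):
    """True if the file ends with the trailer bytes; reads only the last 4 bytes."""
    size = os.path.getsize(path)
    if size < len(trailer):
        return False
    with open(path, "rb") as fh:
        fh.seek(size - len(trailer))
        return fh.read(len(trailer)) == trailer


def find_encrypted(root):
    """Walk root and return (path, original_name, email, trailer_present) per match."""
    hits = []
    for p in sorted(Path(root).rglob("*")):
        parsed = parse_name(p.name) if p.is_file() else None
        if parsed:
            hits.append((str(p), parsed[0], parsed[1], has_trailer(p)))
    return hits


def demo():
    """Scan a temp directory of constructed sample files (not real malware output)."""
    with tempfile.TemporaryDirectory() as d:
        enc = Path(d) / "report.docx!______PANDORA71777@GMAIL.COM_____.c300"
        enc.write_bytes(b"\x13\x37" * 8 + TRAILER)       # fake ciphertext + trailer
        (Path(d) / "notes.txt").write_bytes(b"hello")    # untouched file, ignored
        odd = Path(d) / "x.jpg!______PANDORA71777@GMAIL.COM_____.c300"
        odd.write_bytes(b"\x00\x01")                     # name matches, trailer absent
        return find_encrypted(d)


if __name__ == "__main__":
    for path, orig, email, ok in demo():
        print(f"{path}: original={orig} email={email} trailer={'yes' if ok else 'NO'}")
```

A name match without the trailer is reported too, since either signal alone is worth a second look when scoping an infection.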


#5 jorekami

  • Topic Starter

  • Members
  • 4 posts

Posted 03 August 2016 - 11:57 AM

I tried the Gomasom decrypter but it doesn't work (I dragged and dropped the original and encrypted file onto the Gomasom decrypter but it cannot decrypt). I just submitted an original and encrypted file.



#6 Demonslay335


    Ransomware Hunter


  • Security Colleague
  • 3,561 posts
  • Gender:Male
  • Location:USA

Posted 03 August 2016 - 12:12 PM

Can you try renaming the encrypted file to .crypt instead of .c200, then try the decrypter with the pair? I got it to at least start the brute-force by doing that. I don't have an open CPU to let it continue though, it may take several hours.




#7 jorekami

  • Topic Starter

  • Members
  • 4 posts

Posted 03 August 2016 - 12:21 PM

Ok! Renamed and tried again. 0,61% and going up!

 

I'll post the result when the process finishes. Thanks!



#8 Demonslay335


    Ransomware Hunter


  • Security Colleague
  • 3,561 posts
  • Gender:Male
  • Location:USA

Posted 13 August 2016 - 09:37 AM

Any results from the Gomasom decrypter, did it find a key for you? Were you able to decrypt files?






