Ransomware That Did Not Change File Extension


  • This topic is locked
3 replies to this topic

#1 Tech83

  • Members
  • 2 posts

Posted 11 August 2016 - 09:23 AM

I've recently had a client who looks like they got hit with a Ransomware virus but it did not change the file extensions. It simply makes them unable to open the file (says it is corrupted).

 

There is a readme file in the folders that are infected with instructions on how to pay for the decryption key.

 

I also cannot find the source PC that caused the infection. I have checked all the PCs that were on when the infection took place and see no evidence that an infection ever occurred. Maybe they are getting smarter and not infecting local machines and only network drives?

 

Anyone else run into anything similar yet?

 

Readme says:

 

"what happened to your files?

All your files were protected by a strong encryption with RSA4096

More information about the encryption keys using RSA4096 can be found here: wikipedia page about cryptosystem.

 

How did this happen?

!!! Specifically for your PC was generated personal RSA4096 key, both public and private

!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.

!!! Decrypting of your files is only possible with the help of a private key and decrypt program, which is on our Secret Server

 

what do i do?

So, there are two ways you can choose: wait for a _miracle_ and get your PRICE DOUBLED, or start obtaining BITCOIN now! and restore your data easy!

If you have really valuable DATA, you better not WASTE YOUR TIME, because there is no other way to get your files except make a payment

 

Your personal ID: (It lists ID)

 

For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below:

 

Gives websites (removed)

 

If for some reasons the addresses are not available, follow these steps:

 

Gives instructions to download tor-browser and get to webpage.


Edited by Tech83, 11 August 2016 - 09:35 AM.




#2 Demonslay335 (Ransomware Hunter)

  • Security Colleague
  • 3,527 posts
  • Location: USA

Posted 11 August 2016 - 09:35 AM

Use the website in my signature to upload a ransom note and encrypted file for identification. Despite there being no extension added to the files, many ransomware have a unique hex pattern they embed in the file; ID Ransomware can pick up on those. The most common one out there that has this behavior right now is CrypMic, which is not decryptable - ID Ransomware can detect it and will point you to the correct information.

 

If the service cannot identify the ransomware, you may post the Case SHA1 it provides so I can inspect the files manually.


ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.
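The reply above describes two things a first responder can check before uploading samples: files that "look corrupted" because their contents are now ciphertext, and a fixed byte pattern some families embed in each encrypted file even when the extension is untouched. The script below is an added example written for this thread; it is not ID Ransomware's code and does not reproduce any real family's marker. The `KNOWN_MARKERS` entry, the entropy threshold of 7.5 bits/byte and the two sample files are constructed for the demo.

```python
# Added example (not ID Ransomware's code, not any real family's signature):
# triage files reported as "corrupted" although their extension did not change.
# Two cheap signals: (1) Shannon entropy near 8 bits/byte, as encrypted data
# shows, and (2) a fixed byte marker at the head or tail of the file, the kind
# of pattern an identification service keys on.
import math
import os
import tempfile
from collections import Counter

# Constructed marker for this demo only. Real family markers live in the
# identification service's own database; none are reproduced here.
KNOWN_MARKERS = {
    "DemoFamily (constructed marker)": b"\xde\xad\xbe\xef\x00\x01",
}

# Bytes inspected at each end of the file when looking for a marker.
MARKER_WINDOW = 64


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty input, 8.0 for a flat distribution."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def find_marker(data: bytes):
    """Return the family whose marker appears in the head or tail window, else None."""
    head, tail = data[:MARKER_WINDOW], data[-MARKER_WINDOW:]
    for family, marker in KNOWN_MARKERS.items():
        if marker in head or marker in tail:
            return family
    return None


def triage_bytes(data: bytes, threshold: float = 7.5) -> dict:
    """Classify one file's contents. Entropy at or above `threshold`, or a known
    marker, flags the file as likely encrypted. Compressed formats (zip, jpeg,
    docx) are also high-entropy, so a flag is a lead, not an identification."""
    entropy = shannon_entropy(data)
    family = find_marker(data)
    return {
        "entropy": round(entropy, 3),
        "family": family,
        "likely_encrypted": entropy >= threshold or family is not None,
    }


def triage_file(path: str, threshold: float = 7.5) -> dict:
    """Read a file from disk and triage it; adds the path to the result."""
    with open(path, "rb") as fh:
        result = triage_bytes(fh.read(), threshold)
    result["path"] = path
    return result


# Constructed sample contents: a plain-text report, and a file whose bytes are
# uniformly distributed (a stand-in for ciphertext) with the demo marker appended.
PLAINTEXT_SAMPLE = b"Quarterly report: revenue up 4% over Q2.\n" * 50
ENCRYPTED_SAMPLE = bytes(range(256)) * 16 + KNOWN_MARKERS["DemoFamily (constructed marker)"]

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for name, content in (("report.docx", PLAINTEXT_SAMPLE), ("budget.xlsx", ENCRYPTED_SAMPLE)):
            path = os.path.join(tmp, name)
            with open(path, "wb") as fh:
                fh.write(content)
            print(triage_file(path))
```

Run it against a share with `triage_file` over each path and sort by entropy: the encrypted set usually separates sharply from untouched documents, and any marker hit tells you which sample to upload first. Because the marker window only covers the first and last 64 bytes, a family that writes its pattern elsewhere would need a wider window; the entropy signal still catches it.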


#3 Tech83 (Topic Starter)

  • Members
  • 2 posts

Posted 11 August 2016 - 09:50 AM

It was identified as CrypMic.



#4 quietman7 (Bleepin' Janitor)

  • Global Moderator
  • 51,591 posts
  • Location: Virginia, USA

Posted 11 August 2016 - 05:02 PM

There is an ongoing discussion in this topic where you can ask questions and seek further assistance. Other victims have been directed there to share information, experiences and suggestions. Rather than have everyone with individual topics, it would be best (and more manageable for staff) if you posted any more questions, comments or requests for assistance in the above support topic discussion. To avoid unnecessary confusion, this topic is closed.

Thanks
The BC Staff
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click [donation button]



