
Smrss32 (.encrypted) Ransomware Help & Support - _HOW_TO_Decrypt.bmp


48 replies to this topic

#1 Demonslay335
  • Ransomware Hunter
  • Security Colleague
  • 3,251 posts
  • Location: USA

Posted 11 August 2016 - 07:52 PM

A new ransomware has been floating around for the past few weeks, and only now have we been able to find information on it.

 

Dubbed Smrss32 based on internal project settings of the malware, this ransomware encrypts files with AES and appends the extension ".encrypted" (which is also used by several other ransomwares). The ransom note "_HOW_TO_Decrypt.bmp" is dropped in every folder that is hit, and will look like the following image, asking the victim to contact the criminals at helprecover@ghostmail.com, among other email addresses.

 

[image: the _HOW_TO_Decrypt.bmp ransom note]

 

Among the large wall of text, it does try to call itself "CryptoWall Software", but it is in no way nearly as sophisticated as the real thing.

 

Based on the way this ransomware behaves, and the project file associated with it, it is assumed this variant is spread via manual RDP hacks into a system.

 

I do not recommend paying the ransom at this time.

 

If you have been hit by this ransomware, please post 2-3 different well-known encrypted files here (e.g. .png, .doc, .docx, .xls, .xlsx, .pdf, or .zip), and we will contact you via PM with a key and decrypter.


Edited by Demonslay335, 22 August 2016 - 02:36 PM.

ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.



#2 Amigo-A
  • Members
  • 228 posts
  • Location: 3st station from Sun

Posted 12 August 2016 - 04:34 AM

Smrss32 skipped files with the extension .bmp.
 
The list of targeted extensions:
.18113 .3gp2 .3gpp .8pbs .acs2 .acsm .aifc .aiff .albm .amff .ascx .asmx .aspx .azw3 .back .backup .backupdb .bank .bdmv .blob .bndl .book .bsdl .cache .calb .cals .cctor .cdda .cdr3 .cdr4 .cdr5 .cdr6 .cdrw .ciff .class .clipflair  .clpi .conf .config .contact .craw .crtr .crtx .ctor .ctuxa .d3dbsp .data .dazip .ddat .ddoc .ddrw .desc .divx .djvu .dmsk .dnax .docb .docm .docx .dotm .dotx .dsp2 .dump .encrypted .epfs .epub .exif .fh10 .flac .fmpp .forge .fsproj .gray .grey .group .gtif .gzip .h264 .hkdb .hplg .html .hvpl .ibank .icns .icxs .ilbm .im30 .incpas .indd .indt .ipsw .itc2 .itdb .ithmb .iw44 .java .jfif .jhtml .jnlp .jpeg .json .kdbx .kext .keychain .keychain .kpdx .lang .latex .lay6 .layout .ldif .litemod .log1 .log2 .log3 .log4 .log5 .log6 .log7 .log8 .log9 .m2ts .m3url .macp .maff .mcmeta .mdbackup .mddata .mdmp .menu .midi .mobi .moneywell .mp2v .mpeg .mpga .mpls .mpnt .mpqge .mpv2 .mrwref .ms11 .msmessagestore .mspx .mswmm .oeaccount .opus .otpsc .pack .pages .paint .phtml .pict .pj64 .pkpass .pntg .potm .potx .ppam .ppsm .ppsx .pptm .pptx .ppxps .psafe3 .psmdoc .pspimage .qcow2 .qdat .qzip .rels .rgss3a .rmvb .rofl .rppm .rtsp .s3db  .sas7bcat .sas7bdat .sas7bndx .sas7bpgm .sas7bvew .sidd .sidn .sitx .skin .sldm .sldx .smil  .sqlitedb .svg2 .svgz .targa .temp .test .text .tiff .tmpl .torrent .trace .tt10 .uns2 .urls .user .vcmf .vfs0 .view .vmdk .wallet .wbmp .webm .webp .wlmp .wotreplay .wrml .xbel .xfdl .xhtml .xlam .xlsb .xlsm .xlsx .xltm .xltx .xspf .xvid .ycbcra .ychat .yenc .zdct .zhtml .zipx .ztmp
 
Total: 233 extensions; the list has been cleaned of duplicates such as .BACKUPDB and .backupdb and others.

If I missed something, please fix it.

Need info about Crypto-Ransomware? A huge safe base here!

Digest about Crypto-Ransomwares (In Russian) + Google Translate Technology

Anti-Ransomware Project  (In Russian) + Google Translate Technology and links


#3 loopbackbr
  • Members
  • 1 posts

Posted 12 August 2016 - 12:23 PM

If anybody wants additional info, the infected machine is still untouched.



#4 Grinler
  • Lawrence Abrams
  • Admin
  • 43,274 posts
  • Location: USA

Posted 12 August 2016 - 05:22 PM

Thanks...we are still trying to figure out a solution. Hang tight. You may want to image the drive if you need to get it up and running again.



#5 trixiebix
  • Members
  • 2 posts

Posted 16 August 2016 - 09:26 AM

We had a customer get hit with this last week. Found that their local profiles still had "previous versions" (shadow copies) accessible. So we were able to recover their profiles and documents that way. Found some of the computers had smrss32.exe in the c:\encryptor folder. Some were empty. Also found a few computers that were not affected had their profiles wiped out, which was strange. They rdp'd into the servers and to any desktops they could hit. 


Edited by trixiebix, 16 August 2016 - 09:47 AM.


#6 Demonslay335
  • Ransomware Hunter
  • Topic Starter
  • Security Colleague
  • 3,251 posts
  • Location: USA

Posted 16 August 2016 - 10:02 AM

If anyone has paid for a key, I would love to see it via PM please.

 

@trixiebix

 

Can you submit the smrss32.exe here so I can verify there are no modifications? http://www.bleepingcomputer.com/submit-malware.php?channel=168

Also if any files are left along with smrss32.exe in the same folder as it.




#7 0E800
  • Members
  • 1 posts

Posted 16 August 2016 - 02:22 PM

Once on the systems, the attacker launches a web page and visits the following site to download the ransomware payload:

$USER/AppData/Roaming/Microsoft/Windows/Recent/uyy.lnk (was unable to get remote address)

 

 

A zip file with a random three letter filename is then dropped onto the system. The ransomware payload (smrs32.exe) is then unpacked and launched.

 

Note that it appears the malware is not compatible with WS2003, as only Windows 7 and WS2008 machines were encrypted with the ransomware.

It was confirmed that the attackers did access our older servers but none of those systems were tampered with.

 

Best thing to do is to turn off computers when not in use, and make sure to have a password lockout policy in place.

Change the RDP port to something other than default. Do not use easy to guess passwords.
 



#8 Praetorians
  • Members
  • 19 posts

Posted 17 August 2016 - 04:07 AM

Hello all. Since this is my first post in this forum, initially I would like to thank all the members for their invaluable input and help.

Yesterday one of our computers, a Win7 machine, was infected with a ransomware resulting in all files being encrypted with the ".encrypted" extension. Many of the files were backed up on an external 4TB hdd, which unfortunately was also left connected to the PC overnight. UAC was disabled on the machine and Sophos apparently wasn't able to do much. The PC also had RDP enabled on default ports and a weak pass... yep I know :(
Thankfully when the user woke up his PC in the morning, the first thing he did was disconnect the external hdd, so not all the files were encrypted on there (too many files and many large ones like videos etc., I presume).

I'm not a very tech savvy person, so after bypassing the "lockscreen" through Safe Mode, I tried to identify the ransomware through HitmanPro and Malwarebytes without much luck. All I could find were some WinIo32.sys, winlogon.exe and conhost.exe files, apparently malicious, identified as Trojan.backdoors.

After that I tried to identify the threat online through ID Ransomware by uploading the text file and one encrypted file.
I got 2 results: potentially Apocalypse or Smrss32.

I tried both the Emsisoft and AVG Apocalypse decryptors on the files with no success. Emsisoft says "apparently the files are not encrypted", while AVG returns 0 decryptions. The text file appears to be more like the one of Apocalypse than the Smrss32 one I see here. However I think I'm left with Smrss32 as the only remaining option.

Can anyone suggest another identification method to be certain whether it is Smrss32 or not? There was no c:\encrypted folder on my PC from what I see here.
Thanks in advance guys.

 

P.S. - At least around 7.500 files were also encrypted on the external backup HDD.


Edited by Praetorians, 17 August 2016 - 04:19 AM.


#9 quietman7
  • Bleepin' Janitor
  • Global Moderator
  • 49,952 posts
  • Location: Virginia, USA

Posted 17 August 2016 - 05:50 AM

...Can anyone suggest another identification method to be certain if it is or not Smrss32? There was no c:\encrypted folder on my ...

TorrentLocker (Crypt0L0cker), Apocalypse, Crypren, Smrss32, and KeRanger OS X Ransomware all add an .encrypted extension to the end of filenames.

Smrss32 Ransomware will leave files (ransom notes) named _HOW_TO_Decrypt.bmp which advises your files have been encrypted with "CryptoWall" Software.

Apocalypse Ransomware will leave files (ransom notes) named filename.extension.encrypted.How_To_Decrypt.txt, filename.extension.encrypted.How_To_Get_Back.txt (i.e. family.jpg.encrypted.How_To_Decrypt.txt) for each file encrypted. The ransom note asks you to contact "decryptionservice@inbox.ru" or "decryptdata@inbox.ru" and contains a personal ID.

Crypren Ransomware will leave files (ransom notes) named READ_THIS_TO_DECRYPT.html.

Crypt0L0cker (TorrentLocker) will leave files (ransom notes) with names like DECRYPT_INSTRUCTIONS.TXT, DECRYPT_INSTRUCTIONS.HTML, INSTRUCCIONES_DESCIFRADO.HTML, How_To_Recover_Files.txt, How_To_Restore_Files.txt and HOW_TO_RESTORE_FILES.HTML.

KeRanger OS X Ransomware will leave files (ransom notes) named README_FOR_DECRYPT.txt.
Microsoft MVP Consumer Security 2007-2015
Microsoft MVP Reconnect 2016
Windows Insider MVP 2017
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click here.
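A small triage script, added here as an example (it is not an ID Ransomware or BleepingComputer tool), that applies the identification rules in the post above: it walks a folder tree, maps ransom-note filenames to the families quietman7 lists, counts .encrypted files, and flags whether any .bmp was encrypted, since Smrss32 skips .bmp (the check that rules Smrss32 out later in this thread). The NOTE_SIGNATURES table and the sample folder in demo() are constructed from the names on this page.

```python
import os
import tempfile
from collections import Counter

# Ransom-note filenames per family, from the post above; matching is
# case-insensitive because Windows filesystems are. Apocalypse drops one note
# per file (family.jpg.encrypted.How_To_Decrypt.txt), so its entries are suffixes.
NOTE_SIGNATURES = {
    "Smrss32": ["_how_to_decrypt.bmp"],
    "Apocalypse": [".encrypted.how_to_decrypt.txt", ".encrypted.how_to_get_back.txt"],
    "Crypren": ["read_this_to_decrypt.html"],
    "Crypt0L0cker": ["decrypt_instructions.txt", "decrypt_instructions.html",
                     "instrucciones_descifrado.html", "how_to_recover_files.txt",
                     "how_to_restore_files.txt", "how_to_restore_files.html"],
    "KeRanger": ["readme_for_decrypt.txt"],
}


def classify_note(filename):
    """Return the family whose ransom-note name matches filename, else None."""
    lower = filename.lower()
    for family, patterns in NOTE_SIGNATURES.items():
        for pattern in patterns:
            if lower == pattern or (pattern.startswith(".") and lower.endswith(pattern)):
                return family
    return None


def triage(root):
    """Walk root; tally ransom notes per family and .encrypted files. Smrss32
    skips .bmp, so bmp_encrypted=True argues against it (as used later in this thread)."""
    families = Counter()
    encrypted = 0
    bmp_encrypted = False
    for _dirpath, _dirs, files in os.walk(root):
        for name in files:
            family = classify_note(name)
            if family is not None:
                families[family] += 1
                continue
            lower = name.lower()
            if lower.endswith(".encrypted"):
                encrypted += 1
                bmp_encrypted = bmp_encrypted or lower.endswith(".bmp.encrypted")
    return {"families": dict(families), "encrypted": encrypted, "bmp_encrypted": bmp_encrypted}


def demo():
    """Constructed sample folder: a Smrss32 note, two encrypted files, an untouched .bmp."""
    with tempfile.TemporaryDirectory() as tmp:
        docs = os.path.join(tmp, "Documents")
        os.makedirs(docs)
        for name in ("_HOW_TO_Decrypt.bmp", "report.docx.encrypted",
                     "photo.jpg.encrypted", "logo.bmp"):
            open(os.path.join(docs, name), "wb").close()
        return triage(tmp)
```

Run triage() against the root of an affected drive; a family count of zero with many .encrypted files means the note name is not one listed here, and an encrypted .bmp alongside a _HOW_TO_Decrypt.bmp note is worth a second look.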

#10 Praetorians
  • Members
  • 19 posts

Posted 17 August 2016 - 05:52 AM

Smrss32 Ransomware leaves files (ransom notes) named _HOW_TO_Decrypt.bmp which advises your files have been encrypted with "CryptoWall" Software.

Apocalypse Ransomware leaves files (ransom notes) named filename.extension.encrypted.How_To_Decrypt.txt, filename.extension.encrypted.How_To_Get_Back.txt (i.e. family.jpg.encrypted.How_To_Decrypt.txt) for each file encrypted. The ransom note asks you to contact "decryptionservice@inbox.ru" or "decryptdata@inbox.ru" and contains a personal ID.


Thank you very much quietman7. Then it is definitely not Smrss32, since my bitmaps were also encrypted.
I will have to move my problem to the appropriate Apocalypse thread then.

Below is what the ransom note consistent with Apocalypse says:

THIS COMPUTER HAS BEEN LOCKED AND ALL THE FILES HAVE BEEN CRYPTED.
(images, videos, documents, backups, etc ).
Contact by Email for data recovery.
Then, we'll provide Unlock-Password and Data Decryption Software to you.
Email: fabiansomware@mail.ru
WARNING: If you don't contact in 48 hours, then all DATA will be damaged unrecoverably!!!

Edited by Praetorians, 17 August 2016 - 05:57 AM.


#11 Demonslay335
  • Ransomware Hunter
  • Topic Starter
  • Security Colleague
  • 3,251 posts
  • Location: USA

Posted 17 August 2016 - 08:26 AM

@Praetorians

 

See my reply in the Apocalypse topic. You definitely have the newest Apocalypse we uncovered yesterday, which ID Ransomware will pick up on by the extension, ransom note name, and email address in the ransom note. You'll need to use the ApocalypseVM decrypter for that particular variant.

 

http://www.bleepingcomputer.com/forums/t/617212/apocalypse-encrypted-ransomware-help-topic-filenamehow-to-decrypttxt/?p=4065585




#12 Demonslay335
  • Ransomware Hunter
  • Topic Starter
  • Security Colleague
  • 3,251 posts
  • Location: USA

Posted 17 August 2016 - 10:10 AM

@All

 

If anyone has been hit by this ransomware and has not paid, please share an encrypted image or Office file (e.g., *.png.encrypted, *.jpg.encrypted, *.doc.encrypted, etc.). We will be able to provide a key and decrypter via PM. :)




#13 R2D2015
  • Members
  • 5 posts

Posted 17 August 2016 - 12:51 PM

@All

 

If anyone has been hit by this ransomware and has not paid, please share an encrypted image or Office file (e.g., *.png.encrypted, *.jpg.encrypted, *.doc.encrypted, etc.). We will be able to provide a key and decrypter via PM. :)

Did you get my .PNG.Encrypted files?



#14 Frakkle
  • Members
  • 1 posts

Posted 17 August 2016 - 01:15 PM

A new ransomware has been floating around for the past few weeks, and only now have we been able to find information on it.

 

Dubbed Smrss32 based on internal project settings of the malware, this ransomware encrypts files with AES and appends the extension ".encrypted" (which is also used by several other ransomwares). The ransom note "_HOW_TO_Decrypt.bmp" is dropped in every folder that is hit, and will look like the following image, asking the victim to contact the criminals at helprecover@ghostmail.com, among other email addresses.

 

 

 

Among the large wall of text, it does try to call itself "CryptoWall Software", but it is in no way nearly as sophisticated as the real thing.

 

Based on the way this ransomware behaves, and the project file associated with it, it is assumed this variant is spread via manual RDP hacks into a system.

 

If you or someone you know has been hit by this ransomware, please post in this topic. We are looking to gather more information if possible, including whether files still exist in the directory "C:\encryptor" or another suspicious folder on the root of the drive.

 

I do not recommend paying the ransom at this time.

 

If you have been hit by this ransomware, please post an encrypted file here, and we will contact you via PM with a key and decrypter.

 

Encrypted and unencrypted version of file:

 

https://www.dropbox.com/sh/9erahtg50g2ak47/AACyL1dzQjnSSxxAyKFOTbtfa?dl=0

 

I hope you can help.

 

 

---

 

Follow-up:  Machine is fully restored now.  Thanks again so much, you guys are amazing.


Edited by Frakkle, 17 August 2016 - 08:30 PM.


#15 Demonslay335
  • Ransomware Hunter
  • Topic Starter
  • Security Colleague
  • 3,251 posts
  • Location: USA

Posted 17 August 2016 - 01:52 PM

@R2D2015

 

Thanks for the reminder, I have your files and will contact you when we have a key.

 

@Frakkle

 

I will contact you when we have a key as well.






