Need help identifying ransomware variant

19 replies to this topic

#1 BradTheGeek

Posted 22 August 2016 - 09:49 AM

Just ran across an infection where I am not familiar with the ransomware variant. It is in a 30+ node business environment and encrypted shared files. There are good backups, but there may be a few new files or versions of files that are not in the recent backup set and I want to see if there is a decryptor for this particular variant.

 

The virus drops one file in the affected folders named "How to restore files.hta". This HTA does not have anything identifying other than the text used. The contents of the HTA are below (with identifying info redacted).

 

Any help is very much appreciated. I googled some of the phrases in the text, but they are fairly generic and I did not make much headway identifying it that way.

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
  <head>
    <meta charset="windows-1251">

    <HTA:APPLICATION
      ICON="msiexec.exe"
      SINGLEINSTANCE="yes">

    <script language="JScript">
      window.moveTo(50, 50);
      window.resizeTo(screen.width - 100, screen.height - 100);
    </script>

    <style type="text/css">

      body {
        font: 15px Tahoma, sans-serif;
        margin: 10px;
        line-height: 25px;
        background: #EDEDED;
      }

      .bold {
        font-weight: bold;
      }

      .mark {
        background: #D0D0E8;
        padding: 2px 5px;
      }

      .header {
        font-size: 30px;
        height: 50px;
        line-height: 50px;
        font-weight: bold;
        border-bottom: 10px solid #D0D0E8;
      }

      .info {
        background: #D0D0E8;
        border-left: 10px solid #00008B;
      }
      .alert {
        background: #FFE4E4;
        border-left: 10px solid #FF0000;
      }
      .private {
        border: 1px dashed #000;
        background: #FFFFEF;
      }

      .note {
        height: auto;
        padding-bottom: 1px;
        margin: 15px 0;
      }
      .note .title {
        font-weight: bold;
        text-indent: 10px;
        height: 30px;
        line-height: 30px;
        padding-top: 10px;
      }
      .note .mark {
        background: #A2A2B5;
      }
      .note ul {
        margin-top: 0;
      }
      .note pre {
        margin-left: 15px;
        line-height: 13px;
        font-size: 13px;
      }

    </style>
  </head>

  <body>
    <div class="header">ALL YOUR FILES ARE ENCRYPTED!</div>

    <div class="note private">
      <div class="title">Your personal identifier is </div>
      <pre>REDACTED</pre><!-- !!! do not change the line !!! -->
    </div>

    <div class="bold">All your documents, photos, databases, game's save and other important data has been encrypted.</div>

    <div class="bold">To get your unique key and decode your files, you need send 0.5 bitcoin on adress 1Eyt3q4JNwerSBSqXm2qVf8D3qDRE996D1 </div>

    <div>and write us at email <span class="mark">REDACTED@163.com</span> your personal identifier and screenshot of the payment or Transaction ID.</div>

    
    <div>After that I send you the decryptor and the instruction how you can decrypt your files.</div>

    <div class="note alert">
      <div class="title">Attention!</div>
      <ul>
        <li>Do not attempt to remove the program or run the anti-virus tools!</li>
        <li>Attempts to self-decrypting files will result in the loss of your data!</li>
      </ul>
    </div>
  </body>
</html>

#2 al1963

Posted 22 August 2016 - 09:54 AM

You can use ID Ransomware to identify the type of encoder.

 

https://id-ransomware.malwarehunterteam.com/index.php



#3 Demonslay335

Posted 22 August 2016 - 10:04 AM

Do your files have the extension ".purge", or a different extension? I have seen a submission with a similar ransom note before, but we are trying to find a sample of the malware to analyze.

 

If you can find any signs of the malware (through scans, or an email attachment, or download), please submit it here: http://www.bleepingcomputer.com/submit-malware.php?channel=168


ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.


#4 BradTheGeek

Posted 22 August 2016 - 10:17 AM

Thanks. I did not know of that site. It cannot identify from the ransom note. There is a tech on site, and he got the Windows servers to restore previous versions before I could think to grab an encrypted sample.

 

We are not sure which node started the infection, but we suspect one at another site. It is currently offline and a tech is en route, so if it has any samples I will be sure to grab them if it comes back to our shop for examination and cleanup. The customer may opt for an on-site wipe and reimage, which will shorten the time we can look for nasties on it. I am seeing if we can get an image of it first if it stays on site.

 

I did examine the suspected user's email and there are no unusual attachments to be found except a TIFF. The rest are PDFs from their scanner and voicemails from the phone system. All very normal.

 

If I find new stuff I will submit samples (and add it to my own little zoo).



#5 BradTheGeek

Posted 22 August 2016 - 10:19 AM

Oh... and they did not have .purge extensions; the extensions were changed to an (apparently) random string that was the same for all files. Something like .JDSSJKJJSH


Edited by BradTheGeek, 22 August 2016 - 10:20 AM.


#6 Demonslay335

Posted 22 August 2016 - 10:21 AM

Do you have the email address that was in the ransom note? I can add it to my hunting rule.




#7 BradTheGeek

Posted 22 August 2016 - 10:25 AM

lv002402840mt@163.com



#8 BradTheGeek

Posted 22 August 2016 - 10:38 AM

Found a whole bunch more affected files. Either we missed them or it is still ripping through stuff. I will have a sample of an encrypted file soon. The extension used for all files is .sdfgklhjsdf

 

Also, ID Ransomware could not ID from the sample.


Edited by BradTheGeek, 22 August 2016 - 10:40 AM.


#9 quietman7

Posted 22 August 2016 - 04:36 PM

You can also submit samples of encrypted files, ransom notes, and the email and/or website address you see in the RANSOM DEMAND to No More Ransom Crypto Sheriff for assistance with identification. If you are provided any information, it would be helpful to post it here for Demonslay335 to review.

#10 BradTheGeek

Posted 24 August 2016 - 09:06 AM

I had a little time to dig through the system image today. I found the dropper. Demonslay335, do you want a sample? VirusTotal reports it as malicious with 10 scanners marking it as a trojan. The client was running a modified version of Bitdefender (it hooks into our MSP panel for management and reporting), as am I. Neither normal Bitdefender nor our modified version knows this one yet. I am submitting a sample to our vendor, but if you want something to play with I can provide it.



#11 Demonslay335

Posted 24 August 2016 - 09:08 AM

Yes please. We have a sample of the ".purge" variant (as you can see an article was posted today), but we haven't seen one with random extension yet.

 

Can you please submit it here: http://www.bleepingcomputer.com/submit-malware.php?channel=168




#12 BradTheGeek

Posted 24 August 2016 - 09:27 AM

The sample has been submitted. If you need anything else, you will have my email there or this thread, which I will try to keep an eye on.



#13 Demonslay335

Posted 24 August 2016 - 09:53 AM

Thanks, taking a look now. It is definitely a Globe variant from static analysis; interested to know if it generates a random extension each time, or if it's a static extension. We're starting to think this is a kit.




#14 arlorn87

Posted 24 August 2016 - 10:38 AM

I have another computer that was hit with this on 8/24/16 at 5:45a EST. Same symptoms, with the extension .sdfgklhjsdf and "How to restore files" created in each folder. Also, the email to send to matches up with lv002402840mt@163.com. If you need any more samples or information, let me know.



#15 Demonslay335

Posted 24 August 2016 - 10:54 AM

> I have another computer that was hit with this on 8/24/16 at 5:45a EST. Same symptoms with the extensions of .sdfgklhjsdf and "How to restore files" created in each folder. Also the email to send to matches up with lv002402840mt@163.com. If you need any more samples or information let me know.

 

Thanks for the confirmation. I verified on two different VMs that it uses that same extension, so it is easier to identify than if it was random.

 

You can always try recovery software such as Recuva or PhotoRec, sometimes you might get lucky. If a server had shares hit, you can use ShadowExplorer on that machine, but the local system that was actually infected most likely won't have any shadow copies left.


Edited by Demonslay335, 24 August 2016 - 11:35 AM.

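An added triage script, not from this thread or from any of the tools mentioned in it, that scans a file tree for the indicators posted above (the static .sdfgklhjsdf extension, the per-folder "How to restore files.hta" note and the note's own text) and reports which folders were hit and which note is oldest, which is where to start looking for the origin; the sample share it builds in a temp directory is constructed for the example.

```python
import os
import tempfile
from pathlib import Path

# Indicators posted in this thread; the sample tree built by demo() is constructed.
ENCRYPTED_EXT = ".sdfgklhjsdf"          # static extension this Globe variant appends
NOTE_NAME = "how to restore files.hta"  # ransom note dropped in every folder (case-insensitive)
NOTE_MARKERS = (b"ALL YOUR FILES ARE ENCRYPTED", b"lv002402840mt@163.com")


def scan_tree(root):
    """Return encrypted files, ransom notes whose text matches, and the oldest
    note (the folder reached first is where to start looking for the origin)."""
    encrypted, notes = [], []
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            if name.lower().endswith(ENCRYPTED_EXT):
                encrypted.append(path)
            elif name.lower() == NOTE_NAME:
                with open(path, "rb") as fh:
                    head = fh.read(64 * 1024)
                # a matching file name alone is not enough: require the note's text
                if any(marker in head for marker in NOTE_MARKERS):
                    notes.append(path)
    first = min(notes, key=lambda p: p.stat().st_mtime, default=None)
    return {"encrypted": sorted(encrypted), "notes": sorted(notes), "first_note": first}


def affected_folders(summary):
    """Distinct directories holding encrypted files, i.e. the restore-from-backup list."""
    return sorted({str(p.parent) for p in summary["encrypted"]})


def demo():
    """Build a constructed sample share in a temp dir and scan it."""
    base = Path(tempfile.mkdtemp(prefix="globe-triage-"))
    layout = {
        "finance/q2-report.xlsx.sdfgklhjsdf": b"\x00ciphertext",
        "finance/How to restore files.hta": b"<div>ALL YOUR FILES ARE ENCRYPTED!</div>",
        "hr/policy.docx.sdfgklhjsdf": b"\x00ciphertext",
        "hr/How to restore files.hta": b"write us at email lv002402840mt@163.com",
        "it/How to restore files.hta": b"an unrelated file that happens to share the name",
    }
    for rel, content in layout.items():
        target = base / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(content)
    # back-date the finance note so it reports as the first folder hit
    os.utime(base / "finance/How to restore files.hta", (1_000_000_000, 1_000_000_000))
    return scan_tree(base)
```

Run scan_tree() against the root of each affected share; the "it" folder in the demo shows why the note's text, not just its name, is checked.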
