
Domino Ransomware (.domino) Help & Support (README_TO_RECURE_YOUR_FILES.txt)


6 replies to this topic

#1 Demonslay335

    Ransomware Hunter

  • Security Colleague
  • 3,244 posts
  • Gender:Male
  • Location:USA

Posted 26 August 2016 - 08:36 AM

Yet another HiddenTear variant has been dug up, thanks to help from Daniel Gallagher.

 

The Domino Ransomware comes packaged as an installer for the (potentially illegal) Windows key cracking software KMSpico.


While the installer supposedly runs, the malware is actually encrypting all of the user's files with AES in the background. Encrypted files will have the extension ".domino" appended. The ransom note "README_TO_RECURE_YOUR_FILES.txt" is left behind with the following contents, asking the victim to contact the criminals at 61f1e8055af3f6a672959e6b0493a2@gmail.com.

 

 

 

Your data had been encrypt!
Send me 1 bitcoins to: 1AkHpPZ18f3QAygdMV2W4R4QjkzYxDkNEA
After send me your (bitcoin address + computer name + username) to 61f1e8055af3f6a672959e6b0493a2@gmail.com to get password!
If you didn't do this, your password to decrypt your file will be destroy after 72 hours. Winter Is Coming!

 

The ransom note is also shown in a separate box with an interesting ASCII art of a cow.


Since this ransomware is based on HiddenTear, victims may be able to recover their key using my HiddenTear BruteForcer, which requires a small encrypted PNG file (e.g. picture.png.domino).

 

http://www.bleepingcomputer.com/download/hidden-tear-bruteforcer/

 

Once a key is successfully recovered, files may be decrypted using the HiddenTear Decrypter.

 

http://www.bleepingcomputer.com/download/hidden-tear-decrypter/


ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.
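Added example (not code from this thread or from the HiddenTear BruteForcer) showing why the tool above asks for a small encrypted PNG: a candidate password only has to decrypt the first AES-CBC block and match it against the fixed PNG signature, so the file size does not matter. The key derivation here is an assumed stand-in, not HiddenTear's real key schedule, and the encrypted sample is constructed inside the block.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/sha256"
	"fmt"
)

// pngMagic: the fixed 8-byte PNG signature, i.e. the known plaintext we test against.
var pngMagic = []byte{0x89, 'P', 'N', 'G', '\r', '\n', 0x1a, '\n'}

// deriveKeyIV is an ASSUMED stand-in for HiddenTear's real key schedule (32-byte key, 16-byte IV).
func deriveKeyIV(password string) (key, iv []byte) {
	k := sha256.Sum256([]byte(password))
	i := sha256.Sum256([]byte("iv:" + password))
	return k[:], i[:16]
}

// SamplePNGDomino builds a CONSTRUCTED "picture.png.domino": PNG signature + start of
// an IHDR chunk, AES-256-CBC encrypted with PKCS#7 padding under the given password.
func SamplePNGDomino(password string) []byte {
	plain := append(append([]byte{}, pngMagic...), "\x00\x00\x00\x0dIHDR"...)
	pad := aes.BlockSize - len(plain)%aes.BlockSize
	plain = append(plain, bytes.Repeat([]byte{byte(pad)}, pad)...)
	key, iv := deriveKeyIV(password)
	block, _ := aes.NewCipher(key) // key is always 32 bytes, so NewCipher cannot fail
	out := make([]byte, len(plain))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, plain)
	return out
}

// IsCandidateKey decrypts only the FIRST CBC block of an encrypted PNG and compares it
// with the PNG signature: one AES block per guess, whatever the file size, so a small PNG suffices.
func IsCandidateKey(password string, encrypted []byte) bool {
	if len(encrypted) < aes.BlockSize {
		return false // shorter than one block: not a complete encrypted file
	}
	key, iv := deriveKeyIV(password)
	block, _ := aes.NewCipher(key)
	first := make([]byte, aes.BlockSize)
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(first, encrypted[:aes.BlockSize])
	return bytes.HasPrefix(first, pngMagic)
}

func main() {
	enc := SamplePNGDomino("correct horse") // constructed sample with a known password
	fmt.Println(IsCandidateKey("correct horse", enc), IsCandidateKey("wrong guess", enc)) // true false
}
```

A real recovery tool swaps in the malware's actual key derivation and searches its candidate passwords; the check per candidate stays this cheap.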



#2 Amigo-A

  • Members
  • 220 posts
  • Gender:Male
  • Location:3st station from Sun

Posted 26 August 2016 - 01:07 PM

There are two ransom notes — README_TO_RECURE_YOUR_FILES.txt and HelloWorld! ???


Need info about Crypto-Ransomware? A huge safe base here!

Digest about Crypto-Ransomwares (In Russian) + Google Translate Technology

Anti-Ransomware Project  (In Russian) + Google Translate Technology and links


#3 Demonslay335

    Ransomware Hunter

  • Topic Starter
  • Security Colleague
  • 3,244 posts
  • Gender:Male
  • Location:USA

Posted 26 August 2016 - 01:08 PM

Yes. The HelloWorld is a separate executable run after the encryption.




#4 Amigo-A

  • Members
  • 220 posts
  • Gender:Male
  • Location:3st station from Sun

Posted 26 August 2016 - 01:26 PM

The contents of these files are identical?

Is the message about AES-1024 confirmed?


Edited by Amigo-A, 26 August 2016 - 01:29 PM.



#5 BennyZ

  • Members
  • 2 posts

Posted 14 November 2017 - 04:02 PM

My PC was infected by Domino Ransomware.

Probably because the malware was detected and destroyed before the encryption was finished, I didn't see the ransom note "README_TO_RECURE_YOUR_FILES.txt" or the "HelloWorld.exe" ransom message, but the infected files found in TEMP were "help.exe", "HelloWorld.exe" and "31688EFBC3B9C99914A5BB7FB58AEC9E.exe", which are the malware files typical for the Domino ransomware.

The virus was killed and erased without problems, but most of the files like JPG, PDF, DOC, ... on all my drives (also on the back-up drives GoogleDrive, Dropbox, ... because they were also connected) are encrypted and the files now have the extension .domino.

Because the Domino Ransomware should be some variant of the Hidden Tear ransomware, I tried to recover the key from a small encrypted PNG file with the Hidden Tear Brute Forcer created by Michael Gillespie, but after 8 days of brute forcing there is no success yet (speed about 35 attempts/sec with 25% CPU usage).

 

Based on the above, I have some questions:

  • Is there any real chance to find the encryption key at such a speed? (the key should have 15 characters, if I'm not wrong)
  • Is it possible to somehow speed up the brute forcing? (only by using a more powerful CPU?)
  • If the Hidden Tear BruteForcer is restarted/closed (e.g. after a PC shutdown), does it always start the brute force algorithm again from the beginning, or are the already tried attempts stored somewhere so that the program continues where it last stopped? Does it help to run two Hidden Tear BruteForcers together?
  • Is there any new knowledge regarding the Domino Ransomware? If yes, will there be an update of the Hidden Tear Brute Forcer?
  • Is there anybody who has successfully decrypted a .domino file at all?

 

In parallel I tried the free Avast ransomware decryption tool for HiddenTear, but the Avast HiddenTear Decryptor evidently doesn't know the .domino extension.

Thank you for any help or hints in advance!



#6 Demonslay335

    Ransomware Hunter

  • Topic Starter
  • Security Colleague
  • 3,244 posts
  • Gender:Male
  • Location:USA

Posted 14 November 2017 - 05:06 PM

@BennyZ

 

I actually have more efficient tools privately for dealing with HiddenTear variants. Can you share a few encrypted files and their originals? Also, has the computer in question been rebooted since the infection? If it hasn't, it greatly reduces the possible keys.

 

If you have the malware executables as well, that would be helpful, so that I can make sure there are no changes since this is a much older ransomware we haven't seen much of.




#7 BennyZ

  • Members
  • 2 posts

Posted 15 November 2017 - 04:18 PM

@Demonslay335

 

Thank you very much !!!

 

The share link to a few encrypted files and their originals was sent to you via PM (JPG, PNG, PDF, TXT).

 

To your questions:

The computer was unfortunately rebooted once; it is 10 days since the infection and I tried many rescue actions ... what a shame.

Regarding the malware executables, I was shocked after the infection, so I permanently erased the infected malware files and everything that was suspicious (manually and also with CCleaner). Now I know that was a big mistake. I tried to recover the infected malware files, but without success; the free software which I used (Recuva and Photorec) didn't find them.





