Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Nullbyte (DetoxCrypto) Ransomware Help & Support (_nullbyte extension)


  • Please log in to reply
9 replies to this topic

#1 omarjo

omarjo

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:08:36 PM

Posted 31 August 2016 - 02:46 AM

Hi everyone,
yesterday i ran an app and after that all my personal files were encrypted and cant find any solution or similar encryptions all over the internet.
any idea what to do?the id website couldnt identify the encryption

BC AdBot (Login to Remove)

 


m

#2 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 49,917 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:12:36 PM

Posted 31 August 2016 - 04:54 AM

More information is needed to determine what infection you are dealing with since there are many variants of crypto malware ransomware. RSA-4096 is an encryption algorithm and not an explicit way of identifying a particular ransomware infection.

What is the actual name of the ransom note?
Are there any obvious file extensions appended to or with your data files?

Did you find any ransom notes? These infections are created to alert victims that their data has been encrypted and demand a ransom payment. Check your documents folder for an image the malware typically uses for the background note. Check the C:\ProgramData (or C:\Documents and Settings\All Users\Application Data) for a randomly named .html, .txt, .png, .bmp, .url file. Most ransomware will also drop a ransom note in every directory/affected folder where data was encrypted.

I'm not sure what id website you used.

You can submit samples of encrypted files and ransom notes to ID Ransomware for assistance with identification and confirmation. This is a service that helps identify what ransomware may have encrypted your files and then attempts to direct you to an appropriate support topic where you can seek further assistance. If ID Ransomware cannot identify the infection, you can post the case SHA1 it gives you in your next reply for Demonslay335 to manually inspect the files.

You can also submit samples of encrypted files, ransom notes, email or/and website address you see in the RANSOM DEMAND to No More Ransom Crypto Sheriff for assistance with identification and possible decrypting solutions. If you are provided any information it would be helpful to post it here for Demonslay335 to review.
.
.
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Microsoft MVP Reconnect 2016
Windows Insider MVP 2017
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#3 Demonslay335

Demonslay335

    Ransomware Hunter


  • Security Colleague
  • 3,244 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:11:36 AM

Posted 31 August 2016 - 06:26 AM

I saw the submissions to ID Ransomware last night and set out a hunt based on it.

 

The files had "_nullbyte" appended as an extension, e.g. "picture.jpg_nullbyte". They were also submitted with what looks like a decrypter from the criminals - this is very useful for writing a decrypter if we are able to find a weakness in the malware, but we will need the malware itself to assess.

 

If you have the malware that caused this, please submit it here: http://www.bleepingcomputer.com/submit-malware.php?channel=168

 

If you have a ransom note too, I'd like to see that as well.


logo-25.pngID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

ransomnotecleaner-25.png RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

cryptosearch-25.pngCryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.


#4 VinceDDD

VinceDDD

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:07:36 PM

Posted 31 August 2016 - 06:57 AM

Apparently there really seems to be a new variation of cerber, called #cerber3. It is not clear, however, if this version of the ransowmare is a new impersonating virus or is actually Cerber ransomware. Some researchers are positive that it is the same Cerber, only using a new file extension and several "fixes".



#5 xXToffeeXx

xXToffeeXx

    Bleepin' Polar Bear


  • Malware Response Instructor
  • 6,015 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:The Arctic Circle
  • Local time:05:36 PM

Posted 31 August 2016 - 07:04 AM

Apparently there really seems to be a new variation of cerber, called #cerber3. It is not clear, however, if this version of the ransowmare is a new impersonating virus or is actually Cerber ransomware. Some researchers are positive that it is the same Cerber, only using a new file extension and several "fixes".

This has nothing to do with Cerber.
 
The malware sample has been found and hopefully we will be able to look into it, to figure out whether it's secure or not.
 
xXToffeeXx~


~If I am helping you and you have not had a reply from me in two days, please send me a PM~

~Currently in my last year of school, so replies might be more delayed~

 

logo-25.pngID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic] - If we have helped you out and you want to support what we do, you can do so here

 

 ~Twitter~ | ~Malware Analyst at Emsisoft~


#6 Demonslay335

Demonslay335

    Ransomware Hunter


  • Security Colleague
  • 3,244 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:11:36 AM

Posted 31 August 2016 - 09:33 PM

Good news, this ransomware is decryptable. :)

 

Je2bMhd.png

 

 

This decrypter requires the full path to the user profile that was infected, so please make sure it is correct. If decrypting files from another computer, you will need to provide the original path to the profile via Settings -> Set Profile Path (e.g. "C:\Users\yourusername").

 

https://download.bleepingcomputer.com/demonslay335/NullByteDecrypter.zip

 

 

For informational purposes, this ransomware uses AES to encrypt files, and appends "_nullbyte" to the filename of encrypted files. The following screen is displayed to the victim.

 

CrKQ9fpWAAAowIG.jpg

 

 

This ransomware is currently known to be spread via a repacking of the PokemonGo cheating program Necrobot, calling itself "Necrobot.Rebuilt". This program asks for credentials to an account to cheat with; it will actually take your credentials and upload them to an FTP server, then generously start encrypting your files.


Edited by Demonslay335, 31 August 2016 - 09:49 PM.

logo-25.pngID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

ransomnotecleaner-25.png RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

cryptosearch-25.pngCryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.


#7 Amigo-A

Amigo-A

  • Members
  • 220 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:3st station from Sun
  • Local time:10:36 PM

Posted 01 September 2016 - 09:21 AM

Symantec says that it CryptXXX.

 

11153067.png

https://www.virustotal.com/ru/file/f70abab659c6490b21164d91c0e262b11448c7bbf728a425b00fe832a95fc8f9/analysis/


Edited by Amigo-A, 01 September 2016 - 09:53 AM.

Need info about Crypto-Ransomware? A huge safe base here!

Digest about Crypto-Ransomwares (In Russian) + Google Translate Technology

Anti-Ransomware Project  (In Russian) + Google Translate Technology and links


#8 xXToffeeXx

xXToffeeXx

    Bleepin' Polar Bear


  • Malware Response Instructor
  • 6,015 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:The Arctic Circle
  • Local time:05:36 PM

Posted 04 September 2016 - 10:40 AM

Symantec says that it CryptXXX.
 
11153067.png
https://www.virustotal.com/ru/file/f70abab659c6490b21164d91c0e262b11448c7bbf728a425b00fe832a95fc8f9/analysis/

Going off names is generally a bad idea unless multiple antiviruses all agree on one. This is definitely not CryptXXX, however.
 
xXToffeeXx~


~If I am helping you and you have not had a reply from me in two days, please send me a PM~

~Currently in my last year of school, so replies might be more delayed~

 

logo-25.pngID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic] - If we have helped you out and you want to support what we do, you can do so here

 

 ~Twitter~ | ~Malware Analyst at Emsisoft~


#9 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 49,917 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:12:36 PM

Posted 04 September 2016 - 04:17 PM

Yes, especially since each security vendor uses their own naming conventions to identify various types of malware. Some vendors also add a modifier or additional information after the name that further describes what type of malware it is. Since there is no universal naming standards, all this leads to confusion by the end user.
.
.
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Microsoft MVP Reconnect 2016
Windows Insider MVP 2017
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#10 Demonslay335

Demonslay335

    Ransomware Hunter


  • Security Colleague
  • 3,244 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:11:36 AM

Posted 05 September 2016 - 12:33 PM

Ya, it's quite annoying. CryptXXX and Genasom are most definitely not written in .NET.  :P


logo-25.pngID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

ransomnotecleaner-25.png RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

cryptosearch-25.pngCryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users