
n1n1n1 Ransomware Help & Support Topic


32 replies to this topic

#1 esoares


Posted 16 September 2016 - 05:26 AM

Good morning,
 
Yesterday my computer was infected by n1n1n1 Ransomware (identified by ID Ransomware). Could someone help to decrypt the files? Is there any kind of solution? I'm desperate.... If someone can help, please respond. Below is the ransom note.
 
Thanks in advance.
 
Dont speak english?
Ingilizce konusamiyor musun? Daha sonra https://translate.google.com.
Ino hablan a Ingles? Luego usar el sitio https://translate.google.com.


Your data have been encrypted.
To decrypt your files follow the instructions:
 1.  Run your browser, open https://www.torproject.org , you can see button "Download", click it .
     find tor browser for windows, download it
 2.  Install tor browser. If you can't download or run it then download and unpack the most stable tor browser version:
         http://www23.zippyshare.com/v/jW48oSqv/file.html

 3.  You need type in tor browser www.uc7k2wj6526xlivj.onion/start.php
 4.  You will be redirected to hidden website.
 5.  Follow the instructions on website.
Probably you need to disable or remove your antivirus to make steps 1,2,3,4,5.


Your public key

24CkIzsiitMlvJsF49WShEBIM1N64SF4SBlHqPDrqPTTfXpEZb
xRdM93aRRbxqXK1wE2HYqY3CXQtjBqFEdklePshuAIkRx4DYW9
XiRHA6rgrlxX4zZITFwxFpQ2xZPzq5Bk2MYkfnmn8EsFb1gmX5
wL57yQ1sjLNBcgsYc7x6Umt

If you still can't open our secret hidden website or you have any questions then
 Open https://mail.google.com using your usual browser.
 If you don't own personal gmail account then you need sign up. You will get email ....@gmail.com
 Create e-mail message and send it to our email:  yellowfix@sigaint.org
Copy your public key into the letter (see this key above). Soon I will answer you about decrypting of your files.

Remark:
You can use other mail inbox (not ....@gmail.com),  but I don't recommend you do it
because I am not sure that I will receive your letter.


I am not expel that antivirus software can delete these files with directions in 2,3 days.
If you have any antivirus software and you need your files then
take a photograph on telephone camera these directions.


#2 Demonslay335


Posted 16 September 2016 - 08:16 AM

We still need a sample of the malware for analysis. If you can find the virus that caused the infection, or any suspicious files, please submit them here: http://www.bleepingcomputer.com/submit-malware.php?channel=168

 

I don't need any ransom notes or encrypted files for this one, got plenty of those right now.


ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.


#3 billy_brown


Posted 17 September 2016 - 01:43 AM

Hi Guys,

 

I have the same problem too, my photos, videos, note, and other important files are encrypted.

 

It's in the .cerber3 format.

 

I uploaded one example of the encrypted file, referring to Demonslay's link.

 

Looking forward to the help.

 

Thank you



#4 quietman7


Posted 17 September 2016 - 04:49 AM

> ...I have the same problem too, my photos, videos, note, and other important files are encrypted.
>
> It's in the .cerber3 format...

Assistance with Cerber infections is provided in the below topic. Other victims have been directed there to share information, experiences and suggestions.
Microsoft MVP Consumer Security 2007-2015
Microsoft MVP Reconnect 2016
Windows Insider MVP 2017
Member of UNITE, Unified Network of Instructors and Trusted Eliminators


#5 esoares


Posted 19 September 2016 - 06:15 PM

Good evening. I've paid and my files are already all decrypted and working.



#6 Demonslay335


Posted 19 September 2016 - 06:24 PM

> Good evening. I've paid and my files are already all decrypted and working.


Glad to hear you got files back, even if you had to pay the criminals.

Would you be willing to share their decrypter for analysis? You can zip up anything they gave you, plus a few encrypted files, here: http://www.bleepingcomputer.com/submit-malware.php?channel=168

 

If you have the virus itself that caused this, please also submit that. If you know anything about how you got it (email attachment, download from website, torrent, etc.), that may be helpful.


Edited by Demonslay335, 19 September 2016 - 07:41 PM.



#7 Daemonium


Posted 28 November 2016 - 07:03 PM

Greetings, all!

So I came in to work today and noticed a few new files on my desktop: "files decipher.html," and "files decipher.txt." Odd. I then proceeded to open an Excel spreadsheet (all of which are now named "filenameRANDOMSTRING.extension") to no avail!

Naturally, this has caused me a decent amount of grief. I followed the instructions per what the attacker left on my desktop, but replaced the last part of the webpage with "decrypter.exe" at the end of the webpage which allowed me to download the decryptor.

My AV has yet to notice any actual viruses. I can upload both the ransom notes and decryptor if it helps.

#8 Demonslay335


Posted 28 November 2016 - 07:07 PM

We are still hunting for a sample of the malware itself. We have their decrypter already, but it of course requires a unique key per victim.

 

Does your system have RDP open to the world? We do not know what the vector of attack is still. Nothing further can be done to help without the malware itself to analyze.

 

You can find more information in the support topic.

 

http://www.bleepingcomputer.com/forums/t/626987/n1n1n1-ransomware-help/




#9 Daemonium


Posted 28 November 2016 - 07:12 PM

Sorry; I'm more computer-literate than my coworkers but you'll likely have to run me through how to check that.
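
One way to check the RDP exposure asked about above, from the affected Windows machine itself. This is an added example, not part of the original thread; it assumes an elevated PowerShell session on Windows 8 / Server 2012 or later and the English firewall group name 'Remote Desktop'.

```powershell
# Added example. Run in an elevated PowerShell session on the affected Windows host.
# Assumes Windows 8 / Server 2012 or later (Get-Net* cmdlets) and an English-language
# firewall group name ('Remote Desktop'); adjust the group name on localized systems.

$ts  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$tcp = "$ts\WinStations\RDP-Tcp"

# fDenyTSConnections = 0 means Remote Desktop is enabled.
# UserAuthentication = 1 means Network Level Authentication (NLA) is required.
$deny = (Get-ItemProperty -Path $ts  -Name fDenyTSConnections).fDenyTSConnections
$port = (Get-ItemProperty -Path $tcp -Name PortNumber).PortNumber
$nla  = (Get-ItemProperty -Path $tcp -Name UserAuthentication).UserAuthentication
[pscustomobject]@{ RdpEnabled = ($deny -eq 0); Port = $port; NlaRequired = ($nla -eq 1) }

# Is a service actually listening on the configured RDP port?
Get-NetTCPConnection -State Listen -LocalPort $port -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort, OwningProcess

# Enabled inbound Remote Desktop firewall rules and the source addresses they accept.
# RemoteAddress 'Any' on the Public profile means the host firewall does not restrict callers.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue |
    Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' } |
    ForEach-Object {
        $rule = $_
        [pscustomobject]@{
            Rule          = $rule.DisplayName
            Profile       = $rule.Profile
            RemoteAddress = ($rule | Get-NetFirewallAddressFilter).RemoteAddress -join ','
        }
    }

# Network (type 3) and RemoteInteractive (type 10) logons from the last 7 days,
# grouped by source address and event ID (4624 = success, 4625 = failure).
# Type 3 also covers file sharing, so read the counts alongside the source addresses.
$since = (Get-Date).AddDays(-7)
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624, 4625; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $ev = $_
        $d  = @{}
        foreach ($n in ([xml]$ev.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        if ($d['LogonType'] -in '3', '10' -and $d['IpAddress'] -notin '-', '::1', '127.0.0.1') {
            [pscustomobject]@{ Source = $d['IpAddress']; EventId = $ev.Id }
        }
    } |
    Group-Object Source, EventId |
    Sort-Object Count -Descending |
    Select-Object Count, Name -First 20
```

These checks only describe the host: whether the port is reachable from the Internet also depends on any port forwarding or firewall rule on the router or edge device in front of it.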

#10 Daemonium


Posted 28 November 2016 - 07:21 PM

I think it may have been an email attachment in .pdf format that my boss may have clicked. May I submit it here? I still have it in my other device's trash.

#11 quietman7


Posted 28 November 2016 - 07:23 PM

@Daemonium

Since we don't have much on this infection and to avoid confusion, I have merged your topic with the existing one.

#12 Demonslay335


Posted 28 November 2016 - 07:25 PM

You may submit malicious files here: http://www.bleepingcomputer.com/submit-malware.php?channel=168



#13 Daemonium


Posted 28 November 2016 - 07:35 PM

Submitted a suspicious .zip. Will also provide you with the .pdf asap.

 

EDIT: .pdf has been sent as well. Hope this helps as these people are asking for ~$1k which is absolutely ridiculous.

 

EDIT 2: I can use our other computers to access this site, but it appears that it has been blocked when using the infected computer. Not sure how this is done or how to go about fixing it - just figured I would let you know.


Edited by Daemonium, 28 November 2016 - 08:09 PM.


#14 Demonslay335


Posted 28 November 2016 - 08:50 PM

Thanks, we're taking a look. The .zip file definitely has a malicious payload, seems to be a Nemucod dropper, but I'm still trying to analyze the payload. Will post back when we get any viable info; can't promise a solution of course.




#15 chrisblessing


Posted 04 December 2016 - 08:19 PM

We had a Windows Server 2006 r2 hit by n1n1n1. All accounts above match our circumstances. Our MySQL database was untouched but all files for a web-facing application were encrypted. An ESET scan and clean, and a full application restore and data re-import, fixed everything. It's likely an open RDP port was the vector.

 

Don't forget: backup and backup again, and lock the doors when you leave.





