Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Type of ransomware unknown

  • This topic is locked This topic is locked
3 replies to this topic

#1 Yabba Doo

Yabba Doo

  • Members
  • 24 posts
  • Gender:Female
  • Location:Sasser, GA
  • Local time:04:19 AM

Posted 18 September 2016 - 08:37 PM

After uploading the files I was asked to reference the numbers and post the information here.
Please reference this case SHA1: 6abec186640c377647e070bc5107a8d036e454fd
Please reference this case SHA1: ff9d0d6ce614bc1b86c6eecb5f4bf4379596a5b4
Please reference this case SHA1: 2f8df89d656c4e95e123ada90422161d0cf96674
I had two emails from FedEx Smartpost from two different people, one saying they were attempting to deliver an item and the other saying it could not be delivered. Each had different files attached for a shipping label I was told to print.  When I tried to print it, Avast blocked it and wouldn't open it.  Shortly after that, I had the following notepad message pop up on my computer screen:
All your documents, photos, databases and other important personal files
were encrypted using strong RSA-1024 algorithm with a unique key.
To restore your files you have to pay 0.54104 BTC (bitcoins).
Please follow this manual:
1. Create Bitcoin wallet here:
2. Buy 0.54104 BTC with cash, using search here:
3. Send 0.54104 BTC to this Bitcoin address:
4. Open one of the following links in your browser to download decryptor:
5. Run decryptor to restore your files.
      - If you do not pay in 3 days YOU LOOSE ALL YOUR FILES.
      - Nobody can help you except us.
      - It`s useless to reinstall Windows, update antivirus software, etc.
      - Your files can be decrypted only after you make payment.
      - You can find this manual on your desktop (DECRYPT.txt).
The message was not exactly like the others I saw on here.  When I uploaded them to see what kind of ransomware it is, it could not be identified.  Is there any hope for getting around it?  I know very little about computers, just enough to make a mess of things.  My backups have not been executing properly.  I just bought a new external hard drive to copy everything over to but ... of course, this happened first.  I do have other external hard drives attached to my PC that my files are stored on.  I also use Carbonite for backing up my files.  Will they be affected by the ransomware too?
Thank you for any help you can offer.

Edited by Al1000, 19 September 2016 - 02:24 AM.
deactivated links

BC AdBot (Login to Remove)


#2 Demonslay335


    Ransomware Hunter

  • Security Colleague
  • 3,579 posts
  • Gender:Male
  • Location:USA
  • Local time:03:19 AM

Posted 18 September 2016 - 08:48 PM

You were hit by Nemucod, you can find instructions on decryption here: http://www.bleepingcomputer.com/news/security/decryptor-released-for-the-nemucod-trojans-crypted-ransomware/


The reason ID Ransomware failed to identify your cases were because you did not upload an original ransom note or an encrypted file as it asks. It would have picked up on the original filename of the ransom note, and/or the ".crypted" extension of the files. I see you uploaded the zip file that probably came from the attachment in your email with the malware - ID Ransomware does not identify the malware itself, that is a job for something like VirusTotal (and is far more advanced that a website can do alone). You also changed the filename of your ransom note, so it did not pickup on that (the original is "DECRYPT.txt" as shown in the note text, you uploaded "Attention.txt").

Edited by Demonslay335, 18 September 2016 - 08:53 PM.

logo-25.pngID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

ransomnotecleaner-25.png RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

cryptosearch-25.pngCryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.

#3 Yabba Doo

Yabba Doo
  • Topic Starter

  • Members
  • 24 posts
  • Gender:Female
  • Location:Sasser, GA
  • Local time:04:19 AM

Posted 18 September 2016 - 09:41 PM

Thank you for your quick response and help.  I'm sorry, I thought I was uploading what was asked for.  I appreciate your explanation.  I'll follow the instructions for decryption.

#4 quietman7


    Bleepin' Janitor

  • Global Moderator
  • 51,937 posts
  • Gender:Male
  • Location:Virginia, USA
  • Local time:04:19 AM

Posted 19 September 2016 - 06:18 AM

Rather than have everyone with individual topics, it would be best (and more manageable for staff) if you posted any more questions, comments or requests for assistance in this support topic discussion.To avoid unnecessary confusion, this topic is closed.

The BC Staff
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users