
Unblockupc Ransomware Help & Support Topic - Files encrypted.txt


140 replies to this topic

#1 JayPol

JayPol

  • Members
  • 12 posts
  • OFFLINE
  • Local time:09:06 PM

Posted 23 September 2016 - 01:26 PM

Hello.

 

Today I found that my PC was infected with ransomware.

I have Comodo Internet Security running but it hasn't detected anything.

I did a scan with Malwarebytes as well - no threats.

 

All my files: office, pictures, videos are unplayable and in each folder I got a txt file "Files encrypted":

 

You used to download illegal
files from the internet.
Now all of your private files
has been locked and encrypted!

To unblock them visit one
of these websites:
http://unblockupc.xyz
http://unblockupc.in
http://moscovravir.ru
http://213.167.243.215
http://185.45.192.17
http://unblockupc.club

 Your UID: xxxxxxxxxxxxx

 

I uploaded both an infected file and the note to

https://id-ransomware.malwarehunterteam.com/identify.php

with no luck identifying it.

 

I just got an:

SHA1: 96d85a8a3620d4af2ea44dd6a87b58f4e4b17797

 

Any ideas?

 

Based on the website the note directs me to, I have until 1 October to pay.

 

BR




#2 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,172 posts
  • ONLINE
  • Gender:Male
  • Location:USA
  • Local time:04:06 PM

Posted 23 September 2016 - 01:28 PM

Did you download anything new before this appeared?

#3 Demonslay335

Demonslay335

    Ransomware Hunter


  • Security Colleague
  • 3,183 posts
  • OFFLINE
  • Gender:Male
  • Location:USA
  • Local time:03:06 PM

Posted 23 September 2016 - 01:30 PM

This looks new. I see it embedded the ransom note in the header of the encrypted file with "ENC" at the beginning.

 

I can set out a hunt, but we'll really need a sample of the malware itself to analyze. See if you can find where it came from, such as an email attachment or something you downloaded recently.


ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.
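A small triage script, added here and not part of this thread or of any BleepingComputer tool, that uses the one format detail given above (encrypted files start with "ENC" and carry the ransom note in their header) to find marker-bearing files under a directory and pull out the readable note text. Everything beyond the 3-byte prefix is an assumption: the 4 KiB header window, the "longest printable run" heuristic, and the constructed sample files.

```python
import re
import tempfile
from pathlib import Path

# Only the 3-byte "ENC" prefix comes from the thread; the header layout
# beyond it is unknown, so the note is taken to be the longest printable
# run inside an assumed 4 KiB header window (a heuristic, not a spec).
MARKER = b"ENC"
HEADER_SCAN_BYTES = 4096
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e\r\n]{24,}")

def is_enc_marked(path):
    """True if the file starts with the ENC marker."""
    try:
        with open(path, "rb") as fh:
            return fh.read(len(MARKER)) == MARKER
    except OSError:
        return False

def extract_note(data):
    """Longest printable run after the marker within the header window, or ''."""
    runs = PRINTABLE_RUN.findall(data[len(MARKER):HEADER_SCAN_BYTES])
    if not runs:
        return ""
    return max(runs, key=len).decode("ascii", errors="replace").strip()

def scan_dir(root):
    """Walk root; return {relative path: embedded note} for marker-bearing files."""
    hits = {}
    for p in Path(root).rglob("*"):
        if p.is_file() and is_enc_marked(p):
            hits[p.relative_to(root).as_posix()] = extract_note(p.read_bytes())
    return hits

def build_sample_tree():
    """Constructed sample files (not real malware output) for a dry run."""
    root = tempfile.mkdtemp(prefix="enc_triage_")
    note = b"Now all of your private files has been locked and encrypted!\n"
    junk = b"\x00\x80\xff" * 20  # non-printable filler standing in for ciphertext
    (Path(root) / "photo.jpg").write_bytes(MARKER + note + junk)
    (Path(root) / "notes.txt").write_bytes(b"plain text, untouched\n")
    (Path(root) / "docs").mkdir()
    (Path(root) / "docs" / "report.docx").write_bytes(MARKER + b"\x00\x01" + note + junk)
    return root

if __name__ == "__main__":
    for rel, text in scan_dir(build_sample_tree()).items():
        print(f"{rel}: {text[:60]!r}")
```

Run it against a real tree by replacing `build_sample_tree()` with the path to scan; the returned mapping doubles as an inventory of affected files for the incident record.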


#4 JayPol

JayPol
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:09:06 PM

Posted 23 September 2016 - 01:42 PM

Actually I haven't used the desktop for two days except for checking email/news. This morning everything was fine. After work (about 3 hours ago) it started its destruction (I can see the datestamp on photos/documents) and so far I have found the file decryptor.exe, which showed up with the same datestamp as the first encrypted files (unfortunately Norton NPE removed it when I did a scan in Safe Mode; I am trying to recover it).

Also I found in msconfig an "einfo" process starting from My Documents, which disappeared after I manually disabled it from running.



#5 Demonslay335

Demonslay335

    Ransomware Hunter


  • Security Colleague
  • 3,183 posts
  • OFFLINE
  • Gender:Male
  • Location:USA
  • Local time:03:06 PM

Posted 23 September 2016 - 01:50 PM

If you are able to find any suspicious files, you may submit them here: http://www.bleepingcomputer.com/submit-malware.php?channel=168

 

If Norton has any type of log, you can share that; hopefully it has a hash or something we can hunt by.




#6 JayPol

JayPol
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:09:06 PM

Posted 23 September 2016 - 02:02 PM

Thank you for such a quick response.

I managed to restore the "Decryptor.exe" file and submitted it via the link above (mentioning this thread).

I also submitted the Norton log.



#7 Demonslay335

Demonslay335

    Ransomware Hunter


  • Security Colleague
  • 3,183 posts
  • OFFLINE
  • Gender:Male
  • Location:USA
  • Local time:03:06 PM

Posted 23 September 2016 - 02:06 PM

Thanks, we'll be analyzing this soon and will see what we can figure out on it.




#8 JayPol

JayPol
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:09:06 PM

Posted 23 September 2016 - 02:09 PM

Thanks.

 

On a side note, I just did a test and created a small docx and a video file to see if the problem would repeat itself on new files; they are OK.



#9 Demonslay335

Demonslay335

    Ransomware Hunter


  • Security Colleague
  • 3,183 posts
  • OFFLINE
  • Gender:Male
  • Location:USA
  • Local time:03:06 PM

Posted 23 September 2016 - 02:22 PM

The submitted file is definitely the decrypter. I can tell it uses AES-128, and uses a 16-character password, but we'll need the malware itself to analyze for any possibly exploitable weaknesses. See if you can try tracing your steps, I'm assuming it must be a download from a website. It seems too unsophisticated to be spread via exploit kit, so it must be something you recently downloaded and ran, or received from an email.


Edited by Demonslay335, 23 September 2016 - 02:22 PM.



#10 JayPol

JayPol
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:09:06 PM

Posted 23 September 2016 - 02:42 PM

I checked the event log for MsiInstaller events from the last 7 days and, except for today's scanning, I can see a "cnwinstall.msi" from https://www.cnwrecovery.com/ which was later uninstalled.

My wife tried to fix some video file; she also says she tried some other software. I will try to scout around Event Viewer and the browser history to see what it was.



#11 morefire15

morefire15

  • Members
  • 5 posts
  • OFFLINE
  • Local time:09:06 PM

Posted 23 September 2016 - 02:49 PM

You got the same problem as me. Thanks guys. Can I help you with something?



#12 JayPol

JayPol
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:09:06 PM

Posted 23 September 2016 - 02:52 PM

@morefire15

Have you tried/installed recently any data recovery or video recovery/fix software?



#13 morefire15

morefire15

  • Members
  • 5 posts
  • OFFLINE
  • Local time:09:06 PM

Posted 23 September 2016 - 03:08 PM

@morefire15

Have you tried/installed recently any data recovery or video recovery/fix software?

Nope. I visit porn and hentai sites every night though.

Malwarebytes has just found a virus right now.

PUP.Optional.DriverAgentPlus, HKU\S-1-5-21-1791462409-1958037230-2026906046-1000\SOFTWARE\ESUPPORT.COM\DriverAgent, , [3d574431485246f083c40df29a69c43c],

This was the KEY entry.



#14 JayPol

JayPol
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:09:06 PM

Posted 23 September 2016 - 03:23 PM

I found several pieces of software downloaded/installed/removed two days ago:

plus I can see an xmlUpdater.exe in the temp files as the last file from two days ago.



#15 JayPol

JayPol
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:09:06 PM

Posted 23 September 2016 - 04:10 PM

Update #1

My wife's laptop just got infected as well; she didn't install anything recently, but we are on the same homegroup.

Update #2

I found a file with a list of the encrypted files, called "encfiles", located in the C:\ProgramData folder.





