DXXD Ransomware (dxxd) Help & Support - ReadMe.TxT


99 replies to this topic

#1 Demonslay335

Demonslay335

    Ransomware Hunter


  • Security Colleague
  • 2,752 posts
  • Gender:Male
  • Location:USA

Posted 26 September 2016 - 08:22 PM

The DXXD ransomware encrypts a victim's files and adds "dxxd" to the filename without a dot; e.g. "picture.jpg" => "picture.jpgdxxd". The victim is left with a ransom note called "ReadMe.TxT", with the following contents:

/**********************************************************/
			Dear owner, bad news!!!!

	Your SERVER [hacked], and file's [ENCRYPTED]!
	If you need back files and recommendation's,
	to protect your file's  and server, write to e-mail:
	[1]  shellexec@protonmail.com
	[2]  null_ptr@tutanota.de

	If don't answer on e-mail? Write to [jabber]:
	{
		what's jabber?
		GUIDE			 :  http://www.howtogeek.com/howto/38942/the-beginners-guide-to-pidgin-the-universal-messaging-client/
		Programm         :  https://pidgin.im/download/
		Register account :  https://www.xmpp.jp or https://rows.io/  or your custom.
		Add me           :  [one_weak@rows.io]

	}

	And so, write me.
	Sorry.
/**********************************************************/ 

The infection vector is unknown, but one victim I have been in contact with had a message added to the login screen of their Windows Server.
If you have been infected by this ransomware, please post here and we will contact you privately to assist with decrypting your files for free.


Edited by Demonslay335, 11 October 2016 - 10:03 AM.

logo-25.pngID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

ransomnotecleaner-25.png RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

cryptosearch-25.pngCryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.
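As an added triage example (not Demonslay335's tooling), this Python script walks a directory for the two indicators named in the post above, the "dxxd" suffix appended without a dot and the ReadMe.TxT note, and recovers the original filenames; the sample tree it builds is constructed.

```python
"""Triage helper for the DXXD indicators described above: filenames ending in
"dxxd" (appended without a dot) and ransom notes named ReadMe.TxT.
Added example, not Demonslay335's tooling; the sample tree is constructed."""
import os
import tempfile
from pathlib import Path
from typing import Optional

SUFFIX = "dxxd"           # appended directly to the name: picture.jpg -> picture.jpgdxxd
NOTE_NAME = "readme.txt"  # matched case-insensitively (the note is "ReadMe.TxT")

def original_name(name: str) -> Optional[str]:
    """Return the pre-encryption filename, or None if the suffix is absent.
    A file literally named "dxxd" is not treated as an encrypted file."""
    if name.lower().endswith(SUFFIX) and len(name) > len(SUFFIX):
        return name[: -len(SUFFIX)]
    return None

def scan(root: str) -> dict:
    """Walk root; collect encrypted files with recovered names, notes, and a
    per-extension count of what was hit (useful for scoping the damage)."""
    encrypted, notes, by_ext = [], [], {}
    for dirpath, _dirs, files in os.walk(root):
        for f in files:
            path = str(Path(dirpath, f))
            if f.lower() == NOTE_NAME:
                notes.append(path)
                continue
            orig = original_name(f)
            if orig is not None:
                encrypted.append((path, orig))
                ext = Path(orig).suffix.lower() or "(none)"
                by_ext[ext] = by_ext.get(ext, 0) + 1
    return {"encrypted": sorted(encrypted), "notes": sorted(notes), "by_extension": by_ext}

def build_sample() -> str:
    """Constructed sample tree (not real victim data) so the script runs offline."""
    root = tempfile.mkdtemp(prefix="dxxd_sample_")
    for rel in ("docs/report.pdfdxxd", "docs/ReadMe.TxT", "img/picture.jpgdxxd",
                "img/logo.png", "img/ReadMe.TxT", "img/dxxd"):
        p = Path(root, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"constructed sample content")
    return root

if __name__ == "__main__":
    result = scan(build_sample())
    print(f"{len(result['encrypted'])} encrypted file(s), {len(result['notes'])} note(s), "
          f"by extension: {result['by_extension']}")
```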



#2 Mae46

Mae46

  • Members
  • 1 posts

Posted 27 September 2016 - 03:13 AM

How to contact you? My PC has been attacked by this ransomware. Is it possible to recover my files?

#3 Jake8956

Jake8956

  • Members
  • 1 posts

Posted 27 September 2016 - 04:20 AM

Please help me!! My server has been encrypted by this ransomware!! I need help, please.



#4 itberkley

itberkley

  • Members
  • 1 posts

Posted 27 September 2016 - 06:37 AM

Hi. Recently infected with this virus. Here is the message:

 

/**********************************************************/
   Dear owner, bad news!!!!

 Your SERVER [hacked], and file's [ENCRYPTED]!
 If you need back files and recommendation's,
 to protect your file's  and server, write to e-mail:
 [1]  shellexec@protonmail.com
 [2]  null_ptr@tutanota.de

 If don't answer on e-mail? Write to [jabber]:
 {
  what's jabber?
  GUIDE    :  http://www.howtogeek.com/howto/38942/the-beginners-guide-to-pidgin-the-universal-messaging-client/
  Programm         :  https://pidgin.im/download/
  Register account :  https://www.xmpp.jp or https://rows.io/  or your custom.
  Add me           :  [one_weak@rows.io]

 }

 And so, write me.
 Sorry.
/**********************************************************/

 

I can upload a few of the encrypted files.


Edited by itberkley, 27 September 2016 - 06:38 AM.


#5 Demonslay335

Demonslay335

    Ransomware Hunter

  • Topic Starter

  • Security Colleague
  • 2,752 posts
  • Gender:Male
  • Location:USA

Posted 27 September 2016 - 12:32 PM

How to contact you? My PC has been attacked by this ransomware. Is it possible to recover my files?

 

Please check your PM.




#6 Demonslay335

Demonslay335

    Ransomware Hunter

  • Topic Starter

  • Security Colleague
  • 2,752 posts
  • Gender:Male
  • Location:USA

Posted 27 September 2016 - 04:28 PM

I'm releasing my decrypter for this ransomware.

 

For most cases, the default loaded key should work. If it doesn't, a key can be generated using the Settings -> Set Key, and selecting any encrypted file and its clean (unencrypted) version.

 


 

https://download.bleepingcomputer.com/demonslay335/DXXDDecrypter.zip

 

*Please note this public decrypter only works for the first variant of DXXD. For the second variant of DXXD2, please see the following post for a free decrypter: https://www.bleepingcomputer.com/forums/t/627831/dxxd-ransomware-dxxd-help-support-readmetxt/?p=4106231


Edited by Demonslay335, 14 February 2017 - 03:40 PM.



#7 Amigo-A

Amigo-A

  • Members
  • 165 posts
  • Gender:Male
  • Location:3st station from Sun

Posted 30 September 2016 - 08:20 AM

 
Demonslay335
Thank! 

Digest of Crypto-Ransomware's (In Russian) + Google Translate Technology

Anti-Ransomware Project  (In Russian) + Google Translate Technology


#8 rhvjr

rhvjr

  • Members
  • 7 posts

Posted 30 September 2016 - 12:35 PM

Demonslay335, I have attempted to use the decrypt tool today. Default settings produce a "successful" decryption, but the resultant file won't open and appears to be still encrypted. I tried the alternate method of comparing an encrypted vs. non-encrypted file and got an error that the two files don't match. I obtained the non-encrypted version from the user's email attachment and compared it to the encrypted version found on the server. I also tried obtaining original versions of other system files that were encrypted by copying good files from other servers, but that did not work either; same error: "files do not match". I believe we were attacked by brute force RDP. Two new programs were installed on the server at the time encryption occurred: 7zip and SoftPerfect RamDisk.


Edited by rhvjr, 30 September 2016 - 02:07 PM.


#9 Demonslay335

Demonslay335

    Ransomware Hunter

  • Topic Starter

  • Security Colleague
  • 2,752 posts
  • Gender:Male
  • Location:USA

Posted 30 September 2016 - 02:21 PM

Demonslay335, I have attempted to use the decrypt tool today. Default settings produce a "successful" decryption, but the resultant file won't open and appears to be still encrypted. I tried the alternate method of comparing an encrypted vs. non-encrypted file and got an error that the two files don't match. I obtained the non-encrypted version from the user's email attachment and compared it to the encrypted version found on the server. I also tried obtaining original versions of other system files that were encrypted by copying good files from other servers, but that did not work either; same error: "files do not match". I believe we were attacked by brute force RDP. Two new programs were installed on the server at the time encryption occurred: 7zip and SoftPerfect RamDisk.

 

Can you share a few encrypted files, including the encrypted/clean pairs you were trying?




#10 rhvjr

rhvjr

  • Members
  • 7 posts

Posted 30 September 2016 - 02:53 PM

https://1drv.ms/u/s!AnIDK5bhUWvhgm63EhU1v3Qj8IRk

https://1drv.ms/u/s!AnIDK5bhUWvhgnCKfAl0PrE4FYZA

https://1drv.ms/b/s!AnIDK5bhUWvhgm8yiqmYOrB6vKMk

https://1drv.ms/u/s!AnIDK5bhUWvhgnHIwV5O7P3f-9r9



#11 rhvjr

rhvjr

  • Members
  • 7 posts

Posted 30 September 2016 - 03:04 PM

Thanks for your efforts. I must go offline for a bit... I'll check back later this evening.



#12 Demonslay335

Demonslay335

    Ransomware Hunter

  • Topic Starter

  • Security Colleague
  • 2,752 posts
  • Gender:Male
  • Location:USA

Posted 30 September 2016 - 03:11 PM

@rhvjr

 

Download the latest v1.0.0.3, and uncheck "Remove Appended Bytes" under Settings. I'll release a patch to the bruteforcer soon, but it got the same key anyways.

 

https://download.bleepingcomputer.com/demonslay335/DXXDDecrypter.zip


Edited by Demonslay335, 30 September 2016 - 03:11 PM.

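The decrypter workflow in posts #6 and #12 (derive a key from an encrypted/clean pair, get "files do not match" when the pair is inconsistent, and toggle "Remove Appended Bytes") is illustrated here by an added Python example that is not Demonslay335's code: it assumes a hypothetical repeating-XOR scheme with a fixed-length appended tail, which the thread does not confirm as DXXD's actual cipher, and all sample files are constructed.

```python
"""Known-plaintext key recovery for a hypothetical repeating-XOR scheme, following
the workflow in the thread: derive a key from one encrypted/clean pair, report
"files do not match" when the pair is inconsistent, and handle a tail the
encryptor may have appended. Added example; the cipher is assumed, not DXXD's."""
from typing import Optional

KEY_LEN = 16      # assumed repeating-key length (hypothetical)
TRAILER_LEN = 4   # assumed length of appended bytes (hypothetical)

def xor_stream(data: bytes, key: bytes) -> bytes:
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def toy_encrypt(clean: bytes, key: bytes, append: bool) -> bytes:
    """Constructed encryptor used only to build sample pairs."""
    return xor_stream(clean, key) + (b"\xde\xad\xbe\xef" if append else b"")

def strip_trailer(enc: bytes, remove_appended: bool) -> bytes:
    """Mimics a 'Remove Appended Bytes' setting that blindly drops a fixed tail."""
    return enc[:-TRAILER_LEN] if remove_appended else enc

def derive_key(enc: bytes, clean: bytes, remove_appended: bool) -> Optional[bytes]:
    """Recover the key from one pair. None means 'files do not match': the
    lengths disagree after tail handling, or ciphertext XOR plaintext is not periodic."""
    body = strip_trailer(enc, remove_appended)
    if len(body) != len(clean) or len(clean) < KEY_LEN:
        return None
    key = xor_stream(body, clean)[:KEY_LEN]   # keystream = ciphertext XOR plaintext
    return key if xor_stream(clean, key) == body else None

def decrypt(enc: bytes, key: bytes, remove_appended: bool) -> bytes:
    return xor_stream(strip_trailer(enc, remove_appended), key)

# Constructed sample data (not real victim files)
SAMPLE_KEY = bytes(range(1, KEY_LEN + 1))
CLEAN_A = b"%PDF-1.4 constructed sample document body " * 3
CLEAN_B = b"\xff\xd8\xff\xe0 constructed jpeg-like bytes " * 2
OTHER_VERSION = CLEAN_A[:100] + b"X" + CLEAN_A[101:]  # same size, one byte differs
ENC_A = toy_encrypt(CLEAN_A, SAMPLE_KEY, append=True)
ENC_B = toy_encrypt(CLEAN_B, SAMPLE_KEY, append=True)
ENC_A_NO_TAIL = toy_encrypt(CLEAN_A, SAMPLE_KEY, append=False)

def demo() -> dict:
    key = derive_key(ENC_A, CLEAN_A, remove_appended=True)
    return {
        "key_recovered": key == SAMPLE_KEY,
        "second_file_decrypts": key is not None and decrypt(ENC_B, key, True) == CLEAN_B,
        "wrong_clean_copy_rejected": derive_key(ENC_A, OTHER_VERSION, True) is None,
        "setting_mismatch_rejected": derive_key(ENC_A_NO_TAIL, CLEAN_A, True) is None,
        "setting_unchecked_works": derive_key(ENC_A_NO_TAIL, CLEAN_A, False) == SAMPLE_KEY,
    }
```

The last two entries show why the setting matters: when the encrypted file carries no appended tail, blindly removing bytes produces a length mismatch, which is exactly the "files do not match" symptom.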


#13 rhvjr

rhvjr

  • Members
  • 7 posts

Posted 30 September 2016 - 03:38 PM

I am not able to get that to work... I get the same result: either the files don't match when attempting to get a code, or the decrypted file won't open. Tested with PDF. The decryption process says it was successful, but the file won't open; the Adobe error says the file is corrupted.



#14 Demonslay335

Demonslay335

    Ransomware Hunter

  • Topic Starter

  • Security Colleague
  • 2,752 posts
  • Gender:Male
  • Location:USA

Posted 30 September 2016 - 04:03 PM

I am not able to get that to work... I get the same result: either the files don't match when attempting to get a code, or the decrypted file won't open. Tested with PDF. The decryption process says it was successful, but the file won't open; the Adobe error says the file is corrupted.

 

Can you share an encrypted/clean pair of files over 1.05MB?




#15 rhvjr

rhvjr

  • Members
  • 7 posts

Posted 30 September 2016 - 08:38 PM

https://infostreaminc-my.sharepoint.com/personal/henry_infostream_cc/_layouts/15/guestaccess.aspx?guestaccesstoken=zJ%2bcLlNUkHAXz2D%2bfhHI4nWqur8s%2fnq9dIxUJO9%2f9EM%3d&docid=18c155117083f4d6d91d5ce55ea2fbb50&rev=1

 

https://infostreaminc-my.sharepoint.com/personal/henry_infostream_cc/_layouts/15/guestaccess.aspx?guestaccesstoken=STtDntDFvR4OFjycLShlT1oBDSbXcYqK978ZsH3PoRc%3d&docid=16d1872f88e5244d1bd12cba059515f77&rev=1

 

Thanks again.





