Posted 27 September 2016 - 10:43 PM
Posted 28 September 2016 - 12:42 AM
Try here to identify the encrypted file and the ransom note:
https://id-ransomware.malwarehunterteam.com/identify.php
Posted 28 September 2016 - 12:50 AM
Try here to identify the encrypted file and the ransom note:
I tried that one, which is how I generated those case numbers. Unfortunately it did not pick which version it was.
Posted 28 September 2016 - 06:07 AM
Posted 28 September 2016 - 08:17 AM
No results for files '!_HOW_TO_RESTORE_1igw.html' and 'PilotARN.xlsx.1igw'
I've seen ransom notes for that before, but haven't fully identified it yet. The extension part is random by the way, so you won't find results on it.
Based on the ransom note contents and how it handles "knowing" your extension, it seems like it is an evolution of AlmaLocker. I only now opened up the Tor page for the first time, and it literally calls itself "Princess Locker".
https://twitter.com/demonslay335/status/781122627054206976
We will need a sample of the malware to analyze. If you find any malicious or suspicious files, please submit them here: http://www.bleepingcomputer.com/submit-malware.php?channel=168
Edited by Demonslay335, 28 September 2016 - 08:29 AM.
ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]
RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]
CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]
If I have helped you and you wish to support my ransomware fighting, you may support me here.
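As an added illustration of the naming scheme described in the post above (this is example code written for this page, not a tool from BleepingComputer or from Demonslay335), the snippet below triages a directory listing: it learns the per-infection random token from ransom notes named `!_HOW_TO_RESTORE_<token>.html`, then flags files carrying that token as an appended extension and recovers their original names. The file listing is constructed for the example, and the assumptions that the token is alphanumeric and that the encrypted name is simply the original name plus `.<token>` are inferred from the single sample pair quoted in the thread (`PilotARN.xlsx.1igw`), so they are hypotheses, not documented behaviour of the malware.

```python
import re

# Constructed directory listing for the example; not from a real infection.
SAMPLE_LISTING = [
    "!_HOW_TO_RESTORE_1igw.html",
    "PilotARN.xlsx.1igw",
    "Q3-report.docx.1igw",
    "notes.txt",
    "photos/vacation.jpg.1igw",
    "photos/!_HOW_TO_RESTORE_1igw.html",
    "archive.zip",
]

# Ransom note name as quoted in the thread: "!_HOW_TO_RESTORE_<token>.html".
# Assumption (hypothetical): the random token is alphanumeric.
NOTE_RE = re.compile(r"^!_HOW_TO_RESTORE_([A-Za-z0-9]+)\.html$")


def _basename(path):
    """Last path component, treating '/' as the separator."""
    return path.rsplit("/", 1)[-1]


def find_note_tokens(paths):
    """Return the set of random tokens found in ransom note filenames.

    Because the token is random per infection, the note is the only place
    it can be learned from; searching for the extension directly would not
    work, as the post above explains.
    """
    tokens = set()
    for p in paths:
        m = NOTE_RE.match(_basename(p))
        if m:
            tokens.add(m.group(1))
    return tokens


def triage(paths):
    """Classify a listing into ransom notes, encrypted files and the rest.

    'encrypted' maps each flagged path to its recovered original name, on
    the assumption that the malware only appended '.<token>' to the name.
    """
    tokens = find_note_tokens(paths)
    result = {"notes": [], "encrypted": {}, "untouched": []}
    for p in paths:
        if NOTE_RE.match(_basename(p)):
            result["notes"].append(p)
            continue
        for t in tokens:
            suffix = "." + t
            # Require a non-empty stem so a bare ".1igw" is not "recovered" to "".
            if p.endswith(suffix) and len(_basename(p)) > len(suffix):
                result["encrypted"][p] = p[: -len(suffix)]
                break
        else:
            result["untouched"].append(p)
    return result


if __name__ == "__main__":
    report = triage(SAMPLE_LISTING)
    print("token(s):", sorted(find_note_tokens(SAMPLE_LISTING)))
    for enc, orig in report["encrypted"].items():
        print(f"encrypted: {enc}  ->  original: {orig}")
    print("notes:", report["notes"])
    print("untouched:", report["untouched"])
```

The match on the appended extension is a heuristic: a legitimate file that happens to end in the same four characters would be flagged too, so the recovered names are a starting point for inventorying damage, not proof that a file was encrypted.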
Posted 28 September 2016 - 08:36 PM
No results for files '!_HOW_TO_RESTORE_1igw.html' and 'PilotARN.xlsx.1igw'
I've seen ransom notes for that before, but haven't fully identified it yet. The extension part is random by the way, so you won't find results on it.
Based on the ransom note contents and how it handles "knowing" your extension, it seems like it is an evolution of AlmaLocker. I only now opened up the Tor page for the first time, and it literally calls itself "Princess Locker".
https://twitter.com/demonslay335/status/781122627054206976
We will need a sample of the malware to analyze. If you find any malicious or suspicious files, please submit them here: http://www.bleepingcomputer.com/submit-malware.php?channel=168
I have just submitted it for analysis. I'm 99.9% sure that's the one that caused the problems. It came in an email attachment, disguised as a FedEx email.
Posted 29 September 2016 - 08:56 AM
Posted 29 September 2016 - 05:52 PM
That was a Nemucod dropper sample that drops the PHP variant of Nemucod's own ransomware. Afraid it was not Princess Locker.
Bummer. I'm working on the machine through Remote Desktop as it's a long way away. I'll take a backup of the drives and get it shipped down to me so I can examine it on an isolated system.
Posted 16 November 2016 - 03:20 PM
Victims may have hope: hasherezade is working on a decrypter.
https://twitter.com/hasherezade/status/798979874455257088
Posted 16 November 2016 - 09:09 PM
Victims may have hope: hasherezade is working on a decrypter.
Some good news hopefully.
I've only just had the hard drives delivered to me from our remote site, and I can't find the bloody ransomware on the drive, which makes me think either the virus scanner canned it, it was run from somebody's USB, or the person who ran it had deleted it (or it was purged from their internet temp files when they logged out). It's good news somebody else found a copy to play with. Even better if they have a working decryptor; it means the few files which were not in last night's backup can be recovered without too much data loss.
I would have loved to have done a file recovery on the drive, but they are hosted on virtual drives in Hyper-V and too much had been overwritten by the time I got called in on the job. It looked like it simply deleted the files after creating the encrypted copies.
Posted 16 November 2016 - 10:57 PM
@All
If anyone has been affected by this ransomware, please share a few encrypted files, and you will receive private help.
Posted 18 November 2016 - 11:42 AM
hasherezade has released a full tool for victims to decrypt their files; she also added the ability to decrypt folders.
https://hshrzd.wordpress.com/2016/11/17/princess-locker-decryptor/
Thanks to hasherezade for her work as always.