
fs0ciety Locker Ransomware Help & Support (fs0ciety.html)


30 replies to this topic

#1 azodnemyar


Posted 30 September 2016 - 07:27 PM

Hey guys,
 
I have read literally every page google throws out regarding the fs0ciety locker virus.  I've got tens of thousands of files that were encrypted and need to get them back.  Sadly no, we didn't have backups.  I even ran a python script that was posted somewhere based on the alpha version detected of this virus.  The key was hard-coded in the source code as "123456789123456" - but that hasn't worked.  
Just wondering if anyone else is seeing this too...??  ::take a deep breath and hope someone has info:::



#2 Demonslay335


Posted 30 September 2016 - 07:40 PM

Do you have a sample of the malware itself that caused the encryption? I've only seen dev versions of any FSociety ransomware, including the one based on EDA2.

What is the extension on your files and is there a ransom note?

ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.


#3 azodnemyar


Posted 30 September 2016 - 07:48 PM


Thanks for your reply. I am trying to get the malware itself. In an effort to prevent encryption of 100% of our data we began removing workstations from the network and are scanning them individually offline, which makes it longer and harder to track down the source of infection. It did get to infect about 40% of our network shares. It has renamed each file to:

<original filename>.realfs0ciety@sigaint.org.fs0ciety

Once we find the culprit we'll be able to post more logs -- but that may be a while and I was hoping we weren't the only ones to fall victim to this attack. If you know of anything that may help please let me know.



#4 azodnemyar


Posted 30 September 2016 - 08:00 PM

Also, no ransom note, as we may have stopped it before it got to that point.

#5 Demonslay335


Posted 30 September 2016 - 08:06 PM

The new owner of the files should narrow down the user account that's encrypting, which should narrow down what workstation it could be.

Edited by Demonslay335, 30 September 2016 - 08:06 PM.

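One way to carry out the owner check suggested above, as an added example that is not from this thread and not one of Demonslay335's tools: it lists every file on a share that carries the renaming suffix reported in post #3, reads each file's NTFS owner, and summarises per account how many files were written and over what time window. The share path is an assumed placeholder.

```powershell
# Added triage script (not part of the thread). Assumption: $Share is the UNC
# path of an affected share; adjust it before running. Needs read access only.
$Share   = '\\fileserver\data'
# Suffix the thread reports being appended to every encrypted file.
$Pattern = '\.realfs0ciety@sigaint\.org\.fs0ciety$'

$encrypted = Get-ChildItem -Path $Share -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match $Pattern } |
    ForEach-Object {
        # The encrypting process creates the renamed file, so its NTFS owner is
        # normally the account the malware ran under. Files we cannot read the
        # ACL of are reported as 'unknown' rather than aborting the scan.
        $owner = 'unknown'
        try { $owner = (Get-Acl -LiteralPath $_.FullName).Owner } catch { }
        [pscustomobject]@{
            Owner    = $owner
            Written  = $_.LastWriteTime
            Original = $_.Name -replace $Pattern, ''
            Path     = $_.FullName
        }
    }

# Per-owner summary: file count plus first and last write time, so the account
# (and from the account, the workstation) with the activity stands out.
$summary = $encrypted |
    Group-Object Owner |
    Sort-Object Count -Descending |
    ForEach-Object {
        $times = @($_.Group.Written | Sort-Object)
        [pscustomobject]@{
            Owner      = $_.Name
            Files      = $_.Count
            FirstWrite = $times[0]
            LastWrite  = $times[-1]
        }
    }

$summary | Format-Table -AutoSize

# Keep the full inventory: it is both the restore list and the evidence record.
$encrypted | Export-Csv -LiteralPath "$env:TEMP\fs0ciety-inventory.csv" -NoTypeInformation
```

Run it from an account that can read the share but has no write access, and run it against each share separately if the shares live on different servers.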


#6 azodnemyar


Posted 30 September 2016 - 08:09 PM

Thanks. Will get that next!

#7 azodnemyar


Posted 30 September 2016 - 09:10 PM

Found the virus to be at:

C:\users\ricoh\driver_update.exe

Also - a file named discovered.txt which contains a list of files to be encrypted.

Lastly a file named: 57BJWKEVebQtD8d1Z64pk0ymSB3NYyiI

Which looks like an MD5 hash. The contents of the file contain:

µû#²*xU
knHË¢ëÛÄ

Does that make sense to anyone?

#8 Demonslay335


Posted 30 September 2016 - 09:58 PM

You may submit the malicious files here for analysis: http://www.bleepingcomputer.com/submit-malware.php?channel=168



#9 azodnemyar


Posted 30 September 2016 - 10:13 PM

Submitted! Thanks

#10 Fabian Wosar


Posted 01 October 2016 - 07:38 AM

Looks like a Python ransomware. Any chance you can provide us with some encrypted files? You can upload them the same way as before.
Best regards,

Fabian Wosar [Development]
Emsisoft Team - www.emsisoft.com

#11 azodnemyar


Posted 01 October 2016 - 12:31 PM

Sent several png and jpg images.  If you need different file types let me know!   Thanks for your reply!



#12 Fabian Wosar


Posted 01 October 2016 - 01:03 PM

Thanks. Any chance you can tell me the ID the ransomware assigned to you?
Best regards,

Fabian Wosar [Development]
Emsisoft Team - www.emsisoft.com

#13 azodnemyar


Posted 01 October 2016 - 08:04 PM

I apologize for not understanding your question.  Where would I find that ID?



#14 Demonslay335


Posted 01 October 2016 - 08:19 PM

It should be in the ransom note, which is called "fs0ciety.html". It will have the text "Your Unique 16 Byte Identifier:" followed by a random string. That is the ID. The file may be located in the same directory the malware ran, which may be in %TEMP%.

 

If you do not have a ransom note, I don't think there will be any other way to get the ID, and we'll have to find another way to try recovering the files. The malware is currently under analysis right now.


Edited by Demonslay335, 01 October 2016 - 08:21 PM.



#15 azodnemyar


Posted 01 October 2016 - 10:07 PM

Just searched for all files *fs0ciety*.html / htm and didn't find any results on the 3 infected systems on the network that were wreaking havoc. I'm wondering if we stopped it before generation of this file. Keep in mind that we found a file that seemed to contain a hash (possibly an ID) of some sort located in the same directory as the executable: c:\users\ricoh\downloads\<random string>. That file was submitted as well.





