
RotorCrypt (RotoCrypt) Ransomware Support Topic - .tar, .c400, .c300, .GRANIT


23 replies to this topic

#1 Y2Breeze (Members, 5 posts)

Posted 17 October 2016 - 12:06 PM

Hi

A client of mine got infected by something that looks like the Gomasom ransomware, but the resulting files all end in *.tar.

Here are 2 zip files, one with the encrypted files and the other with the same files from an old offline backup.

Any idea how to decrypt this?

hxxp://datatest.simonznet.com/RANSOMWARE/

Thanks

Olivier


#2 Y2Breeze (Topic Starter, Members, 5 posts)

Posted 17 October 2016 - 12:08 PM

There were no decryption instructions left on the computer. I wrote to the email address using a random email account, and here is their answer:

> Good day
>
> Your files were encrypted/locked.
> As evidence, we can decrypt 1 to 3 files of 1-30 MB.
> The price for decrypting all the files on the server: 7 Bitcoin.
>
> We recommend solving the problem quickly and not delaying.
>
> We will also give advice on how to protect your server against threats from the network.
>
> (SQL, MDF and backup files are decrypted strictly after payment!)



#3 quietman7 (Bleepin' Janitor, Global Moderator, 49,953 posts, Virginia, USA)

Posted 17 October 2016 - 12:33 PM

You can submit samples of encrypted files and ransom notes to ID Ransomware for assistance with identification and confirmation. This is a service that helps identify what ransomware may have encrypted your files and then attempts to direct you to an appropriate support topic where you can seek further assistance. Uploading both encrypted files and ransom notes together provides a more positive match and helps to avoid false detections. If ID Ransomware cannot identify the infection, you can post the case SHA1 it gives you for Demonslay335 to manually inspect the files.

Microsoft MVP Consumer Security 2007-2015
Microsoft MVP Reconnect 2016
Windows Insider MVP 2017
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click here.

#4 quietman7 (Bleepin' Janitor, Global Moderator, 49,953 posts, Virginia, USA)

Posted 17 October 2016 - 12:33 PM


Samples of any encrypted files, ransom notes or suspicious executables (installer, malicious files, attachments) that you suspect were involved in causing the infection can be submitted here (http://www.bleepingcomputer.com/submit-malware.php?channel=168) with a link to this topic. Doing that will help our crypto experts analyze and investigate.

#5 Y2Breeze (Topic Starter, Members, 5 posts)

Posted 17 October 2016 - 12:39 PM

ID Ransomware cannot identify the ransomware.

SHA1 is fd65d1e0b248c8ec254ab3086f5877ff2065d72a

Sending the files to your second link right now.



#6 quietman7 (Bleepin' Janitor, Global Moderator, 49,953 posts, Virginia, USA)

Posted 17 October 2016 - 02:58 PM

Ok.

After our experts examine the files, they will post in this topic if they can assist or need further information.

#7 mike 1 (Members, 195 posts, Moscow, Russia)

Posted 17 October 2016 - 03:21 PM

This is Trojan-Ransom.Win32.Rotor.

Sample: https://www.hybrid-analysis.com/sample/e4a60a227edaff8c43cf1b318f45e70d23fa5c068fb5d578cb8aeb87358866f6?environmentId=100

VT: https://www.virustotal.com/ru/file/e4a60a227edaff8c43cf1b318f45e70d23fa5c068fb5d578cb8aeb87358866f6/analysis/


I eat mice

My processor: AMD Athlon X4 860K, 4 cores


#8 SamsonFromTheBible (Members, 11 posts)

Posted 18 October 2016 - 05:09 AM

Is the virus on Mac by any chance?



#9 Y2Breeze (Topic Starter, Members, 5 posts)

Posted 18 October 2016 - 10:03 AM

No, Windows 7



#10 Demonslay335 (Ransomware Hunter, Security Colleague, 3,251 posts, USA)

Posted 18 October 2016 - 06:54 PM

Interesting, I have not seen a ransomware use ".tar". It isn't a valid Tar archive either. Can you also upload the ransom note to ID Ransomware so I can archive it?

Thanks for the sample mike1. Has any further analysis been done on it already? It crashed on my VM. I see RakhniDecryptor lists it, but it stated unsupported when I selected this user's files.


Edited by Demonslay335, 18 October 2016 - 06:55 PM.

ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]
RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]
CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.


#11 Y2Breeze (Topic Starter, Members, 5 posts)

Posted 20 October 2016 - 11:56 AM

There is no ransom note anywhere. All we figured out was to try writing to the email address embedded in the encrypted files' filenames.



#12 mike 1 (Members, 195 posts, Moscow, Russia)

Posted 21 October 2016 - 05:10 AM

> Thanks for the sample mike1. Has any further analysis been done on it already? It crashed on my VM. I see RakhniDecryptor lists it, but it stated unsupported when I selected this user's files.

Tech support at Kaspersky Lab said that it cannot be decrypted.




#13 mike 1 (Members, 195 posts, Moscow, Russia)

Posted 31 October 2016 - 10:23 AM

https://www.virustotal.com/ru/file/b20177fa76cc97cfb9d6d7425d636ade46980420ca1d8b5f8b662d4ba8cb1ba8/analysis/

RotoCrypt. Variant: ___ELIZABETH7@PROTONMAIL.COM____crypt




#14 jumpline (Members, 4 posts, Moscow, Russia)

Posted 03 November 2016 - 05:02 AM

Hello, can someone help with a decoder? It encrypts all files as !_____LIKBEZ77777@GMAIL.COM____.c400
Below are a link to the virus and a link to an encrypted file.

http://www.filedropper.com/viruspass123 (password 123)

http://www.filedropper.com/perenosdannyhxmllikbez77777gmailcom
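Two of the checks discussed above are worth automating when triaging a hit like this: Demonslay335's point in #10 that a ".tar" file produced by this ransomware is not a valid tar archive, and the observation in #11, #13 and #14 that the contact e-mail and a variant suffix are appended to each encrypted file's name. The script below is an added example in Python and is not code from this thread, from ID Ransomware or from any decryptor. The "___EMAIL____suffix" name layout it parses is an assumption inferred from the two names quoted in #13 and #14, not a documented format, and the sample names and byte strings are constructed here; only the stdlib `tarfile` module is used.

```python
"""Triage helpers for files renamed by a RotorCrypt/RotoCrypt-style ransomware.

Added example, not code from the thread. Two checks a responder wants before
trusting an extension:
  1. is_tar_archive(): a file ending in ".tar" is only a tar archive if its
     first 512-byte block is a valid ustar/GNU header (magic at offset 257 and
     a header checksum that verifies). Renamed ciphertext fails this.
  2. triage_name(): split an encrypted file name into the original name, the
     embedded contact e-mail, and the appended suffix. The "___EMAIL____suffix"
     layout is inferred from the names quoted in this thread (an assumption).
"""
import hashlib
import io
import re
import tarfile

TAR_BLOCK = 512


def is_tar_archive(data: bytes) -> bool:
    """True only if data starts with a ustar/GNU header whose checksum verifies."""
    if len(data) < TAR_BLOCK:
        return False
    hdr = data[:TAR_BLOCK]
    # POSIX ustar writes "ustar\0", GNU tar writes "ustar " at offset 257.
    # Pre-POSIX v7 archives carry no magic and are rejected here (known limit).
    if hdr[257:262] != b"ustar":
        return False
    stored = hdr[148:156].strip(b"\0 ")
    try:
        expected = int(stored.decode("ascii"), 8)
    except (UnicodeDecodeError, ValueError):
        return False
    # tar(5): checksum = byte sum of the header with the 8-byte checksum field
    # itself counted as ASCII spaces.
    computed = sum(hdr[:148]) + 8 * 0x20 + sum(hdr[156:])
    return computed == expected


# Assumed layout: <original name>[!]<_+><email><_+><suffix>, from the names
# quoted in this thread. A contact address containing "_" would not match.
_EMBEDDED_EMAIL = re.compile(r"_+([^_@\s]+@[^_@\s]+)_+")


def triage_name(filename: str) -> dict:
    """Split an encrypted file name into original name, contact e-mail, suffix."""
    m = _EMBEDDED_EMAIL.search(filename)
    if m is None:
        # No embedded contact (e.g. the plain ".tar" case): use the extension.
        stem, dot, ext = filename.rpartition(".")
        return {"original": stem if dot else filename,
                "contact": None,
                "suffix": ext.lower() if dot else ""}
    return {"original": filename[:m.start()].rstrip("!."),
            "contact": m.group(1),
            "suffix": filename[m.end():].lstrip("._").lower()}  # lowercased for matching


def triage(filename: str, data: bytes) -> dict:
    """Combine both checks: a ".tar" whose header does not verify is renamed ciphertext."""
    info = triage_name(filename)
    info["valid_tar"] = is_tar_archive(data)
    info["renamed_ciphertext"] = info["suffix"] == "tar" and not info["valid_tar"]
    return info


def build_sample_tar() -> bytes:
    """Constructed sample: a real one-member ustar archive built with tarfile."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.USTAR_FORMAT) as tf:
        payload = b"constructed sample, not client data\n"
        info = tarfile.TarInfo("notes.txt")
        info.size = len(payload)
        tf.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


def build_fake_encrypted() -> bytes:
    """Constructed stand-in for an encrypted file: a SHA-256 chain with no
    structure. Not real RotorCrypt output, just bytes that look like ciphertext."""
    block = hashlib.sha256(b"constructed stand-in, not real ciphertext").digest()
    out = bytearray()
    for _ in range(64):
        out += block
        block = hashlib.sha256(block).digest()
    return bytes(out)


if __name__ == "__main__":
    # Constructed file names built from the suffixes quoted in posts #13 and #14.
    for name, blob in [("backup.tar", build_fake_encrypted()),
                       ("backup.tar", build_sample_tar()),
                       ("Report.xlsx!_____LIKBEZ77777@GMAIL.COM____.c400", build_fake_encrypted()),
                       ("db.mdf___ELIZABETH7@PROTONMAIL.COM____crypt", build_fake_encrypted())]:
        print(name, "->", triage(name, blob))
```

Run over a directory, the `renamed_ciphertext` flag separates files that merely had ".tar" appended from genuine archives, and the `contact` field gives the address to search for in other reports (ID Ransomware accepts the file name as part of a submission) without having to open any of the encrypted files.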



#15 quietman7 (Bleepin' Janitor, Global Moderator, 49,953 posts, Virginia, USA)

Posted 03 November 2016 - 05:50 AM

You can submit samples of encrypted files and ransom notes to ID Ransomware for assistance with identification and confirmation. This is a service that helps identify what ransomware may have encrypted your files and then attempts to direct you to an appropriate support topic where you can seek further assistance. Uploading both encrypted files and ransom notes together provides a more positive match and helps to avoid false detections.