
ASN1 Ransomware Key: How to use it?


17 replies to this topic

#1 test0r

Posted 21 October 2016 - 04:10 AM

Hello guys,

My friend was hit by a new ransomware (it looks like a homebrew one). He paid the ransom of 0.25 BTC and the website displayed a strange code with an ASN1 key.

Is that the key needed to decrypt his files? How do I use it? The decryptor on the website (segui.exe) is missing, so I'm left with just the key.

Thanks

Ransomware information:
website: hxxp://dxostywsduvmn6ra.onion
personal link: hxxps://goo.gl/P5BpDK


 


#2 quietman7

Posted 21 October 2016 - 06:16 AM

More information is needed to determine specifically what infection your friend is dealing with since there are many variants of crypto malware ransomware.

Are there any obvious file extensions appended to or with your data files?

Did your friend find any ransom notes? These infections are created to alert victims that their data has been encrypted and demand a ransom payment. Check your documents folder for an image the malware typically uses for the background note. Check the C:\ProgramData (or C:\Documents and Settings\All Users\Application Data) for a randomly named .html, .txt, .png, .bmp, .url file. Most ransomware will also drop a ransom note in every directory/affected folder where data has been encrypted.

You can submit samples of encrypted files and ransom notes to ID Ransomware for assistance with identification and confirmation. This is a service that helps identify what ransomware may have encrypted your files and then attempts to direct you to an appropriate support topic where you can seek further assistance. Uploading both encrypted files and ransom notes together provides a more positive match and helps to avoid false detections. If ID Ransomware cannot identify the infection, you can post the case SHA1 it gives you in your next reply for Demonslay335 to manually inspect the files.

Example screenshot: [image: 2016-07-01_0936.png]

Samples of any encrypted files, ransom notes or suspicious executables (installer, malicious files, attachments) that you suspect were involved in causing the infection can be submitted here (http://www.bleepingcomputer.com/submit-malware.php?channel=168) with a link to this topic. Doing that will be helpful for analysis and investigation by our crypto experts.

Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
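A small defender-side triage script for the two checks quietman7 describes above (the same note dropped in every affected folder, and any extension appended to data files). This is an added example, not code from the forum or from any of the tools linked in this thread; the sample directory tree, the file names in it and the `.locked` extension are constructed.

```python
import os
import tempfile
from collections import Counter, defaultdict

# Note extensions quietman7 lists (.html/.txt/.png/.bmp/.url) plus .htm, the readme type reported later in this thread.
NOTE_EXTS = {".html", ".htm", ".txt", ".png", ".bmp", ".url"}


def find_ransom_notes(root, min_dirs=3):
    """Map note-like filenames to the directories they appear in, keeping only names seen in
    at least min_dirs directories: ransomware drops one note per folder, ordinary files are not that uniform."""
    seen = defaultdict(list)
    for dirpath, _, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() in NOTE_EXTS:
                seen[name].append(dirpath)
    return {name: dirs for name, dirs in seen.items() if len(dirs) >= min_dirs}


def appended_extensions(root):
    """Count the trailing extension of files carrying two extensions (report.docx.locked -> ".locked").
    An empty result matches test0r's observation that this family appends no extension."""
    counts = Counter()
    for _, _, files in os.walk(root):
        for name in files:
            stem, ext = os.path.splitext(name)
            if ext and os.path.splitext(stem)[1]:
                counts[ext.lower()] += 1
    return counts


def _touch(path):
    open(path, "w").close()


def demo():
    """Constructed sample tree (hypothetical names) and both triage results for it."""
    base = tempfile.mkdtemp()
    for folder in ("Documents", "Pictures", "Desktop"):
        d = os.path.join(base, folder)
        os.makedirs(d)
        _touch(os.path.join(d, "!!!!!readme!!!!!.htm"))  # one note dropped per affected folder
        _touch(os.path.join(d, "budget.xlsx"))           # encrypted in place, no new extension
    _touch(os.path.join(base, "Desktop", "notes.txt"))          # one-off file, not a ransom note
    _touch(os.path.join(base, "Pictures", "photo.jpg.locked"))  # constructed appended extension
    return find_ransom_notes(base), appended_extensions(base)


if __name__ == "__main__":
    print(demo())
```

Point `find_ransom_notes` and `appended_extensions` at the user profile and at C:\ProgramData on the affected machine; the note name it reports and any appended extension are what ID Ransomware wants alongside the sample.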

#3 test0r


Posted 21 October 2016 - 06:46 AM

I've uploaded an encrypted file (no file extension appended) and pasted the readme file: it seems like a very badly coded ransomware.

Here is a little more information:

SHA1: c9412fa5938853ff44cb5d6791cd940f438e73ff

ASN1key: lib19c7cf669f3b47555440624987213a84

Hoping for help on how to use the key.

Regards



#4 quietman7

Posted 21 October 2016 - 07:44 AM

Demonslay335 will most likely be online later today.

#5 Demonslay335

Posted 21 October 2016 - 08:05 AM

I know what ransom note you are talking about, I saw it come through ID Ransomware yesterday and set out a hunt. I'm on mobile now, will have more info later. I also was unable to download the segui.exe, got a 404.

Do you have the malware that caused the infection, or know how they got it? We will need it for analysis.

https://twitter.com/demonslay335/status/789121686302064644?s=09

Edited by Demonslay335, 21 October 2016 - 08:23 AM.

ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]
RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]
CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.


#6 test0r


Posted 21 October 2016 - 11:27 AM

The malware was delivered via a certified email from an infected client; that's why my friend opened the file.

There is no .exe/.bat on his PC, just some registry values found with Malwarebytes.

I'm trying to find decryptolocker.exe to use the key, but it seems impossible to find on the internet anymore. Does anyone still have it?

Has anyone else got this ransomware?



#7 test0r


Posted 21 October 2016 - 11:28 AM

Anyway, the domain "dxostywsduvmn6ra" is open:

 

Index of /
[ICO] Name Last modified Size Description
[ ] hll.php 2016-10-21 14:59 4.7K
[ ] if.php 2016-10-21 15:01 5.4K
[ ] msg.php 2016-10-21 15:00 1.9K
[ ] pst.php 2016-10-21 15:00 883

 

And this is the error you get if you try to message the hacker via the support button:

 

ER:Access denied for user 'sentinel'@'localhost' (using password: YES)


Edited by test0r, 21 October 2016 - 11:29 AM.


#8 Demonslay335

Posted 21 October 2016 - 04:54 PM

Interesting, I always forget to check for open directories. :P

 

I'm not sure what "decryptolocer.exe" you are referring to, but it would be for one particular ransomware variant. I'm assuming you mean the one built for the original (dead) CryptoLocker from 2014. Every ransomware is different, and a decrypter for one variant will not decrypt files encrypted by another.

 

If you still have the email with the malware, you may PM me for an email address to send it to.

 

*Edit

I see logs of other submissions of the same ransom note to ID Ransomware from only a handful of victims starting 09/09/16 from Greece, Serbia, US, and Italy. I have added a detection rule to point any new submissions to this topic.


Edited by Demonslay335, 21 October 2016 - 05:07 PM.



#9 test0r


Posted 24 October 2016 - 03:10 AM

I don't have the email with the malware anymore, but I'm trying to recover it!

Do the other infected people have the same onion link? Did they manage to get the segui.exe file?

 

Thanks



#10 test0r


Posted 25 October 2016 - 05:58 AM

Any news?



#11 Demonslay335

Posted 25 October 2016 - 08:02 AM

We can't do anything until a sample of the malware is acquired for analysis. If we find anything, we'll be sure to post it here.




#12 Demonslay335

Posted 18 November 2016 - 08:59 PM

A sample of this was found thanks to @dvk01uk, will be taking a look at it soon.

 

https://twitter.com/dvk01uk/status/799733926466125824




#13 Letouane

Posted 18 January 2017 - 02:49 PM

Hello,

 

One of my users has been infected by this ransomware. I think I have extracted the virus, so in case you can help me decrypt his files, I uploaded a zip file containing the virus here.

Maybe you will need the readme and an encrypted file, so let me know.



#14 quietman7

Posted 18 January 2017 - 05:09 PM

Since we have not had any reports in a while, you can submit samples of encrypted files and ransom notes to ID Ransomware for assistance with confirmation. This is a service that helps identify what ransomware may have encrypted your files and then attempts to direct you to an appropriate support topic where you can seek further assistance. Uploading both encrypted files and ransom notes together provides a more positive match and helps to avoid false detections.

Samples of any encrypted files, ransom notes or suspicious executables (installer, malicious files, attachments) that you suspect were involved in causing the infection can be submitted here (https://www.bleepingcomputer.com/submit-malware.php?channel=168) with a link to this topic. There is a "Link to topic where this file was requested" box under the Browse... button. Doing that will be helpful for analysis and investigation by our crypto malware experts.

#15 Letouane

Posted 20 January 2017 - 07:10 PM

Hi Quietman, many thanks for your answer, your time and the information provided. I tried at first to submit the samples to ID Ransomware; that's how I found the link to this topic. So I uploaded 4 files for you:

1 - catsdxof.exe - which is, I imagine, the virus itself.
2 - 9e3cf1cc.exe.dat - a suspect "exe.dat" file.
3 - !!!!!readme!!!!!.htm - the only readable readme (on the desktop of the infected computer).
4 - Formulaire CAPEX à remplir.pptx - an encrypted PowerPoint document.

By the way, let me know if I can provide you more information or anything else that can help you :)



