Ransom paid - now they want more. Help :(


6 replies to this topic

#1 Simon75

Simon75

  • Members
  • 3 posts
  • OFFLINE

Posted 25 October 2016 - 12:56 PM

Hello,

 

A local business contacted me as their software had stopped working. It turned out they had a ransomware infection (.SCL and the occasional .LOL! extension). Either CryptFile2 or Zeta. None of the Kaspersky tools work. 90GB of data encrypted and no backup.

 

Around half of the files were recovered to an external drive, using Shadow Explorer.  Recuva Pro recovered a handful more.

 

Their most important files are still encrypted.

 

So, with no other option, I e-mailed the address given in the .TXT files littered about the folders. They asked for 10 bitcoins - a rather large sum by anyone's standards. I said I could afford only £800 GBP (1.42 bitcoins at the time of the transfer). This was agreed and the ransom paid.

 

A few hours have passed and I've just had this message:

 

We just have received the answer from the Main Server.
We are really sorry but You need to add a 4 bitcoins.
It's the best deal for You. We tried to help You.
Excuse us again please.
Best regards!

 

 

The business and I are at a loss for what to do at this point.  Not having the data is not an option.

 

Does anyone have a recommendation for what we should do?

 

Simon 


Edited by Simon75, 25 October 2016 - 01:01 PM.



#2 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,621 posts
  • ONLINE
  • Gender:Male
  • Location:USA

Posted 25 October 2016 - 01:14 PM

Did you email them from the company's email domain?



#3 Demonslay335

Demonslay335

    Ransomware Hunter


  • Security Colleague
  • 3,527 posts
  • OFFLINE
  • Gender:Male
  • Location:USA

Posted 25 October 2016 - 01:14 PM

There's nothing else you really can do. This is one reason security experts recommend against paying; they are criminals after all, and you are just encouraging extortion. If they had no backups, then whatever you could get with ShadowExplorer or Recuva is all they will be able to get basically. You could try TestDisk or PhotoRec. Otherwise, you can only backup the encrypted data and hope for the future.




#4 Simon75

Simon75
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE

Posted 25 October 2016 - 01:30 PM

Did you email them from the company's email domain?

 

No, I set up a Yahoo account on a VM with CyberGhost installed. I didn't say I was a business, and the test file I sent them to decrypt was just a family photo they happened to have lying around.



#5 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,621 posts
  • ONLINE
  • Gender:Male
  • Location:USA

Posted 25 October 2016 - 05:01 PM

Strange... time to get the word out then if these people are going to pull this bleep.

 

 

So your client was infected with two ransomware infections?



#6 Simon75

Simon75
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE

Posted 26 October 2016 - 04:41 AM

So your client was infected with two ransomware infections?

 

 

Well, I'm not sure.  It sure is odd.  They got hit on Sunday night, 47,000 files encrypted.  Those files have .SCL extensions.  In addition to that, there were just over 1,000 files with .LOL! extensions, some of which were modified on Sunday, but most of which had creation dates of 20 Jun 2013.  Nothing I've seen says that these viruses mess with or fake creation/modification datestamps on the files?  I've not looked into it properly really.



#7 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,612 posts
  • OFFLINE
  • Gender:Male
  • Location:Virginia, USA

Posted 26 October 2016 - 06:05 AM

...Those files have .SCL extensions.  In addition to that, there were just over 1,000 files with .LOL! extensions, some of which were modified on Sunday, but most of which had creation dates of 20 Jun 2013...

Any files that are encrypted with CryptoMix Ransomware (CryptFile2) will have an <id number>.<email>_.code or <id number>.<email>_.scl extension appended to the end of the encrypted data filename and leave files (ransom notes) named HELP_YOUR_FILES.HTML, HELP_YOUR_FILES.TXT.

Any files that are encrypted with Zeta Ransomware will have the .id_<id-number>_email_zeta@dr.com.scl extension appended to the end of the encrypted data filename and leave files (ransom notes) named HELP_YOUR_FILES.HTML and HELP_YOUR_FILES.TXT.

Any files that are encrypted by .LOL! (.OMG!) Ransomware will have an .LOL! or .OMG! extension appended to the end of the encrypted data filename.

You can submit samples of encrypted files and ransom notes to ID Ransomware for assistance with identification and confirmation. This is a service that helps identify what ransomware may have encrypted your files and then attempts to direct you to an appropriate support topic where you can seek further assistance. Uploading both encrypted files and ransom notes together provides a more positive match and helps to avoid false detections.
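The three naming schemes quietman7 describes above are regular enough to sort a file listing by family before anything is uploaded to ID Ransomware, and to recover each original filename for when a decryptor appears. This is an added example, not code from the thread or from any of the tools mentioned; the regexes, the sample listing, the id numbers and the non-Zeta e-mail address are constructed.

```python
import re
from collections import Counter

# Filename patterns as described in quietman7's post. The regexes are my own
# construction; each captures the original name so it can be restored later.
FAMILY_PATTERNS = [
    # Zeta: ".id_<id-number>_email_zeta@dr.com.scl" appended to the filename
    ("Zeta",
     re.compile(r"^(?P<orig>.+)\.id_(?P<id>\d+)_email_zeta@dr\.com\.scl$", re.I)),
    # CryptoMix / CryptFile2: "<id number>.<email>_.code" or "<id number>.<email>_.scl"
    ("CryptoMix (CryptFile2)",
     re.compile(r"^(?P<orig>.+)\.(?P<id>\d+)\.(?P<email>[^\s/\\]+@[^\s/\\]+)_\.(?:code|scl)$", re.I)),
    # .LOL! / .OMG! ransomware: ".LOL!" or ".OMG!" appended
    (".LOL!/.OMG!", re.compile(r"^(?P<orig>.+)\.(?:LOL|OMG)!$", re.I)),
]
# Ransom note names left by both CryptoMix and Zeta
RANSOM_NOTES = {"HELP_YOUR_FILES.HTML", "HELP_YOUR_FILES.TXT"}

def classify(filename):
    """Return (family, original_filename) for a renamed file, or None if unmatched."""
    for family, pattern in FAMILY_PATTERNS:
        m = pattern.match(filename)
        if m:
            return family, m.group("orig")
    return None

def is_ransom_note(filename):
    return filename.upper() in RANSOM_NOTES

def triage(filenames):
    """Count files per family; names matching no scheme are reported as 'unaffected'."""
    counts = Counter()
    for name in filenames:
        if is_ransom_note(name):
            counts["ransom note"] += 1
            continue
        hit = classify(name)
        counts[hit[0] if hit else "unaffected"] += 1
    return dict(counts)

# Constructed sample listing (the id numbers and the non-Zeta address are placeholders)
SAMPLE_LISTING = [
    "Q3_budget.xlsx.0123456789.restoring_sup@example.com_.scl",
    "invoice_2016.pdf.id_4410927355_email_zeta@dr.com.scl",
    "family_photo.jpg.LOL!",
    "HELP_YOUR_FILES.TXT",
    "readme.docx",
]

if __name__ == "__main__":
    print(triage(SAMPLE_LISTING))
```

Run it over a recursive directory listing of the affected share; a mix of families in the output, as in this thread, is a sign that more than one infection touched the machine.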



