
New Ransomware?

#1 ss911der

ss911der

  • Members
  • 2 posts
  • OFFLINE
  • Local time:04:34 PM

Posted 10 November 2016 - 11:30 PM

Hello,

 

Today I ran into a Windows 2008 Server that has a C: and D: partition. It seems like D: was wiped out, as there aren't any encrypted files, just a text document named READ ME, which is also on C:. Most programs are inaccessible and the start menu is empty, so I am afraid to restart at this point. Backups were done with the built-in Windows Server Backup, which I cannot start, since right-clicking on Computer and choosing Manage does nothing. When opening the READ ME file that was left, it says the following:

 

Hi, I infiltrate your system in your system Small Diameter I found Open and TIM encrypted files in Figure I Kirilmiycak
Password we have created as a term of 12 Eger Clock Transformation yapilmass encrypt with the self-destruction of my files to edicem
You've done a nonsense question why not check mail asking why he did how did you throw your silly hair mails
alamiycaks answer your funny figures do not offer you just specify your e-mail us to dispose of sufficient olucam REFERENCE NUMBERS
We determined we price according to price your reference number that you go to the center belirtcez verikurtar olucaktir reason to spend anchor bose
geçmiyce is a sheer waste of time on your hands like I said, when we chose has nonetheless self-destruct after 12 hours to edicem
ediceks payment receiving, we have time to continue where the old scale leakage and a taller one thing you will certainly basia gelmiyce
açiginizi security laws in something you do not taller than the one that you said belirticez after 30 minutes after receiving the payment system
olucaktir as you suspected it before we olmasin mail address
                              
                                                  Best regards

Hola He encontrado en su sistema, que infiltrarse en su sistema en el pequeño diámetro y tum archivos cifrados en la Figura I Kirilmiycak
Contraseña hemos creado como un término de 12 cifrar Eger Reloj Transformación yapilmass con la autodestrucción de mis archivos a edicem
Usted ha hecho una pregunta sin sentido por qué no comprobar el correo preguntando por qué no ¿cómo lanzar su correo electrónico para el cabello tontas
divertidas figuras no ofrecen respuestas a sus alamiycaks lo suficiente nos olucam proporcionar su dirección de correo electrónico que pone a cabo la cuerda
cuerda establecido de acuerdo con el precio que tenemos que ir a Dresde ese precio belirtcez verikurtar la razón olucaktir centro de anclaje para pasar Bose
geçmiyce es una pura pérdida de tiempo en sus manos, como he dicho, cuando elegimos tiene, no obstante, se autodestruyen después de 12 horas a edicem
ediceks de recibir el pago, tenemos tiempo para seguir donde el viejo fugas escala y uno más alto que se quiere gelmiyce duda Basia
las leyes de seguridad açiginizi en algo que se hace no más alto que el que usted ha dicho belirticez después de 30 minutos después de recibir el sistema de pago
olucaktir como usted sospechaba que antes de que olmasin correo electrónico
                              
                                                  saludos

 

yedeksecurty@gmail.com
yedeksecurty@gmail.com
yedeksecurty@gmail.com
yedeksecurty@gmail.com
                                                          REFERANS NUMARANIZ:01++




#2 Demonslay335

Demonslay335

    Ransomware Hunter


  • Security Colleague
  • 3,300 posts
  • OFFLINE
  • Gender:Male
  • Location:USA
  • Local time:03:34 PM

Posted 11 November 2016 - 01:56 AM

I saw your note come through ID Ransomware not too long ago. The message sure is hard to read, let alone comprehend...

Can you share a few encrypted files? I haven't seen that ransom note before, must be something new, probably spread through compromised RDP access. If you can find the malware itself that caused the encryption, that would be the most useful for analysis.

I would recommend putting the server into hibernate and running scans externally until you know what you are dealing with. Also try ShadowExplorer from another PC, always worth a try.

ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.


#3 ss911der

ss911der
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  • Local time:04:34 PM

Posted 11 November 2016 - 02:07 AM

Thanks for the reply. I believe it is also from a compromised RDP, as I found Revo Uninstaller was installed on the machine close to the same timeframe as the ransom text file. Luckily they didn't hit the Windows Server Backup, which I am using to restore now. I was able to start it by going to the system32 folder and running mmc, then adding in the module. Whew!

RDP is running on a different port than the default, and I believe one of the users has a fairly easy password, so brute force is my guess. RDP seems pretty vulnerable... Is there a fairly easy and cost-effective way to block someone after they have failed so many attempts?

There weren't any files with relevant crypto-type virus extensions despite the ransom letter. If they want a ransom they need to learn better English, lol!



#4 Demonslay335

Demonslay335

    Ransomware Hunter


  • Security Colleague
  • 3,300 posts
  • OFFLINE
  • Gender:Male
  • Location:USA
  • Local time:03:34 PM

Posted 11 November 2016 - 08:03 AM

The best way to secure RDP is to either whitelist IPs on a firewall, or even better, to not expose it to the internet, period. Put it behind a firewall, only allow RDP from local traffic, and set up a VPN to the firewall. Hackers will always have ways around anything that simply blocks an IP after too many attempts. They use multiple compromised systems, or could even use botnets.

And of course, enforce strong password policies, especially on any admin accounts or those with RDP privileges.

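
The two controls in the reply above (an allow-list of who may reach RDP, plus the observation that a plain lockout-after-N-failures rule is defeated by slow or distributed guessing) can be checked against the Windows Security log, where each failed logon is Event ID 4625 and logon type 10 marks RemoteInteractive (RDP) sessions. The following Python is an added example written for this page; it is not code from the thread, from BleepingComputer or from Demonslay335. The event records, the allowed network ranges, the 5-failures-in-10-minutes threshold and the IP addresses are all constructed for illustration.

```python
"""Added example: review failed RDP logons from a Windows Security log export.

Two checks are applied to Event ID 4625 records restricted to logon type 10 (RDP):
  1. a burst detector (N failures from one source inside a time window), which is
     what a simple lockout rule would also catch;
  2. an allow-list check, which also surfaces slow or distributed guessing that
     never trips the burst threshold.
All sample data below is constructed; nothing here comes from the original thread.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Constructed 4625 records: (timestamp, target account, source IP, logon type).
# 198.51.100.23 hammers the server in 30 seconds; 203.0.113.7 tries once every
# 30 minutes; 192.168.10.15 is an office workstation with two typos.
SAMPLE_EVENTS = [
    ("2016-11-10 22:01:05", "administrator", "198.51.100.23", 10),
    ("2016-11-10 22:01:09", "administrator", "198.51.100.23", 10),
    ("2016-11-10 22:01:14", "admin",         "198.51.100.23", 10),
    ("2016-11-10 22:01:20", "jsmith",        "198.51.100.23", 10),
    ("2016-11-10 22:01:27", "jsmith",        "198.51.100.23", 10),
    ("2016-11-10 22:01:33", "backup",        "198.51.100.23", 10),
    ("2016-11-10 22:05:00", "jsmith",        "192.168.10.15", 10),
    ("2016-11-10 22:05:30", "jsmith",        "192.168.10.15", 10),
    ("2016-11-10 20:00:00", "administrator", "203.0.113.7",   10),
    ("2016-11-10 20:30:00", "administrator", "203.0.113.7",   10),
    ("2016-11-10 21:00:00", "administrator", "203.0.113.7",   10),
    ("2016-11-10 21:30:00", "administrator", "203.0.113.7",   10),
    ("2016-11-10 22:00:00", "administrator", "203.0.113.7",   10),
    ("2016-11-10 22:10:00", "svc_backup",    "203.0.113.7",   3),   # network logon, not RDP
]

# Assumed allow-list: only the LAN and the VPN client pool may reach RDP at all.
ALLOWED_NETWORKS = [
    ipaddress.ip_network("192.168.10.0/24"),  # office LAN (assumed)
    ipaddress.ip_network("10.8.0.0/24"),      # VPN client pool (assumed)
]

RDP_LOGON_TYPE = 10


def is_allowed(ip: str) -> bool:
    """True if the source address falls inside one of the allow-listed networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ALLOWED_NETWORKS)


def _rdp_failures_by_source(events):
    """Group failed RDP logon timestamps by source IP, ignoring other logon types."""
    per_src = defaultdict(list)
    for ts, _account, ip, logon_type in events:
        if logon_type == RDP_LOGON_TYPE:
            per_src[ip].append(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"))
    return per_src


def find_bruteforce(events, threshold=5, window=timedelta(minutes=10)):
    """Return {source_ip: total_failures} for sources that produced at least
    `threshold` failed RDP logons within any `window`-long interval."""
    flagged = {}
    for ip, times in _rdp_failures_by_source(events).items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Slide the window start forward until it spans at most `window`.
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = len(times)
                break
    return flagged


def unexpected_sources(events):
    """Sources of failed RDP logons that are outside the allow-list, regardless
    of how slowly they try. A firewall allow-list would have blocked these."""
    return sorted(ip for ip in _rdp_failures_by_source(events) if not is_allowed(ip))


if __name__ == "__main__":
    print("burst guessing:", find_bruteforce(SAMPLE_EVENTS))
    print("not allow-listed:", unexpected_sources(SAMPLE_EVENTS))
```

Running it shows the trade-off the reply describes: the burst detector only catches the fast source, while the slow one (five failures spread over two hours) would never trip a lockout rule yet is still visible the moment you compare sources against the allow-list. In practice the same comparison belongs on the firewall, so those sources cannot reach port 3389 in the first place.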


#5 Amigo-A

Amigo-A

  • Members
  • 249 posts
  • OFFLINE
  • Gender:Male
  • Location:3st station from Sun
  • Local time:02:34 AM

Posted 12 April 2017 - 02:42 PM

Linked with BTCWare Ransomware
Description:
 

Need info about Crypto-Ransomware? A huge safe base here!

Digest about Crypto-Ransomwares (In Russian) + Google Translate Technology

Anti-Ransomware Project  (In Russian) + Google Translate Technology and links




