Does anybody know how it is encrypted?


24 replies to this topic

#1 Tmk969 (Members, 18 posts)

Posted 11 November 2016 - 07:06 PM

I didn't find any files who attacked me. What Ransomware it is?

 

This is link to some encrypted files: https://www.dropbox.com/s/sxf1g2ozdz340kg/temp.zip?dl=0


Edited by Tmk969, 11 November 2016 - 07:07 PM.



#2 quietman7 (Bleepin' Janitor, Global Moderator)

Posted 11 November 2016 - 08:02 PM

Are there any obvious file extensions appended to or with your encrypted data files?

Did you find any ransom notes? These infections are created to alert victims that their data has been encrypted and demand a ransom payment. Check your documents folder for an image the malware typically uses for the background note. Check the C:\ProgramData (or C:\Documents and Settings\All Users\Application Data) for a randomly named .html, .txt, .png, .bmp, .url file. Most ransomware will also drop a ransom note in every directory/affected folder where data has been encrypted.

You can submit samples of encrypted files and ransom notes to ID Ransomware for assistance with identification and confirmation. This is a service that helps identify what ransomware may have encrypted your files and then attempts to direct you to an appropriate support topic where you can seek further assistance. Uploading both encrypted files and ransom notes together provides a more positive match and helps to avoid false detections.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#3 Tmk969 (Topic Starter)

Posted 11 November 2016 - 09:12 PM

Hello, yes, I checked everything: there is no note, and the files don't have any extension, nothing changed, they are just encrypted. Also ID Ransomware didn't recognize it.



#4 quietman7 (Bleepin' Janitor, Global Moderator)

Posted 11 November 2016 - 09:20 PM

There are a few variants which do not append an obvious extension to the end of encrypted filenames...i.e. CryptoWall, CrypMic, DMA Locker, Microsoft Decryptor (CryptXXX), PClock, TeslaCrypt v4.0, CryptoHost, MotoxLocker, KawaiiLocker. Instead some of them typically add a unique hex pattern identifier in the header of every encrypted file so the ransomware can identify the file as one it encrypted.

This could be a new one. We will have to wait for Demonslay335 or one of our other crypto-malware experts to weigh in.

#5 Tmk969 (Topic Starter)

Posted 12 November 2016 - 03:53 AM

When I open photos (jpg files) with Notepad, I see different symbols, even different languages; no similarities so far.


Edited by Tmk969, 12 November 2016 - 04:34 AM.


#6 Demonslay335 (Ransomware Hunter, Security Colleague)

Posted 12 November 2016 - 10:59 AM

There is no visible hex pattern in the files, ID Ransomware would have picked up on a known one. Were these pictures renamed, or is that the original filename? The only way to identify will be with a ransom note (how else are you expected to pay a ransom?), or if you have a sample of the malware that caused it.


logo-25.pngID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

ransomnotecleaner-25.png RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

cryptosearch-25.pngCryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.


#7 Struppigel (Karsten Hahn, G DATA Malware Analyst, Malware Response Team)

Posted 12 November 2016 - 12:41 PM

In addition, it will help if you provide encrypted file samples that aren't already compressed in their original file format. That means any Office document (Word, PowerPoint, Excel, ...) and any uncompressed image, audio or video format (e.g., bmp, wav) is better for us than jpg files. The reason is that the compressed formats look much like encrypted files, and it is hard to see if the encryption is weak or if only parts of the file were encrypted.

 

Larger files (>2 MB) should also be preferred, because some ransomware families encrypt only up to a certain size limit. Such a limit is an indicator for the ransomware that caused this.



#8 Tmk969 (Topic Starter)

Posted 12 November 2016 - 04:54 PM

> There is no visible hex pattern in the files, ID Ransomware would have picked up on a known one. Were these pictures renamed, or is that the original filename? The only way to identify will be with a ransom note (how else are you expected to pay a ransom?), or if you have a sample of the malware that caused it.

All names are original. I didn't find any note or anything saying where to pay or to whom, so also no name of the malware. Maybe it was Kotver.C


Edited by Tmk969, 12 November 2016 - 04:54 PM.


#9 Tmk969 (Topic Starter)

Posted 12 November 2016 - 05:01 PM

> In addition it will help if you provide encrypted file samples that aren't already compressed in their original file format. That means any office document (word, powerpoint, excel, ...) and any uncompressed image, audio or video formats (e.g, bmp, wav) are better for us than jpg files. The reason is that the compressed formats look much like encrypted files and it is hard to see if the encryption is weak or if only parts of the file were encrypted.
>
> Larger files (>2 MB) should also be preferred, because some ransomware families encrypt only up to a certain size limit. Such a limit is an indicator for the ransomware that caused this.

Raw file of the photo: https://www.dropbox.com/s/wbj2zlh40kktudy/AS6A5224.CR2?dl=0

 

I can add a Word file, but it will be smaller than 2 MB.



#10 Struppigel (Karsten Hahn, G DATA Malware Analyst, Malware Response Team)

Posted 12 November 2016 - 05:27 PM

There is indeed a clue in it. The file has a "neck". So far I have only seen this from a Chinese ransomware called "Shujin".

That's your file: [image: byte-plot of the submitted file]

That's the encrypted bait file for the Chinese ransomware: [image: byte-plot of the Shujin bait file]

 

It does not mean that Shujin was for sure the cause for the encrypted files, but it is the only clue I have for now.
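As an added example, not code from this thread or from any of the posters: the Python script below performs the two file-level checks discussed above on an encrypted sample. It looks for a fixed marker in the file's header or trailer (the hex pattern identifier mentioned in posts #4 and #6), and it computes the file's "shape" as per-block Shannon entropy, so that a "neck" (a stretch that was left unencrypted between encrypted regions) or a per-file encryption size limit (post #7) shows up as a drop in entropy. The block size, the threshold, the marker bytes and the reading of the neck as a low-entropy run are assumptions; the sample file is constructed inline from a SHA-256 counter-mode keystream and plain text. As post #7 notes, entropy cannot separate ciphertext from already-compressed data such as JPEG, which is exactly why uncompressed originals are the useful samples.

```python
"""Entropy profile of a suspected ransomware-encrypted file.

Added example for this thread; it is not a tool from BleepingComputer, ID Ransomware
or G DATA, and it carries no real ransomware signatures: the block size, threshold and
marker below are illustrative assumptions.
"""
from __future__ import annotations

import hashlib
import math
from collections import Counter

BLOCK_SIZE = 4096            # analysis granularity (assumption; smaller shows finer structure)
ENCRYPTED_THRESHOLD = 7.0    # bits per byte; ciphertext and compressed data sit near 8.0 (assumption)
HYPOTHETICAL_MARKER = b"EXAMPLE-MARKER!!"  # stand-in for a family's header/trailer tag, not a real one


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty or constant input, 8.0 at most."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def entropy_profile(data: bytes, block_size: int = BLOCK_SIZE) -> list[float]:
    """Entropy of each consecutive block; the numeric form of what a byte-plot shows."""
    return [shannon_entropy(data[i:i + block_size]) for i in range(0, len(data), block_size)]


def regions(profile: list[float], threshold: float = ENCRYPTED_THRESHOLD) -> list[tuple[str, int, int]]:
    """Collapse a profile into runs of ("high" | "low", first_block, last_block)."""
    runs: list[tuple[str, int, int]] = []
    for i, h in enumerate(profile):
        label = "high" if h >= threshold else "low"
        if runs and runs[-1][0] == label:
            runs[-1] = (label, runs[-1][1], i)
        else:
            runs.append((label, i, i))
    return runs


def find_neck(profile: list[float], threshold: float = ENCRYPTED_THRESHOLD):
    """Block range of the first low-entropy run enclosed by high-entropy runs, or None.
    Assumption: the 'neck' seen in a byte-plot is such an untouched stretch inside ciphertext."""
    runs = regions(profile, threshold)
    for k in range(1, len(runs) - 1):
        if runs[k][0] == "low" and runs[k - 1][0] == "high" and runs[k + 1][0] == "high":
            return runs[k][1], runs[k][2]
    return None


def encrypted_prefix_bytes(data: bytes, block_size: int = BLOCK_SIZE, threshold: float = ENCRYPTED_THRESHOLD) -> int:
    """Bytes of high-entropy data from the start of the file up to the first low block.
    Equals the file size when everything is encrypted; the same value across files of
    different sizes points at a per-file encryption size limit."""
    high = 0
    for h in entropy_profile(data, block_size):
        if h < threshold:
            break
        high += 1
    return min(high * block_size, len(data))


def find_marker(data: bytes, marker: bytes, window: int = 512) -> int:
    """Offset of `marker` if it sits in the first or last `window` bytes, else -1."""
    at = data[:window].find(marker)
    if at != -1:
        return at
    tail_start = max(0, len(data) - window)
    at = data[tail_start:].find(marker)
    return tail_start + at if at != -1 else -1


def _pseudo_ciphertext(nbytes: int, seed: bytes) -> bytes:
    """Deterministic high-entropy filler (SHA-256 in counter mode) standing in for ciphertext."""
    out = bytearray()
    ctr = 0
    while len(out) < nbytes:
        out += hashlib.sha256(seed + ctr.to_bytes(8, "big")).digest()
        ctr += 1
    return bytes(out[:nbytes])


def constructed_sample() -> bytes:
    """Constructed file: 6 encrypted blocks, a 2-block untouched plaintext 'neck', 6 more
    encrypted blocks, and the hypothetical marker in the trailer (14 blocks in total)."""
    head = _pseudo_ciphertext(6 * BLOCK_SIZE, b"head")
    neck = (b"The quick brown fox jumps over the lazy dog. " * 400)[:2 * BLOCK_SIZE]
    tail = _pseudo_ciphertext(6 * BLOCK_SIZE - len(HYPOTHETICAL_MARKER), b"tail")
    return head + neck + tail + HYPOTHETICAL_MARKER


if __name__ == "__main__":
    import sys

    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else constructed_sample()
    profile = entropy_profile(data)
    for label, first, last in regions(profile):
        span = profile[first:last + 1]
        print(f"blocks {first:>5}-{last:<5} {label:4} entropy {min(span):.2f}-{max(span):.2f}")
    print("neck (block range):", find_neck(profile))
    print("high-entropy prefix bytes:", encrypted_prefix_bytes(data))
    print("marker offset:", find_marker(data, HYPOTHETICAL_MARKER))
```

Run it with a path argument to profile a real sample; without one it profiles the constructed file. The marker check only helps once a candidate family's tag is known, which is what ID Ransomware's own signatures supply; the entropy shape is useful before that, since it reveals whether the file was fully encrypted, encrypted only up to a limit, or left with an untouched region.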



#11 Tmk969 (Topic Starter)

Posted 12 November 2016 - 05:55 PM

I also found a strange .bak file in which I can see the list of all files that were attacked.



#12 Tmk969 (Topic Starter)

Posted 13 November 2016 - 08:54 AM

Maybe it can help? Should I post it?



#13 quietman7 (Bleepin' Janitor, Global Moderator)

Posted 13 November 2016 - 09:06 AM

Samples of any encrypted files, ransom notes or suspicious executables (installer, malicious files, attachments) that you suspect were involved in causing the infection can be submitted here (http://www.bleepingcomputer.com/submit-malware.php?channel=168) with a link to this topic.

#14 Tmk969 (Topic Starter)

Posted 13 November 2016 - 09:16 AM

Ok, thank you :)



#15 Tmk969 (Topic Starter)

Posted 13 November 2016 - 01:53 PM

It could be Kotver.C





