
Help to ID .locked variant


18 replies to this topic

#1 mrxerox (Members, 10 posts)

Posted 16 November 2016 - 02:32 PM

Customer of mine became infected and the workstation and server are now full of .locked files. Attempted to ID this all evening but there is no ransom note anywhere, just the files. Finally gave up and paid the .33 bitcoin ransom but it was never decrypted. I have tried the Philadelphia brute force unlock with no luck. Can anyone point me in the right direction to get started on this thing? Any help would be greatly appreciated.




#2 Fabian Wosar (Authorized Emsisoft Representative; Security Developer, 744 posts, Germany)

Posted 16 November 2016 - 02:35 PM

Is the base name of the file changed?


Best regards,

Fabian Wosar [Development]
Emsisoft Team - www.emsisoft.com

#3 mrxerox (Topic Starter; Members, 10 posts)

Posted 16 November 2016 - 02:36 PM

No, it just added a .locked to the end of every file.



#4 Fabian Wosar (Authorized Emsisoft Representative; Security Developer, 744 posts, Germany)

Posted 16 November 2016 - 02:39 PM

That rules out Philadelphia already, leaving either Nemucod or Stampado. Can you open up an encrypted text file that is bigger than 1 KB in Notepad and check if the text is readable after the first 1 KB?


Edited by Fabian Wosar, 16 November 2016 - 02:40 PM.


#5 mrxerox (Topic Starter; Members, 10 posts)

Posted 16 November 2016 - 02:51 PM

No, it looks like all Asian characters when opened in Notepad.



#6 Fabian Wosar (Authorized Emsisoft Representative; Security Developer, 744 posts, Germany)

Posted 16 November 2016 - 02:58 PM

So most likely Stampado. Can you check your system and logs for any files named scvhost.exe? That's the file name Stampado uses :)


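Fabian's questions in posts #2 to #6 form a small decision tree: was the base name changed, and is a text file still readable after its first 1 KB? The following is an added example, not code from this thread or from Emsisoft, that applies those heuristics to files on disk. The printable-byte threshold and the "original extension still visible before .locked" test for an unchanged base name are my assumptions, and every verdict is only a triage candidate for follow-up, not an identification.

```python
import os
import string

# Bytes we treat as readable text: printable ASCII including whitespace.
PRINTABLE = frozenset(string.printable.encode("ascii"))


def printable_ratio(data: bytes) -> float:
    """Fraction of printable bytes: near 1.0 for plain text, low for ciphertext."""
    if not data:
        return 0.0
    return sum(b in PRINTABLE for b in data) / len(data)


def triage_locked_file(name: str, data: bytes, threshold: float = 0.9) -> str:
    """Apply the thread's decision tree to one file (name on disk, raw bytes).
    The result is a triage candidate, not a definitive identification."""
    base, ext = os.path.splitext(name)
    if ext.lower() != ".locked":
        return "unrelated"
    # Assumption: if the original extension is still visible before .locked
    # (report.docx.locked), the base name was kept, which per the thread
    # rules out Philadelphia.
    if not os.path.splitext(base)[1]:
        return "philadelphia-candidate"
    if len(data) <= 1024:
        return "too-small-for-1kb-check"
    head, tail = data[:1024], data[1024:]
    # Thread heuristic: Nemucod leaves text readable after the first 1 KB,
    # Stampado leaves nothing readable.
    if printable_ratio(head) < threshold <= printable_ratio(tail):
        return "nemucod-candidate"
    return "stampado-candidate"


# Constructed sample files for this example, not real ransomware output.
SCRAMBLED_1KB = bytes(range(256)) * 4
PLAINTEXT = b"Quarterly figures, see attached table.\n" * 60
SAMPLES = {
    "notes.txt.locked": SCRAMBLED_1KB + PLAINTEXT,   # only the head scrambled
    "budget.xlsx.locked": bytes(range(256)) * 12,    # scrambled throughout
    "a8f3c1.locked": PLAINTEXT,                      # base name replaced
    "readme.md": PLAINTEXT,                          # not renamed at all
}


def triage_all(samples=SAMPLES) -> dict:
    """Run the triage over every sample and return name -> verdict."""
    return {name: triage_locked_file(name, data) for name, data in samples.items()}
```

A "stampado-candidate" verdict is the case where the thread then suggests checking cleanup-tool logs for scvhost.exe.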

#7 mrxerox (Topic Starter; Members, 10 posts)

Posted 16 November 2016 - 03:07 PM

I have cleaned the system up, where in the logs would I look for it?



#8 Fabian Wosar (Authorized Emsisoft Representative; Security Developer, 744 posts, Germany)

Posted 16 November 2016 - 03:30 PM

In the logs of the tools you used to clean the system ;)



#9 mrxerox (Topic Starter; Members, 10 posts)

Posted 16 November 2016 - 03:54 PM

I used Malwarebytes and it did not come up with much, so then I used HijackThis and cleaned up all the stuff starting out that looked suspect. There were a few .exe files in the appdata/roaming that I kept, and I still have a screenshot of what the ransom screen looked like, if that helps?



#10 Fabian Wosar (Authorized Emsisoft Representative; Security Developer, 744 posts, Germany)

Posted 16 November 2016 - 04:08 PM

Yes. Please share them :)



#11 mrxerox (Topic Starter; Members, 10 posts)

Posted 16 November 2016 - 05:29 PM

Pardon my ignorance, but how do I attach pictures to this post?



#12 Demonslay335 (Ransomware Hunter; Security Colleague, 3,589 posts, USA)

Posted 16 November 2016 - 05:40 PM

mrxerox wrote: Pardon my ignorance, but how do I attach pictures to this post?

This forum does not allow attachments. You can share the picture using a third-party site such as Imgur or SendSpace and share the link here.


ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]
RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]
CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.


#13 mrxerox (Topic Starter; Members, 10 posts)

Posted 16 November 2016 - 06:38 PM

Gotcha. Here is a screenshot of the files and ransom pic:

https://www.sendspace.com/filegroup/YmZvXZwrjqB31LY6MseCrA



#14 Demonslay335 (Ransomware Hunter; Security Colleague, 3,589 posts, USA)

Posted 16 November 2016 - 06:52 PM

mrxerox wrote: Gotcha. Here is a screenshot of the files and ransom pic: https://www.sendspace.com/filegroup/YmZvXZwrjqB31LY6MseCrA

Can you please zip up all of those files and submit them here: http://www.bleepingcomputer.com/submit-malware.php?channel=168

 

It looks new, and possibly made with AutoIt judging from the icon, so it should be easy to reverse for analysis.




#15 mrxerox (Topic Starter; Members, 10 posts)

Posted 16 November 2016 - 06:57 PM

Sent. Thanks for you guys' time on this!
