
CHIP Ransomware Help & Support Topic (CHIP_FILES.TXT)


4 replies to this topic

#1 mike 1

mike 1

  • Members
  • 195 posts
  • Gender:Male
  • Location:Russia, Moscow

Posted 17 November 2016 - 03:35 PM

Hello guys.

Looks like I found a new cryptolocker.

Ransom note:

YOUR ID:94ccb192180178f5c8b284ad4026ed3c

Hello!

All Your files are encrypted!

For more specific instructions, please visit a support home page:

To see this page follow these steps:

1 - Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en
2 - After a successful installation, run the browser
3 - Type in the address bar - http://mm6x57ri2coivya6.onion
4 - Follow the instructions on the site

Attention: DO NOT USE ANY PUBLIC DECRYPTERS! YOU CAN DAMAGE YOUR FILES!

Kind regards,
Support Team.

YOUR ID:94ccb192180178f5c8b284ad4026ed3c (Personal ID)
YOUR ID:94ccb192180178f5c8b284ad4026ed3c (Personal ID)
YOUR ID:94ccb192180178f5c8b284ad4026ed3c (Personal ID)
YOUR ID:94ccb192180178f5c8b284ad4026ed3c (Personal ID)
YOUR ID:94ccb192180178f5c8b284ad4026ed3c (Personal ID)

Encrypted files get the extension: CHIP

Cryptography: RSA (the keys are obtained from the server)

Example public key:

-----BEGIN CERTIFICATE-----ipJ1GNIHIoYK7tHHU/mYOdGvFkLRrNjY0IVaP8XTnyU2NqEIda/J478N8UmvK5il47Q2fLIjsIdDRFguwZdZvEyIrx1z40eETliwvTHrvGZQCctzNh77R20ocmReN9MUgRBef2zjhq75wwtb+LMiu9i8wtqTWlT2oXiVukLrAd9Z-----END CERTIFICATE-----

VT: https://www.virustotal.com/ru/file/aee03626b83a88b71b06899116cb7ce4b8092365103d69792b0c2d7153f24cb1/analysis/

Sample: https://www.hybrid-analysis.com/sample/aee03626b83a88b71b06899116cb7ce4b8092365103d69792b0c2d7153f24cb1?environmentId=100

I eat mice

My processor AMD Athlon™ X4 860K, 4 cores
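Defender-side triage for the indicators in this post, added here as an example and not part of the original thread: it walks a directory tree, validates any CHIP_FILES.TXT against the note layout quoted above (one 32-hex ID repeated, a 16-character .onion address) and counts files carrying the CHIP extension. The note file name (taken from the topic title) and the extension being appended as .CHIP are assumptions, and the sample tree is constructed.

```python
import os
import re
import tempfile

# Indicators from the post above; the note file name and appended extension are assumed.
NOTE_NAME = "CHIP_FILES.TXT"
ENCRYPTED_EXT = ".chip"
ID_RE = re.compile(r"^YOUR ID:([0-9a-f]{32})", re.MULTILINE)
ONION_RE = re.compile(r"https?://[a-z2-7]{16}\.onion\b")


def parse_note(text):
    """Return (victim_id, onion_url) for a CHIP-style note, else None.
    The genuine note repeats one ID several times, so exactly one distinct ID is required."""
    ids = set(ID_RE.findall(text))
    onion = ONION_RE.search(text)
    if len(ids) != 1 or onion is None or "All Your files are encrypted" not in text:
        return None
    return ids.pop(), onion.group(0)


def triage(root):
    """Walk root and collect CHIP indicators: parsed notes, IDs, URLs and .CHIP files."""
    summary = {"notes": [], "victim_ids": set(), "onion_urls": set(), "encrypted": []}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.upper() == NOTE_NAME:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    parsed = parse_note(fh.read())
                if parsed:  # ignore look-alike notes that fail the layout checks
                    summary["notes"].append(path)
                    summary["victim_ids"].add(parsed[0])
                    summary["onion_urls"].add(parsed[1])
            elif name.lower().endswith(ENCRYPTED_EXT):
                summary["encrypted"].append(path)
    return summary


def build_sample_tree():
    """Constructed sample tree (not real victim data): one note, two .CHIP files, one clean file."""
    root = tempfile.mkdtemp(prefix="chip_triage_")
    note = ("YOUR ID:94ccb192180178f5c8b284ad4026ed3c\n\nHello!\n\nAll Your files are encrypted!\n"
            "3 - Type in the address bar - http://mm6x57ri2coivya6.onion\n"
            + "YOUR ID:94ccb192180178f5c8b284ad4026ed3c (Personal ID)\n" * 5)
    docs = os.path.join(root, "Documents")
    os.makedirs(docs)
    with open(os.path.join(docs, NOTE_NAME), "w", encoding="utf-8") as fh:
        fh.write(note)
    for name in ("report.docx.CHIP", "photo.jpg.CHIP", "readme.txt"):
        open(os.path.join(docs, name), "wb").close()
    return root
```

Run `triage(build_sample_tree())` to see the summary for the constructed tree; point `triage` at a real share to list which directories hold notes and how many files were renamed.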


#2 xXToffeeXx

xXToffeeXx

    Bleepin' Polar Bear

  • Malware Response Instructor
  • 6,015 posts
  • Gender:Female
  • Location:The Arctic Circle

Posted 17 November 2016 - 04:48 PM

The sample is distributed via EK?

Regards,

xXToffeeXx~


~If I am helping you and you have not had a reply from me in two days, please send me a PM~

~Currently in my last year of school, so replies might be more delayed~

ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic] - If we have helped you out and you want to support what we do, you can do so here

~Twitter~ | ~Malware Analyst at Emsisoft~


#3 mike 1

mike 1
  • Topic Starter
  • Members
  • 195 posts
  • Gender:Male
  • Location:Russia, Moscow

Posted 17 November 2016 - 04:56 PM

xXToffeeXx,

I don't know exactly, but I think via e-mail. According to the note he focuses more on English users.



#4 brad_malware_traffic

brad_malware_traffic

  • Members
  • 1 post

Posted 17 November 2016 - 09:44 PM

I saw this one on Thursday 2016-11-17 sent by the EITest campaign using Rig-E (Empire Pack) exploit kit. I've got a write-up about it at:

http://www.malware-traffic-analysis.net/2016/11/17/index.html

Regards,

- brad@malware-traffic-analysis.net



#5 expert_dk

expert_dk

  • Members
  • 2 posts

Posted 05 December 2016 - 07:19 AM

CHIP files decryption!

These guys, itintelligent@consultant.com, say that they can decrypt CHIP files (CHIP ransomware, chipme@protonmail.com).


Edited by expert_dk, 05 December 2016 - 07:22 AM.
