
How to restore files.hta [ helptoyou1@india.com.lock]


51 replies to this topic

#1 Molarov (Members, 6 posts)

Posted 24 November 2016 - 09:46 AM

Hello,

Ransomware attacked my remote control server and ransomed my files.
The ransomware ID gave me 2 results, Globe and Brazilian ransomware, and I'm not sure which one I've been attacked with.

I have 2 different ransom notes:

HOW TO DECRYPT FILES.txt

and

How to restore files.hta

All the encrypted files have the extension .lock.

(I use the server for small business and my files are SQL databases.)

I tried to restore the files in the Pictures folder, the ones that come as wallpaper for Win7, and the files changed to
Desert.jpg!______SUFNEX331@GMAIL.COM______.crypt.id-56A69651.systemdown@india.com.xtb

I'm not sure, but I think I was attacked with several ransomwares!


#2 Demonslay335 (Ransomware Hunter, Security Colleague, 3,513 posts)

Posted 24 November 2016 - 10:08 AM

It looks like a layer of CrySiS which can be decrypted by Kaspersky or ESET's decrypter. Then it may be a layer of Gomasom, not totally sure.

Your info is also conflicting. I don't see .lock in the filename you have provided. Can you share a few encrypted files and the ransom note on a third-party sharing site such as SendSpace and post the link here?

ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.


#3 al1963 (Members, 886 posts)

Posted 24 November 2016 - 10:15 AM

Desert.jpg!______SUFNEX331@GMAIL.COM______

It looks like Rotocrypt:

http://www.bleepingcomputer.com/forums/t/629699/rotorcrypt-rotocrypt-ransomware-support-help-topic-tar-c400-extensions/



#4 Molarov (Topic Starter, Members, 6 posts)

Posted 24 November 2016 - 10:16 AM

Sure, here is a sample with both ransom notes:

https://ufile.io/03c27



#5 Molarov (Topic Starter, Members, 6 posts)

Posted 24 November 2016 - 02:03 PM

It looks like a layer of CrySiS which can be decrypted by Kaspersky or ESET's decrypter. Then it may be a layer of Gomasom, not totally sure.

Your info is also conflicting. I don't see .lock in the filename you have provided. Can you share a few encrypted files and the ransom note on a third-party sharing site such as SendSpace and post the link here?

 
Is it a good idea to try this, or should I wait?

#6 quietman7 (Bleepin' Janitor, Global Moderator, 51,490 posts)

Posted 24 November 2016 - 06:44 PM

I suggest you wait for Demonslay335.

My anti-virus blocked the link you provided above as a threat so I removed it to protect other users from going there. That link appears to be one of many bogus malware removal sites.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click the donation button.

#7 Molarov (Topic Starter, Members, 6 posts)

Posted 26 November 2016 - 07:58 AM

I suggest you wait for Demonslay33.

My anti-virus blocked the link you provided above as a threat so I removed it to protect other users from going there. That link appears to be one of many bogus malware removal sites.

Thanks, I'll wait.



#8 Molarov (Topic Starter, Members, 6 posts)

Posted 28 November 2016 - 04:30 AM

Any news?



#9 Gamer1120 (Members, 22 posts)

Posted 28 November 2016 - 06:42 AM

Someone I know got infected with a ransomware which changed the file names to <14 random characters>.rescuers@india.com.3392cYAn548QZeUf.lock.rescuers@india.com.lock. An example of such a file, plus the original, can be found here: https://drive.google.com/file/d/0B53y4LXTjJsgMmNLcFd0TWtlbUE/view?usp=sharing

It's not the Brazilian ransomware with the .lock extension. I've tried the HiddenTear decryptor, but that didn't do anything. I currently don't have access to the machine anymore, but it left a text file: http://i.imgur.com/rOJmFJL.jpg and a .hta file, in which it asked for 1 BTC as ransom. Is there any chance of free decryption? I couldn't find the ransomware executable. Shadow Explorer almost worked, but Windows decided to remove the shadow copy in the middle of the restore, so it didn't complete. If free decryption is not possible, does anyone know if you get a decryptor if you pay? We've contacted the e-mail, but haven't got a response yet. It encrypted all files on the hard drive (well, most of them), and everything on the network shares.


Edited by Gamer1120, 28 November 2016 - 06:42 AM.
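The filenames quoted in this thread are layered suffixes: post #1's name carries a `.id-<id>.<email>.<ext>` tail (which post #2 reads as a CrySiS layer sitting on top of another family's `!______<email>______.crypt` rename), and post #9's name carries a double `<email>.<token>.lock.<email>.lock` tail. Peeling such suffixes mechanically is the same first step a responder takes before uploading samples to ID Ransomware: it tells you how many layers a share was hit with, which contact addresses are involved, and whether the original names survive. The script below is an added example, not code from this thread, from BleepingComputer or from ID Ransomware. The three suffix regexes are written only from the filenames on this page, the layer labels are descriptive names chosen here, the family names in the comments are the thread's own tentative guesses, and the sample listing is constructed (the 14-character prefix and the `orders.mdf` name are made up).

```python
import re
from typing import Dict, List, Tuple

# Rough e-mail shape used inside the suffix patterns.
EMAIL = r"[A-Za-z0-9.-]+@[A-Za-z0-9-]+\.[A-Za-z]{2,}"

# Suffix patterns seen in this thread. Every regex is anchored at the end of the name,
# so layers peel from the outside in. The third tuple field records whether the layer
# keeps the victim's original filename underneath it. Family names in the comments are
# the thread's tentative identifications, not confirmed attributions.
LAYER_PATTERNS: List[Tuple[str, "re.Pattern[str]", bool]] = [
    # "<name>.id-56A69651.systemdown@india.com.xtb" (post #1; post #2 calls this a CrySiS layer)
    ("id-email suffix",
     re.compile(r"\.id-(?P<victim_id>[0-9A-Fa-f]{8})\.(?P<email>" + EMAIL
                + r")\.(?P<ext>[A-Za-z0-9]+)$"),
     True),
    # "<name>!______SUFNEX331@GMAIL.COM______.crypt" (post #1; post #3 suggests Rotocrypt)
    ("bang-email .crypt suffix",
     re.compile(r"!______(?P<email>" + EMAIL + r")______\.crypt$"),
     True),
    # "<14 random chars>.rescuers@india.com.<16 chars>.lock.rescuers@india.com.lock" (post #9);
    # the whole original name is replaced, so nothing useful remains after stripping.
    ("double-email .lock suffix",
     re.compile(r"\.(?P<email>" + EMAIL + r")\.(?P<token>[A-Za-z0-9]{16})"
                r"\.lock\.(?P=email)\.lock$"),
     False),
]


def peel_layers(filename: str) -> Tuple[str, List[Dict[str, object]]]:
    """Strip recognised ransomware suffixes from the outside in.

    Returns (remaining_name, layers). `layers` lists each stripped layer, outermost
    first, with the indicators it carried (contact e-mail, victim id, extension).
    A filename that matches no pattern comes back unchanged with an empty list.
    """
    name = filename
    layers: List[Dict[str, object]] = []
    while True:
        for label, rx, keeps_name in LAYER_PATTERNS:
            m = rx.search(name)
            if m:
                layer: Dict[str, object] = {"layer": label, "original_name_kept": keeps_name}
                layer.update(m.groupdict())
                layers.append(layer)
                name = name[: m.start()]  # the name always shrinks, so the loop terminates
                break
        else:
            return name, layers


def triage(filenames: List[str]) -> Dict[str, object]:
    """Summarise a directory listing: how many files are encrypted, how deep the
    layering goes, which suffix patterns and contact addresses occur, and how many
    original names are unrecoverable from the filename alone."""
    counts: Dict[str, int] = {}
    emails = set()
    encrypted = max_depth = names_lost = 0
    for fn in filenames:
        _, layers = peel_layers(fn)
        if not layers:
            continue
        encrypted += 1
        max_depth = max(max_depth, len(layers))
        for layer in layers:
            counts[str(layer["layer"])] = counts.get(str(layer["layer"]), 0) + 1
            emails.add(str(layer["email"]))
            if not layer["original_name_kept"]:
                names_lost += 1
    return {"files": len(filenames), "encrypted": encrypted, "max_depth": max_depth,
            "layer_counts": counts, "contact_emails": emails, "names_lost": names_lost}


# Constructed listing: the first two shapes come from posts #1 and #9, the rest are made up.
SAMPLE_LISTING = [
    "Desert.jpg!______SUFNEX331@GMAIL.COM______.crypt.id-56A69651.systemdown@india.com.xtb",
    "abcdefghijklmn.rescuers@india.com.3392cYAn548QZeUf.lock.rescuers@india.com.lock",
    "orders.mdf.id-56A69651.systemdown@india.com.xtb",
    "README.txt",
]

if __name__ == "__main__":
    for fn in SAMPLE_LISTING:
        original, layers = peel_layers(fn)
        print(fn, "->", original, [layer["layer"] for layer in layers])
    print(triage(SAMPLE_LISTING))
```

Run it on the listing of an affected share (replace `SAMPLE_LISTING` with `os.listdir` output) and attach the summary when posting samples: a `max_depth` of 2 with two different contact addresses is exactly the "layer on top of a layer" situation post #2 describes, and `names_lost` tells you up front which files will need a decrypter that can recover names as well as content. The regexes are deliberately strict (fixed id length, fixed token length, repeated e-mail) so a clean file with a dotted name is not mistaken for an encrypted one.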


#10 quietman7 (Bleepin' Janitor, Global Moderator, 51,490 posts)

Posted 28 November 2016 - 07:30 AM

Could be a newer variant of one of these. You can submit samples of encrypted files and ransom notes to ID Ransomware for assistance with identification and confirmation. This is a service that helps identify what ransomware may have encrypted your files and then attempts to direct you to an appropriate support topic where you can seek further assistance. Uploading both encrypted files and ransom notes together provides a more positive match and helps to avoid false detections.

#11 quietman7 (Bleepin' Janitor, Global Moderator, 51,490 posts)

Posted 28 November 2016 - 07:32 AM

Not that I am aware of just yet.

#12 Gamer1120 (Members, 22 posts)

Posted 28 November 2016 - 07:52 AM

When I submitted the encrypted file, it said it was the Brazilian virus or something. I've managed to get hold of the .hta file with the ransom, which I'll upload as soon as I get to a computer.

#13 Gamer1120 (Members, 22 posts)

Posted 28 November 2016 - 08:06 AM

The ransom note is here: https://drive.google.com/file/d/0B53y4LXTjJsgaDhjUlhTQkdjRTQ/view?usp=sharing

ID Ransomware tells me it's Globe, http://www.bleepingcomputer.com/forums/t/624518/globe-ransomware-help-and-support-purge-extension-how-to-restore-fileshta/

but this doesn't make sense, since the extension of the files doesn't match up. It also tells me it could be Brazilian ransomware: http://www.bleepingcomputer.com/forums/t/610372/brazillian-lock-ransomware-help-support-topic-mensagemtxt/ but the desktop image didn't get changed, and the extension is different.



#14 quietman7 (Bleepin' Janitor, Global Moderator, 51,490 posts)

Posted 28 November 2016 - 08:15 AM

Demonslay335 is not logged in at the moment but most likely will be later on today.

Samples of any encrypted files, ransom notes or suspicious executables (installer, malicious files, attachments) that you suspect were involved in causing the infection can be submitted here (http://www.bleepingcomputer.com/submit-malware.php?channel=168) with a link to this topic. Doing that will be helpful with analyzing and investigating by our crypto malware experts.

#15 Gamer1120 (Members, 22 posts)

Posted 28 November 2016 - 08:18 AM

As soon as I can get access to the infected computer, I will start looking. Any idea where to start looking? Appdata?

EDIT: Trend Micro Ransomware File Decryptor could not decrypt the file, given that it was Globe.


Edited by Gamer1120, 28 November 2016 - 08:22 AM.




