Posted 24 November 2016 - 09:46 AM
Posted 24 November 2016 - 10:08 AM
If I have helped you and you wish to support my ransomware fighting, you may support me here.
Posted 24 November 2016 - 10:15 AM
It looks like a Rotocrypt.
Posted 24 November 2016 - 02:03 PM
It looks like a layer of CrySiS which can be decrypted by Kaspersky or ESET's decrypter. Then it may be a layer of Gomasom, not totally sure.
Your info is also conflicting. I don't see .lock in the filename you have provided. Can you share a few encrypted files and the ransom note on a third-party sharing site such as SendSpace and post the link here?
Posted 24 November 2016 - 06:44 PM
Posted 26 November 2016 - 07:58 AM
I suggest you wait for Demonslay33.
My anti-virus blocked the link you provided above as a threat so I removed it to protect other users from going there. That link appears to be one of many bogus malware removal sites.
Thanks, and I'll wait.
Posted 28 November 2016 - 06:42 AM
Someone I know got infected with a ransomware which changed the file names to <14 random characters>.firstname.lastname@example.orgYAn548QZeUf.email@example.com. An example of such a file, plus the original, can be found here: https://drive.google.com/file/d/0B53y4LXTjJsgMmNLcFd0TWtlbUE/view?usp=sharing
It's not the Brazilian ransomware with the .lock extension. I've tried the HiddenTear decryptor, but that didn't do anything. I currently don't have access to the machine anymore, but it left a text file: http://i.imgur.com/rOJmFJL.jpg and a .hta file, in which it asked for 1 BTC as ransom. Is there any chance of free decryption? I couldn't find the ransomware executable. Shadow Explorer almost worked, but Windows decided to remove the shadow copy in the middle of the restore, so it didn't complete. If free decryption is not possible, does anyone know if you get a decryptor if you pay? We've contacted the e-mail, but haven't got a response yet. It encrypted all files on the hard drive (well, most of them), and everything on the network shares.
Edited by Gamer1120, 28 November 2016 - 06:42 AM.
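To scope an incident like the one described above, a responder usually wants a quick inventory of which files were renamed and which attacker address was used as the "extension". The script below is an added example and is not code from this thread or from any decryptor project; it assumes the rename scheme reported in the post (14 random characters, a dot, then an e-mail address), and every file name and e-mail address in it is a constructed placeholder.

```python
import re
from collections import Counter
from pathlib import Path

# Assumed scheme, reconstructed from the post: the whole original name is
# replaced by 14 random alphanumeric characters, a dot, and an e-mail
# address. The addresses used in the sample data below are constructed
# placeholders, not real contact addresses.
RENAME_RE = re.compile(
    r"^(?P<token>[A-Za-z0-9]{14})\."
    r"(?P<email>[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,})$"
)


def classify(name: str):
    """Return (token, email) if the name matches the rename scheme, else None."""
    m = RENAME_RE.match(name)
    if not m:
        return None
    return m.group("token"), m.group("email")


def inventory(names):
    """Count matching names per attacker e-mail 'extension'.

    Returns (counts, unmatched): a dict email -> number of renamed files,
    and the list of names that do not follow the scheme (untouched files,
    ransom notes, or a different variant).
    """
    counts = Counter()
    unmatched = []
    for n in names:
        hit = classify(n)
        if hit is None:
            unmatched.append(n)
        else:
            counts[hit[1]] += 1
    return dict(counts), unmatched


def scan_directory(root):
    """Walk a real directory tree (e.g. a mounted share) and inventory it."""
    return inventory(p.name for p in Path(root).rglob("*") if p.is_file())


# Constructed sample listing, as a renamed share might look after infection.
SAMPLE_NAMES = [
    "aB3dE5fG7hI9jK.attacker@example.org",
    "ZzYyXxWwVvUuTt.attacker@example.org",
    "Q1W2E3R4T5Y6U7.other.contact@example.net",
    "report.docx",                 # untouched file
    "short.attacker@example.org",  # token too short: not this scheme
    "how_to_restore_files.hta",    # the ransom note itself
]

if __name__ == "__main__":
    counts, unmatched = inventory(SAMPLE_NAMES)
    for email, n in counts.items():
        print(f"{n:5d} file(s) renamed with {email}")
    print("not matching the scheme:", unmatched)
```

The per-address counts tell you how many files are affected and whether more than one variant touched the share; the unmatched list is where the ransom note and any untouched files surface, which is what ID Ransomware needs alongside a sample encrypted file.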
Posted 28 November 2016 - 07:30 AM
Posted 28 November 2016 - 07:32 AM
Posted 28 November 2016 - 07:52 AM
Posted 28 November 2016 - 08:06 AM
The ransom note is here: https://drive.google.com/file/d/0B53y4LXTjJsgaDhjUlhTQkdjRTQ/view?usp=sharing
ID ransomware tells me it's Globe, http://www.bleepingcomputer.com/forums/t/624518/globe-ransomware-help-and-support-purge-extension-how-to-restore-fileshta/
but this doesn't make sense, since the extension of the files doesn't match up. It also tells me it could be Brazilian ransomware: http://www.bleepingcomputer.com/forums/t/610372/brazillian-lock-ransomware-help-support-topic-mensagemtxt/ but the desktop image didn't get changed, and the extension is different.
Posted 28 November 2016 - 08:15 AM
Posted 28 November 2016 - 08:18 AM
As soon as I can get access to the infected computer, I will start looking. Any idea where to start looking? Appdata?
EDIT: Trend Micro Ransomware File Decryptor could not decrypt the file, given that it was Globe.
Edited by Gamer1120, 28 November 2016 - 08:22 AM.