
Al-Namrood Ransomware (.access_denied) Support & Help Topic


78 replies to this topic

#1 giantmonkey

  • Members
  • 5 posts
  • Gender: Male
  • Location: Australia

Posted 27 November 2016 - 10:06 PM

Hey guys,
 
I haven't been able to find much info on this. I work for a non-profit and they have 2 VMs running Server 2012 R2 on a Hyper-V Core.
 
Today I came in and found a ransomware notice installed on both VMs saying:
 

All your files were encrypted with strong algorithm AES256 and unique key.
Do not worry, all your files in the safety, but are unavailable at the moment.
To recover the files you need to get special decryption software and personal key.
 
You can contact us:
Primary Email: decryptgroup@inbox.ru
Reserve Email: decryptgroup@india.com
 
Your Personal ID: [removed]
 
Please use public mail service like gmail or yahoo to contact us, because your messages can be not delivered.
 
For fast communication, you can write to us in Jabber: decryptgroup@xmpp.jp
How to register a jabber account: http://www.wikihow.com/Create-a-Jabber-Account
 
You have 3 working days to contact us, otherwise recovering may be harder for you.
 
Regards.

 
The notice was saved on c:\ as Decryption Instructions.txt and put into a registry file in Winlogon > legalnoticetext
 
The files are encrypted with a .access_denied extension.
 
Not all files were encrypted - I think it was running on an account with non admin access.
 
I have VM backups from before we got hit. I am restoring them now as a clone with no network; however, I want to make sure that the restored VMs are not infected.
 
Any help would be appreciated.
 
Thanks


#2 AlNamrood_dev

  • Banned
  • 10 posts

Posted 27 November 2016 - 11:15 PM

According to the contact information it is Apocrysisdxxd :)



#3 giantmonkey
  • Topic Starter

  • Members
  • 5 posts
  • Gender: Male
  • Location: Australia

Posted 27 November 2016 - 11:29 PM

> According to the contact information it is Apocrysisdxxd :)

I don't understand, did you just mix three up or something?



#4 AlNamrood_dev

  • Banned
  • 10 posts

Posted 27 November 2016 - 11:47 PM

Oh, let me teach you how to detect any ransomware, my friend :)

 

mail.ru? - Apocalypse.

india.com? - Crysis.

jabber? - DXXD.

 

= Apocrysisdxxd.

 

It's easy.



#5 AlNamrood_dev

  • Banned
  • 10 posts

Posted 28 November 2016 - 12:04 AM

Seriously: It is a test variant of Al-Namrood :)



#6 giantmonkey
  • Topic Starter

  • Members
  • 5 posts
  • Gender: Male
  • Location: Australia

Posted 28 November 2016 - 12:22 AM

I'm a beta tester? Lucky me.



#7 AlNamrood_dev

  • Banned
  • 10 posts

Posted 28 November 2016 - 12:23 AM

Yes, you are very lucky :)



#8 rayray403

  • Members
  • 5 posts

Posted 28 November 2016 - 12:45 AM

Just got back from a week's vacation and found out 3 servers are infected with this BS.

They want 10 BTC.  Any way to fix this?  They hacked the backup somehow.  Trying to load it to do a restore..



#9 giantmonkey
  • Topic Starter

  • Members
  • 5 posts
  • Gender: Male
  • Location: Australia

Posted 28 November 2016 - 02:02 AM

Hey, if it's a test can you send me the key to see if it unlocks? I'd be doing you a favor really...



#10 rayray403

  • Members
  • 5 posts

Posted 28 November 2016 - 02:06 AM

I've emailed Emsisoft to see if they can help.  Test?

They want 10 BTC, which is like 10k.  Ridiculous.. Reinstalling my Windows backup feature still.. 

How much did they ask to decrypt your files?



#11 giantmonkey
  • Topic Starter

  • Members
  • 5 posts
  • Gender: Male
  • Location: Australia

Posted 28 November 2016 - 02:09 AM

Sorry, I was talking to the idiot who says he makes these programs.

 

I haven't contacted them - going to use backups.

 

I made a post as well, see what happens.

10k is just stupid. At least make it a small amount so people might actually pay.


Edited by giantmonkey, 28 November 2016 - 02:10 AM.


#12 AlNamrood_dev

  • Banned
  • 10 posts

Posted 28 November 2016 - 02:57 AM

Useless to cry here.

If you need the files, you will pay.

You have no other choice, and no one will be able to help.

Nobody will be able to crack AES - not Emsisoft, not the illuminati, and not even Jesus :)



#13 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 49,952 posts
  • Gender: Male
  • Location: Virginia, USA

Posted 28 November 2016 - 07:34 AM

You can submit samples of encrypted files and ransom notes to ID Ransomware for assistance with identification and confirmation. This is a service that helps identify what ransomware may have encrypted your files and then attempts to direct you to an appropriate support topic where you can seek further assistance. Uploading both encrypted files and ransom notes together provides a more positive match and helps to avoid false detections. If ID Ransomware cannot identify the infection, you can post the case SHA1 it gives you in your next reply for Demonslay335 to manually inspect the files.


#14 rayray403

  • Members
  • 5 posts

Posted 28 November 2016 - 10:15 AM

quietman7

 

This is what I get back from ID Ransomware:

 

This ransomware may be decryptable under certain circumstances.

 Please refer to the appropriate guide for more information.

 Identified by
•ransomnote_email: decryptgroup@xmpp.jp
•sample_extension: .ID-<id>[<email>].access_denied

 Click here for more information about Al-Namrood

 

Trying the tool now to see if it works... thx
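The indicators given in this thread (post #1: the note dropped at C:\Decryption Instructions.txt and copied into the Winlogon legal notice; post #14: ID Ransomware's file pattern .ID-<id>[<email>].access_denied) are enough for a quick triage pass on a restored VM before it is put back on the network, which is the check the topic starter asked for. The script below is an added example written for this thread, not code from the forum, from Emsisoft, or from ID Ransomware. The registry path for LegalNoticeText, the $Roots volumes and the CSV report location are assumptions to adjust for your own servers.

```powershell
# Added triage example: look for the Al-Namrood indicators described in this thread
# on a restored Windows Server 2012 R2 VM that is still isolated from the network.
# Assumptions (not from the thread): the Winlogon registry path below, the volumes
# listed in $Roots, and the CSV report path.
param(
    [string[]]$Roots  = @('C:\'),
    [string]  $Report = "$env:TEMP\access_denied_triage.csv"
)

# Indicator 1 (post #1): the ransom note dropped at the root of C:
$notePath = 'C:\Decryption Instructions.txt'
if (Test-Path -LiteralPath $notePath) {
    Write-Warning "Ransom note still present: $notePath"
}

# Indicator 2 (post #1): the note placed in the Winlogon legal notice so it shows at logon.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$notice   = (Get-ItemProperty -Path $winlogon -ErrorAction SilentlyContinue).LegalNoticeText
if ($notice -and $notice -match 'decryptgroup@') {
    $preview = $notice.Substring(0, [Math]::Min(200, $notice.Length))
    Write-Warning "Winlogon LegalNoticeText carries the ransom note (first 200 chars):"
    Write-Warning $preview
}

# Indicator 3 (post #14): encrypted files renamed to <name>.ID-<id>[<email>].access_denied
# The id part is assumed to contain no square brackets; the email sits inside the brackets.
$pattern = '\.ID-[^\[\]]+\[[^\]]+\]\.access_denied$'
$hits = @(foreach ($root in $Roots) {
    Get-ChildItem -LiteralPath $root -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match $pattern } |
        Select-Object FullName, Length, LastWriteTime
})

if ($hits.Count -gt 0) {
    $hits | Export-Csv -LiteralPath $Report -NoTypeInformation
    "$($hits.Count) encrypted file(s) listed in $Report"
    # The earliest write time approximates when encryption started; compare it with
    # the age of the backup you are restoring from.
    $hits | Sort-Object LastWriteTime | Select-Object -First 1 | Format-List
} else {
    'No .access_denied files found under ' + ($Roots -join ', ')
}
```

Run it from an elevated PowerShell prompt on the isolated clone; a clean result on all three indicators is what you want to see before reconnecting the VM, and the CSV from an infected copy gives you the list of files the backup has to cover.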



#15 rayray403

  • Members
  • 5 posts

Posted 28 November 2016 - 10:20 AM

Wrong ID message.

 

The provided ID in the options tab is in a format that is not supported by this decryptor.  Please make sure you typed in the ID correctly.
