Identify this ransomware - help needed


This topic is locked
7 replies to this topic

#1 secc123

Posted 30 November 2016 - 05:49 PM

Hi all, I got a call today regarding a machine which has been hit by ransomware. As usual the person on the phone 'didn't click anything and didn't download anything' - yeah right! Anyway I won't be collecting the machine until tomorrow so I can't really offer any info on it, but they did email me a screenshot which I have attached.

I would appreciate it if anyone here could identify it and possibly point me in the direction as to whether it's genuine or not. All help and info greatly appreciated as there may be files on the machine which they may want to keep - although I suspect that it's basically fully done the encryption job; they called me after the message appeared on screen..... when will people learn LOL!

Thanks all

Secc

 

 

screenshot: (image attachment)

 


#2 Demonslay335 (Ransomware Hunter, Security Colleague)

Posted 30 November 2016 - 06:04 PM

Looks like Locky. The best way to confirm is with a ransom note and encrypted file. Once you get ahold of the machine, you may upload them to ID Ransomware to properly identify. If it is Locky, it is not decryptable, you can only restore from backups or they pay the ransom. Always worth trying recovery tools such as ShadowExplorer and Recuva.


ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.


#3 secc123 (Topic Starter)

Posted 30 November 2016 - 06:18 PM

Hi Ransomware Hunter, thanks so much for the reply. My initial thought was Locky but I didn't want to jump the gun. I already have ID Ransomware loaded in my browser ready for tomorrow - excellent resource.

Thanks for your help, I very much appreciate it.

Secc



#4 quietman7 (Bleepin' Janitor, Global Moderator)

Posted 30 November 2016 - 06:38 PM

There are several different variants of Locky Ransomware.

Any files that are encrypted with the original Locky Ransomware will be renamed with random alpha-numerical characters and have the .locky extension appended to the end of the encrypted data filename (i.e. F67091F1D24A922B1A7FC27E19A9D9BC.locky) and leave files (ransom notes) named _Locky_recover_instructions.txt, _HELP_INSTRUCTIONS.txt as explained here.

Any files that are encrypted with the Locky (.ZEPTO) ransomware variant will be renamed with random alpha-numerical characters and have the .zepto extension appended to the end of the encrypted data filename (i.e. 024BCD33-41D1-ACD3-3EEA-84083E322DFA.zepto) and leave files (ransom notes) named _(4_digit_number)_HELP_instructions.txt/.bmp/.html (i.e. _6789_HELP_INSTRUCTIONS.txt, _6789_HELP_INSTRUCTIONS.bmp, _6789_HELP_INSTRUCTIONS.html) as explained here.

Any files that are encrypted with the Locky (.ODIN) ransomware variant will be renamed with random alpha-numerical characters and have the .odin extension appended to the end of the encrypted data filename (i.e. 5FBZ55IG-S575-7GEF-2C7B-5B22862C2225.odin) and leave files (ransom notes) named _HOWDO_text.html, _HOWDO_text.bmp and _[2_digit_number]_HOWDO_text.html as explained here. Some victims of this variant have reported ransom notes in sequential order _1_HOWDO_text.html, _2_HOWDO_text.html, _3_HOWDO_text.html, _4_HOWDO_text.html, etc.

Any files that are encrypted with the Locky (.SH*T) ransomware variant will be renamed with random alpha-numerical characters and have the .sh*t extension appended to the end of the encrypted data filename (i.e. 4AEZ33IH-S626-4GDK-2D5G-5B45713N3334.SH*T) and leave files (ransom notes) named _WHAT_is.html, _WHAT_is.bmp and _[2_digit_number]_WHAT_is.html as explained here.

Any files that are encrypted with the Locky (.THOR) ransomware variant will be renamed with random alpha-numerical characters and have the .thor extension appended to the end of the encrypted data filename (i.e. 024BCD33-41D1-ACD3-3EEA-84083E322DFA.thor) as explained here.

Any files that are encrypted with the Locky (.AESIR) ransomware variant will be renamed with random alpha-numerical characters and have the .thor extension appended to the end of the encrypted data filename (i.e. 016CCB88-61B1-ACB8-8FFA-86088F811BFA.aesir) and leave files (ransom notes) named [number]-INSTRUCTION.html, -INSTRUCTION.html, -INSTRUCTION.bmp as explained here.

Any files that are encrypted with the Locky (.ZZZZZ) ransomware variant will be renamed with random alpha-numerical characters and have the .thor extension appended to the end of the encrypted data filename (i.e. 016CCB88-61B1-ACB8-8FFA-86088F811BFA.zzzzz) and leave files (ransom notes) named [number]-INSTRUCTION.html, -INSTRUCTION.html, -INSTRUCTION.bmp as explained here.

This is the official support topic if you confirm the infection.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click here.
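The variant table in the post above is exactly what a first-responder wants in a script: given a directory listing from the affected machine, count files whose name has been replaced by the random stem plus a known Locky extension, count ransom notes by name pattern, and report which variant the evidence points to. The block below is an added example written for this thread; it is not code from BleepingComputer or from any of the posters. It keys each variant on the extension shown in that variant's example filename in the post (so .aesir and .zzzzz, whose descriptions both say ".thor", are matched on .aesir and .zzzzz), keeps the post's ".SH*T" spelling as-is, and uses a constructed listing modelled on the .zzzzz case reported later in the thread. Because the post gives identical ransom-note names for the .AESIR and .ZZZZZ variants, the example lets encrypted-file evidence decide and only falls back to notes when no renamed files are present.

```python
"""Locky variant triage from a file listing.

Added example for this thread, not code from BleepingComputer or from the
posters. It encodes the extension and ransom-note naming patterns quietman7
lists above into a lookup table and reports which variant the evidence points
to. Assumptions: the listing is plain filenames or full paths (Windows or
POSIX separators); variants are keyed by the extension shown in each example
filename in the post; the sample listing below is constructed.
"""
import re
from collections import Counter

# Extension -> (variant label, ransom-note filename regexes), per the post above.
# The .SH*T spelling is kept exactly as the post gives it.
LOCKY_VARIANTS = {
    ".locky": ("Locky (original)",
               [r"_Locky_recover_instructions\.txt", r"_HELP_INSTRUCTIONS\.txt"]),
    ".zepto": ("Locky (.ZEPTO)", [r"_\d{4}_HELP_instructions\.(txt|bmp|html)"]),
    ".odin":  ("Locky (.ODIN)",  [r"_HOWDO_text\.(html|bmp)", r"_\d{1,2}_HOWDO_text\.html"]),
    ".sh*t":  ("Locky (.SH*T)",  [r"_WHAT_is\.(html|bmp)", r"_\d{1,2}_WHAT_is\.html"]),
    ".thor":  ("Locky (.THOR)",  []),
    ".aesir": ("Locky (.AESIR)", [r"\d*-INSTRUCTION\.(html|bmp)"]),
    ".zzzzz": ("Locky (.ZZZZZ)", [r"\d*-INSTRUCTION\.(html|bmp)"]),
}

# Renamed data files: 32 hex chars (original Locky) or a GUID-shaped
# 8-4-4-4-12 block of digits and upper-case letters (later variants).
RENAMED_RE = re.compile(r"[0-9A-F]{32}|[0-9A-Z]{8}(-[0-9A-Z]{4}){3}-[0-9A-Z]{12}")


def classify_listing(filenames):
    """Return a dict with the inferred variant and the evidence counts."""
    encrypted = Counter()   # variant label -> renamed + re-extensioned files
    notes = Counter()       # variant label -> ransom notes seen
    for name in filenames:
        base = re.split(r"[\\/]", name)[-1]
        stem, dot, ext = base.rpartition(".")
        ext = ("." + ext.lower()) if dot else ""
        # Count a data file only when both signals agree: known extension AND
        # the random renamed stem. "report.docx.zzzzz" is therefore not counted.
        if ext in LOCKY_VARIANTS and RENAMED_RE.fullmatch(stem):
            encrypted[LOCKY_VARIANTS[ext][0]] += 1
        for label, patterns in LOCKY_VARIANTS.values():
            if any(re.fullmatch(p, base, re.IGNORECASE) for p in patterns):
                notes[label] += 1
    # Encrypted-file evidence wins: .aesir and .zzzzz use identical note names,
    # so notes alone cannot separate those two variants.
    if encrypted:
        variant = encrypted.most_common(1)[0][0]
    elif notes:
        variant = notes.most_common(1)[0][0]
    else:
        variant = None
    return {"variant": variant,
            "encrypted_files": dict(encrypted),
            "ransom_notes": dict(notes)}


# Constructed listing resembling the .zzzzz case reported in post #5.
SAMPLE_LISTING = [
    r"C:\Users\secc\Documents\016CCB88-61B1-ACB8-8FFA-86088F811BFA.zzzzz",
    r"C:\Users\secc\Documents\7A1C0F22-4B3D-ACD3-3EEA-84083E322DFA.zzzzz",
    r"C:\Users\secc\Documents\-INSTRUCTION.html",
    r"C:\Users\secc\Documents\-INSTRUCTION.bmp",
    r"C:\Users\secc\Documents\3-INSTRUCTION.html",
    r"C:\Users\secc\Documents\report.docx.zzzzz",   # extension only, stem kept
    r"C:\Users\secc\Documents\Outlook\secc.pst",    # untouched, as in post #5
]

if __name__ == "__main__":
    print(classify_listing(SAMPLE_LISTING))
```

Run it on the output of `dir /s /b` (or `find`) from the infected machine; a high encrypted-file count for one variant plus matching notes is the evidence to take to ID Ransomware, and a zero result on a machine that shows a ransom screen means the family is not one of the Locky variants listed here.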

#5 secc123 (Topic Starter)

Posted 01 December 2016 - 12:54 PM

Hi Ransomware Hunter and quietman7, you were both bang on - it's the Locky zzzzz variant. All files are encrypted so it's a wipe unfortunately. I did notice that it never encrypted the *.pst files for Office (at least they aren't renamed anyway). In your opinion, are these PSTs safe to copy to a new system? Obviously the original infected email(s) will be in them, but they can be deleted once it's loaded in Office.

Thank you both for your quick responses, it is very much appreciated.

Secc



#6 Demonslay335 (Ransomware Hunter, Security Colleague)

Posted 01 December 2016 - 01:46 PM

The encrypted files themselves are not infectious. The user may have been lucky with the PST being locked by the Outlook process, preventing the malware from encrypting it. It is safe to transfer over, just delete the email in question like you said. It should be an attachment with a zip file, and a file inside with a double-extension (e.g. invoice.pdf.wsf or something). It is safe as long as you do not open the attachment and run the file inside the zip file.


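The delivery pattern described above (a zip attachment whose inner file carries a document-looking name followed by a script extension, such as invoice.pdf.wsf) is easy to check for before anyone opens the message, which is how a helpdesk or mail gateway would triage the PST contents safely. The block below is an added example written for this thread, not code from BleepingComputer or from the posters. The extension lists are this example's own choice, and the sample zip is constructed in memory with placeholder text in its entries, so nothing in it is a script.

```python
"""Flag zip attachments carrying a double-extension script (e.g. invoice.pdf.wsf).

Added example for this thread, not code from BleepingComputer or the posters.
It implements the check Demonslay335 describes above as a triage step a mail
gateway or helpdesk tool could run before anyone opens the attachment.
Assumptions: the extension lists are this example's own choice; the sample zip
is constructed in memory and its entries hold placeholder text, not scripts.
"""
import io
import zipfile

# Extensions Windows will execute when double-clicked (script hosts, binaries).
EXECUTABLE_EXTS = {"wsf", "js", "jse", "vbs", "vbe", "hta", "exe", "scr", "cmd", "bat", "ps1"}
# Extensions that make the name look like a harmless document.
DECOY_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png"}


def inspect_attachment(zip_bytes):
    """Return a list of {name, reason} findings for the entries in a zip."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for entry in zf.namelist():
            # Look at the last path component only; split on dots to see every extension.
            parts = entry.rsplit("/", 1)[-1].lower().split(".")
            if len(parts) < 2:
                continue
            final = parts[-1]
            if final in EXECUTABLE_EXTS and len(parts) >= 3 and parts[-2] in DECOY_EXTS:
                findings.append({"name": entry, "reason": "double extension hiding executable"})
            elif final in EXECUTABLE_EXTS:
                findings.append({"name": entry, "reason": "executable inside archive"})
    return findings


def build_sample_attachment():
    """Constructed zip: one decoy double-extension, one plain script, two benign files."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.pdf.wsf", "placeholder text, not a script")
        zf.writestr("invoice.pdf", "placeholder text")
        zf.writestr("readme.txt", "placeholder text")
        zf.writestr("update.js", "placeholder text, not a script")
    return buf.getvalue()


if __name__ == "__main__":
    for f in inspect_attachment(build_sample_attachment()):
        print(f"{f['name']}: {f['reason']}")
```

Only the archive's name table is read; no entry is extracted or executed, so the check is safe to run against a suspect attachment saved from the recovered PST. Windows hides known extensions by default, which is why "invoice.pdf.wsf" shows up to the user as "invoice.pdf" and why the name-level check matters.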


#7 secc123 (Topic Starter)

Posted 01 December 2016 - 01:55 PM

Hi Demonslay335, thanks again for your advice. I just wanted to confirm and put my mind at ease that they are safe, which you have done.

You guys are so helpful, I know I said it earlier but it is greatly appreciated.

Many, many thanks

Secc

(mods - this can be marked solved)



#8 quietman7 (Bleepin' Janitor, Global Moderator)

Posted 01 December 2016 - 02:21 PM

You're welcome on behalf of the Bleeping Computer community.

Rather than have everyone with individual topics, it would be best (and more manageable for staff) if you posted any more questions, comments or requests for assistance in the above support topic discussion. To avoid unnecessary confusion, this topic is closed.

Thanks
The BC Staff



