
Ransomware ID and Decryption Help


This topic is locked
6 replies to this topic

#1 MrWonton42

Members, 11 posts

Posted 07 December 2016 - 12:45 PM

Hello all,

 

I am looking for some assistance in identifying a particular flavor of ransomware that I have recently come across. It appends the file extension .Locked to the files and changes the background to an image that just says HACKED and under it is a bitcoin wallet. The ransom is .25 BTC after 24hrs and .35 BTC after. There is no personal ID or email contact on the image either. I was thinking it could have been Stampado or another flavor of Hidden Tear/EDA2; however, I have not found the usual ransom note text file yet, as the IT contractor that came in initially flattened everything with AV, so I cannot use the ID tool that is available.

 

Malwarebytes logs grabbed this when it was run by the IT company:

 

<file><path>C:\ProgramData\Hewlett-Packard\Locker\1.0.0.0\krypto.exe</path><vendor>Trojan.TeslaKeyLogger.AutoIt</vendor><action>success</action><hash>32c28a584d4da88e319f7336bf41b34d</hash></file>


#2 Demonslay335 (Ransomware Hunter)

Security Colleague, 3,472 posts

Posted 07 December 2016 - 05:42 PM

Can you share a few of the encrypted files? We have an idea of what may have encrypted the files, but need to confirm.


ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]
RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]
CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.


#3 quietman7 (Bleepin' Janitor)

Global Moderator, 51,271 posts

Posted 07 December 2016 - 07:21 PM

CryptoShocker, Stampado, Philadelphia, BankAccountSummary, RAA-SEP, Uyari, PokemonGo, Russian EDA2, JobCrypter, Zyklon Locker (GNL), ApocalypseVM, KimcilWare Ransomware and LOCKED Ransomware all append the .locked extension to the end of the affected filename. Stampado does not leave any ransom notes.

If you submit a few of the encrypted files, Demonslay335 should be able to manually inspect them.

Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click here.

#4 MrWonton42 (Topic Starter)

Members, 11 posts

Posted 08 December 2016 - 10:04 AM

All, 

 

Thank you for the replies. Here are some of the files that got hit with the encryption, as well as a picture I received of the computer background after the encryption took place. I did a hex compare of two of the files in BurpSuite and noticed that the headers on the encrypted files are exactly the same and the files have very high levels of entropy until the latter end of the data. I am not versed enough in crypto reverse engineering to know what exactly I am looking at beyond that though. Any assistance is appreciated though. 

 

https://www.dropbox.com/sh/bvdpxqu7nm09ove/AABt339G-9btNEY-EMP-ZKtTa?dl=0

 

Thank you 



#5 Demonslay335 (Ransomware Hunter)

Security Colleague, 3,472 posts

Posted 08 December 2016 - 10:09 AM


Good news on this, it's actually Jigsaw. I've updated the decrypter to handle that extension. You can use this decrypter: https://www.bleepingcomputer.com/download/jigsaw-decrypter/




#6 MrWonton42 (Topic Starter)

Members, 11 posts

Posted 08 December 2016 - 10:13 AM

Demonslay335

 

You sir are a gentleman and a scholar... A true life saver!!!!

 

Thank you mate!!!!



#7 quietman7 (Bleepin' Janitor)

Global Moderator, 51,271 posts

Posted 08 December 2016 - 05:43 PM

Rather than have everyone with individual topics, it would be best (and more manageable for staff) if you posted any more questions, comments or requests for assistance in the below support topic discussion. To avoid unnecessary confusion, this topic is closed.

Thanks
The BC Staff
