LoveServer Ransomware Support ("Backup Don't Delete" file, R-E-A-D-M-E.txt)


14 replies to this topic

#1 Kike77sp

Posted 12 December 2016 - 05:51 PM

Hello,

I am a new victim of an attack of this type.
The problem is that the kidnapper has "moved" all the encrypted files into a single file called "BACKUP DONT DELETE".
It has no extension and is 99 GB in size.
 
The note is: R-E-A-D-M-E.txt
"
Hello,

I crypted all your important data
I stored the crypted data in your hard disk.
If you want to become your date back, send me an email containing your ip adress.

Your ip adress: X.X.X.X

Email: love.server@mail.ru
"

And it is not recognized by ID Ransomware:
Please reference this case SHA1: 01472d6d913b0aa1fe8e7fa5bc72311d74ecdaae

Should I create a new thread instead?

Thank you

Edited by quietman7, 12 December 2016 - 07:56 PM.



#2 quietman7

Posted 12 December 2016 - 06:35 PM

Kike77sp wrote: ...Should I create a new thread instead?...

Wait for Demonslay335 to look into this first.

#3 Demonslay335

Posted 12 December 2016 - 06:39 PM

@Kike77sp

I've seen that note come through ID Ransomware's alert system a few times and have been unable to find any more information on it. It definitely looks new. If the files are compressed into one file, that may explain why no victims have uploaded any encrypted files along with them.

If you have a sample of the malware or know how you got it, that would be very helpful. You may submit any malicious programs here: http://www.bleepingcomputer.com/submit-malware.php?channel=168

Of note, I have only seen submissions from Spain for this one, six unique IPs so far since 06/17/16. Older submissions have the same note, but with the email address "file.recover@mail.ru".

@quietman7

You may move this to a new thread please, it seems to be a new variant.


Edited by Demonslay335, 12 December 2016 - 06:42 PM.



#4 quietman7

Posted 12 December 2016 - 06:47 PM

Done. We can edit the title when we get a name.

#5 Demonslay335

Posted 12 December 2016 - 06:50 PM

Thanks. I've just named it "LoveServer" on ID Ransomware for now, victims will be pointed to this topic upon identification of the note and email addresses.

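The posts above give three concrete indicators for this family: the R-E-A-D-M-E.txt note with its two known contact addresses (love.server@mail.ru, and file.recover@mail.ru in older submissions), the extensionless "BACKUP DONT DELETE" container, and original folders left holding nothing but the note. The following triage script, an added example that is not code from this thread, from ID Ransomware or from any tool named here, walks a share and reports all three. The note phrases and addresses are taken from the thread; the sample tree it builds, the victim IP 203.0.113.7 and the 4 KB stand-in for the 99 GB container are constructed for the demo.

```python
import os
import re
import tempfile
from dataclasses import dataclass, field

# Indicators taken from this thread: the note filename, the two contact
# addresses seen on ID Ransomware submissions, and the extensionless file
# that the victim's data was packed into.
NOTE_NAME = "R-E-A-D-M-E.txt"
KNOWN_CONTACTS = {"love.server@mail.ru", "file.recover@mail.ru"}
CONTAINER_NAME = "BACKUP DONT DELETE"

# Phrases copied from the note quoted in post #1 (typos deliberately kept,
# since they are part of what identifies this note).
NOTE_PHRASES = ("i crypted all your important data",
                "send me an email containing your ip adress")
IP_RE = re.compile(r"Your ip adress:\s*(\S+)", re.IGNORECASE)
EMAIL_RE = re.compile(r"Email:\s*([\w.+-]+@[\w.-]+)", re.IGNORECASE)


@dataclass
class Findings:
    notes: list = field(default_factory=list)         # (path, victim_ip, contact_email)
    containers: list = field(default_factory=list)    # (path, size_in_bytes)
    emptied_dirs: list = field(default_factory=list)  # directories holding only the note


def parse_note(text):
    """Return (victim_ip, contact_email) if text is a LoveServer note, else None."""
    lowered = text.lower()
    if not all(phrase in lowered for phrase in NOTE_PHRASES):
        return None
    ip = IP_RE.search(text)
    email = EMAIL_RE.search(text)
    return (ip.group(1) if ip else None, email.group(1).lower() if email else None)


def is_known_contact(email):
    """True if the note's contact address is one already tied to this family."""
    return email is not None and email.lower() in KNOWN_CONTACTS


def scan(root):
    """Walk a share and collect the three indicators described in the thread."""
    found = Findings()
    for dirpath, dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if name == NOTE_NAME:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    parsed = parse_note(fh.read())
                if parsed:
                    found.notes.append((path,) + parsed)
            # The container was quoted with and without an apostrophe; it had
            # no extension, so require that too before flagging a file.
            elif (name.upper().replace("'", "") == CONTAINER_NAME
                  and not os.path.splitext(name)[1]):
                found.containers.append((path, os.path.getsize(path)))
        # Post #10: the original folders were left holding only the note.
        if not dirnames and filenames == [NOTE_NAME]:
            found.emptied_dirs.append(dirpath)
    return found


def build_sample(root):
    """Construct a small tree imitating the layout described in the thread."""
    note = ("Hello,\n\nI crypted all your important data\n"
            "I stored the crypted data in your hard disk.\n"
            "If you want to become your date back, send me an email "
            "containing your ip adress.\n\n"
            "Your ip adress: 203.0.113.7\n\nEmail: love.server@mail.ru\n")
    for sub in ("Docs", "Photos"):
        os.makedirs(os.path.join(root, sub))
        with open(os.path.join(root, sub, NOTE_NAME), "w", encoding="utf-8") as fh:
            fh.write(note)
    os.makedirs(os.path.join(root, "Active"))  # an untouched folder for contrast
    with open(os.path.join(root, "Active", "report.docx"), "wb") as fh:
        fh.write(b"PK\x03\x04 placeholder, not a real document")
    with open(os.path.join(root, CONTAINER_NAME), "wb") as fh:
        fh.write(b"\x00" * 4096)  # stands in for the 99 GB container


def demo():
    """Build the sample tree in a temp directory and scan it."""
    root = tempfile.mkdtemp(prefix="loveserver_")
    build_sample(root)
    return scan(root)


if __name__ == "__main__":
    import sys
    result = scan(sys.argv[1]) if len(sys.argv) > 1 else demo()
    for path, ip, email in result.notes:
        tag = "known contact" if is_known_contact(email) else "unknown contact"
        print(f"note   {path}  victim_ip={ip}  email={email} ({tag})")
    for path, size in result.containers:
        print(f"blob   {path}  {size} bytes")
    for path in result.emptied_dirs:
        print(f"empty  {path}")
```

Run it with the share root as the only argument (`python loveserver_triage.py /mnt/share`); with no argument it scans the constructed sample. A note whose contact address is not in KNOWN_CONTACTS is still reported, since the thread shows the address changing between submissions.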


#6 Kike77sp

Kike77sp
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:04:53 PM

Posted 13 December 2016 - 03:24 AM

Demonslay335 wrote: ...If you have a sample of the malware or know how you got it, that would be very helpful. You may submit any malicious programs here: http://www.bleepingcomputer.com/submit-malware.php?channel=168...

Thank you for answering me.

OK, the infected computer is one at my girlfriend's workplace; I will ask whether she received a suspicious email or something similar.

Please tell me everything you think I can try. I will keep this file.



#7 Amigo-A

Posted 13 December 2016 - 01:54 PM

Kike77sp wrote: ...all encrypted files to a single called: "BACKUP DONT DELETE"...

Kike77sp

Is it possible to post a screenshot showing the list of your files?




#8 Kike77sp

Posted 13 December 2016 - 08:58 PM

Amigo-A wrote: ...Is it possible to post a screenshot showing the list of your files?...

Hello Amigo-A

There is only one 99 GB file without an extension; the original folders are empty, so I think all the files are inside it.

I cannot get more information yet.



#9 Amigo-A

Posted 14 December 2016 - 05:40 AM

Kike77sp

OK, I understand. Thanks! All the files were archived into "BACKUP DONT DELETE", which had its extension removed.
I would like to know: is this your home PC or a server?
After the system boots, which folders are empty: Desktop, Downloads, Documents, other disks?

Edited by Amigo-A, 14 December 2016 - 05:41 AM.



#10 Kike77sp

Posted 15 December 2016 - 05:16 PM

Amigo-A wrote: ...I would like to know: is this your home PC or a server? After the system boots, which folders are empty: Desktop, Downloads, Documents, other disks?...

It is a server; it was where the shared folders of the other computers were. Now all the folders are empty except for the kidnapper's message.
And yes, no backup!
A disaster :/



#11 Amigo-A

Posted 18 December 2016 - 06:55 AM

Kike77sp

Maybe this is not a disaster yet.
The files normally found in shared network folders are a collection gathered from elsewhere. If the local computers are not affected, the necessary files (the originals) may be on those computers.



#12 Kike77sp

Posted 19 December 2016 - 03:39 AM

Amigo-A wrote: ...Maybe this is not a disaster yet. The files normally found in shared network folders are a collection gathered from elsewhere. If the local computers are not affected, the necessary files (the originals) may be on those computers...

I don't understand. PC "A" used a folder on server "X", and the server lost all its files.

Are there hidden files from this folder on PC "A"? Where? In the temp folder of the profile?



#13 Amigo-A

Posted 19 December 2016 - 09:39 AM

How was the shared network folder created?
By copying files from the client PCs, or by distributing them from the server PC? Yes?
When files are copied from a client PC (or onto a client PC) to a shared network folder located on a server, copies of those files may still be lying on the client PCs.

Edited by Amigo-A, 19 December 2016 - 10:18 AM.



#14 Kike77sp

Posted 19 December 2016 - 03:55 PM

Ehhh, I'm not an expert, but I think not.

On the server PC there was a folder with the data, and the client PCs worked directly in that path.

I think there is nothing on the client PCs; maybe only some temp files in the profile.



#15 Infoself

Posted 21 February 2017 - 06:57 AM

Greetings

I'm new on these forums.

I'm an IT person from Spain who arrived here searching for the "R-E-A-D-M-E.txt" and "backup don't delete" file symptoms on a customer's server. In my case, the infected machine is an old 2003 server with Citrix, and it seems the virus got in through an email client running under Citrix with full domain admin privileges (hell yeah, I know, I know :oopsign: ).

I've noticed that it deleted (and, I suppose, encrypted into the "don't delete" file) the full DATA folder of the SQL Server on this server (hell yeah, round 2 :ranting: ). I've also found remains in MSCONFIG to run an "_uninstall_[random numbers]" BAT file at this admin user's logon, which I suppose the virus uses to delete its components and make it harder to find info about it. At least, antivirus tools have still found nothing on the systems. At this point I thought "No problem mate, you have a daily full image with Veeam backup" (the server was virtualized two years ago).

But there was still one more surprise. I found the backup disk on the backup server EMPTY. More accurately, the Veeam backup files were deleted; the folder structure remains (hell yeah, round 3, fatality :rip: ). I fear that this bastard version of the virus, if it obtains admin rights, scans the network searching for disks that contain backups in order to delete them (accessing them through the administrative [drive_letter]$ share that Windows creates automatically; it was a USB disk).

I'm saying all of this to warn other people about the bad habit of maintaining very old, not-so-well-tuned systems because customers don't want to pay to upgrade and improve them (just unplug them or run for your lives far away, let others eat that bleep!). Also to see whether what I'm describing is behaviour similar to what you have found on other infected systems. If it is, I've tried to find decryption tools (for example, on https://www.nomoreransom.org/), but I don't know whether a tool for this bastard exists or how it's identified. Is its "official" name LoveServer ransomware? Should I search under another name? As I said, antivirus tools found nothing, so I can only identify it by its behaviour.

Hope some of you can help me a bit.

Anyway, thanks a lot in advance for your attention and for the work you do here; it has been very helpful to me at other times.

PS: Please excuse me for the hundreds of times I've probably murdered the Oxford grammar books writing this text. I don't speak English as well as I should.


Edited by Infoself, 21 February 2017 - 07:14 AM.
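Infoself's one host-side artifact is an autorun entry that launches an "_uninstall_[random numbers]" BAT file at the admin user's logon. msconfig's Startup tab is populated from the Run/RunOnce registry keys (and the Startup folders), so the quickest way to sweep other hosts for the same remnant is to export those keys and grep the export. The script below is an added example, not code from this thread or from any named tool; it assumes the BAT was launched from a Run or RunOnce value (the post only says "MSCONFIG"), and the SID, value names and paths in SAMPLE_REG are constructed for the demo.

```python
import re

# Autorun locations msconfig's Startup tab reads (per-machine and per-user
# Run/RunOnce). Matched by suffix so HKLM, HKCU and HKU\<SID> exports all work.
RUN_KEY_SUFFIXES = tuple(s.lower() for s in (
    r"\Software\Microsoft\Windows\CurrentVersion\Run",
    r"\Software\Microsoft\Windows\CurrentVersion\RunOnce",
))
# The remnant Infoself reported: "_uninstall_" plus digits, run as a .bat.
SUSPECT_RE = re.compile(r"_uninstall_\d+\.bat", re.IGNORECASE)
# Any batch/cmd script in an autorun is unusual enough to deserve a look.
SCRIPT_RE = re.compile(r"\.(?:bat|cmd)\b", re.IGNORECASE)
# A .reg value line: "name"=data  or  @=data (default value).
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')


def parse_reg_export(text):
    """Parse the text of a `reg export` file into {key: {value_name: data}}.

    Quoted (REG_SZ) data is unescaped; other value types are kept as raw text.
    """
    entries = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            entries.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if current is None or not m:
            continue
        name = m.group(1) if m.group(1) is not None else "(Default)"
        data = m.group(2)
        if data.startswith('"') and data.endswith('"'):
            # .reg files double backslashes and escape quotes inside strings.
            data = data[1:-1].replace("\\\\", "\\").replace('\\"', '"')
        entries[current][name] = data
    return entries


def audit_autoruns(entries):
    """Return (severity, key, value_name, command) for suspicious Run entries."""
    findings = []
    for key, values in entries.items():
        if not key.lower().endswith(RUN_KEY_SUFFIXES):
            continue
        for name, data in values.items():
            if SUSPECT_RE.search(data):
                findings.append(("high", key, name, data))
            elif SCRIPT_RE.search(data):
                findings.append(("review", key, name, data))
    return findings


# Constructed sample export: the SID, paths and value names are made up.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VMware User Process"="\"C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe\" -n vmusr"

[HKEY_USERS\S-1-5-21-1111-2222-3333-500\Software\Microsoft\Windows\CurrentVersion\Run]
"_uninstall_48213"="C:\\Windows\\Temp\\_uninstall_48213.bat"
"Citrix Receiver"="\"C:\\Program Files (x86)\\Citrix\\ICA Client\\concentr.exe\" /startup"

[HKEY_USERS\S-1-5-21-1111-2222-3333-500\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"cleanup"="cmd.exe /c C:\\Temp\\cleanup.cmd"
'''


def demo():
    """Audit the constructed sample export."""
    return audit_autoruns(parse_reg_export(SAMPLE_REG))


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        # reg.exe writes its exports as UTF-16 LE with a BOM.
        with open(sys.argv[1], encoding="utf-16") as fh:
            results = audit_autoruns(parse_reg_export(fh.read()))
    else:
        results = demo()
    for severity, key, name, cmd in results:
        print(f"[{severity}] {key} :: {name} = {cmd}")
```

On a Windows host, `reg export HKLM\Software\Microsoft\Windows\CurrentVersion\Run hklm-run.reg` (and the same for HKCU and RunOnce) produces the input; copy the files off and run the script against each. A "high" hit gives the path of the BAT to pull for analysis; any "review" hit is just a script in an autorun and needs a human to decide.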
