
V8Locker Ransomware (!__recoverynow@india.com__.v8) Support & Help Topic


8 replies to this topic

#1 phildowns

phildowns

  • Members
  • 3 posts
  • OFFLINE
  • Local time:01:24 AM

Posted 14 December 2016 - 11:49 AM

Hello All,

 

We're into day 2 of a Windows Server 2012 R2 ransomware infection. Have yet to identify the specific ransomware or find the source of the infection.

After an attempted server and workstation cleanup yesterday, and file server recovery from shadow copies, the ransomware did its dirty work again overnight.

 

The ransomware leaves a ransom note in each affected directory with a filename of recoveryinstruction.txt. The contents are as follows:

 

What happened to your files ?
All of your files were protected by a strong encryption with RSA-2048. More information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)
 
What does this mean ?
This means that the structure and data within your files have been irrevocably changed, you will not be able to work with them, read them or see them, it is the same thing as losing them forever, but with our help, you can restore them.
 
CONTACT US BY EMAIL: recoverynow@india.com
 
Each encrypted file has the following extension: !__recoverynow@india.com__.v8
For example, an encrypted powerpoint file might have this name:  MyPresentation.pptx!__recoverynow@india.com__.v8
The malicious encryption got all the way into our Sage300 accounting system, so it is affecting more than just common file types.
 
We've analyzed who has access to which damaged file shares on the server and narrowed down the list of likely infected workstations to 6. So far we have scanned with AVG CloudCare and Malwarebytes Anti-Malware on the server and workstations with no infection found.
 
Any targeted advice would be greatly appreciated!



#2 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 49,905 posts
  • OFFLINE
  • Gender:Male
  • Location:Virginia, USA
  • Local time:01:24 AM

Posted 14 December 2016 - 01:31 PM


You can submit samples of encrypted files and ransom notes to ID Ransomware for assistance with identification and confirmation. This is a service that helps identify what ransomware may have encrypted your files and then attempts to direct you to an appropriate support topic where you can seek further assistance. Uploading both encrypted files and ransom notes together provides a more positive match and helps to avoid false detections. If ID Ransomware cannot identify the infection, you can post the case SHA1 it gives you in your next reply for Demonslay335 to manually inspect the files.

Samples of any encrypted files, ransom notes or suspicious executable's (installer, malicious files, attachments) that you suspect were involved in causing the infection can be submitted here (https://www.bleepingcomputer.com/submit-malware.php?channel=168) with a link to this topic. There is a "Link to topic where this file was requested" box under the Browse... button. Doing that will be helpful with analyzing and investigating by our crypto malware experts.
Microsoft MVP Consumer Security 2007-2015
Microsoft MVP Reconnect 2016
Windows Insider MVP 2017
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click here.

#3 phildowns

phildowns
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  • Local time:01:24 AM

Posted 14 December 2016 - 01:49 PM

Thanks for the guidance.

 

ID Ransomware was not able to identify the type of infection.

Here's the SHA1 for my submission: b05ccf6ceb8d0b7dd6ece4ed495f102c879e8c20

I also submitted information about our ransomware on the ID Ransomware contact page.

 

I posted the ransom note and example encrypted file to submit-malware.php page as requested.

-Phil



#4 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 49,905 posts
  • OFFLINE
  • Gender:Male
  • Location:Virginia, USA
  • Local time:01:24 AM

Posted 14 December 2016 - 01:55 PM

Ok. Demonslay335 will probably check this topic the next time he logs in.

#5 phildowns

phildowns
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  • Local time:01:24 AM

Posted 14 December 2016 - 03:14 PM

Great. We've expanded to using AVG CloudCare, ESET, and Malwarebytes Anti-Malware for scanning. No ID of the infected machine yet.

My focus now is using network share monitoring tools to look for the user/computer that is causing the issue. Will look forward to hearing from Demonslay335.



#6 Demonslay335

Demonslay335

    Ransomware Hunter


  • Security Colleague
  • 3,243 posts
  • OFFLINE
  • Gender:Male
  • Location:USA
  • Local time:12:24 AM

Posted 15 December 2016 - 11:07 PM

I did see that ransom note come through the warning system, but I haven't found much info on it either. If you happen to catch the malware, we'd love to have a sample of it. Usually, the user who is infected will become the new owner of the encrypted files, so that should help narrow down patient zero.

 

Do you believe it came in via RDP, or an infected workstation (which could be email, exploit kit, or bad download)?

 

I'll set up a rule to point victims to this topic. For now, until more information is found, I will just call it "V8Locker".

 

The pattern of the filename almost looks similar to Gomasom (e.g. picture.jpg!___<email>_.crypt), but that would have been identified by hex pattern on ID Ransomware. It also looks similar to RotorCrypt (e.g. picture.jpg!____cocoslim98@gmail.com____.tar)


Edited by Demonslay335, 15 December 2016 - 11:15 PM.

ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.
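The post above makes two practical points for responders: the NTFS owner of the newly written encrypted files usually identifies the infected account ("patient zero"), and the rename pattern (`name!__email__.v8`) distinguishes this family from look-alikes such as Gomasom and RotorCrypt. The following PowerShell script is an added example written for this topic; it is not code from any poster or from ID Ransomware. It assumes a placeholder share path, uses only the three filename patterns quoted in the thread, and runs on the file server itself (Get-Acl and Get-SmbSession are standard on Windows Server 2012 R2).

```powershell
# Added example (not from this thread or its posters): triage encrypted files on a
# share to find "patient zero" by NTFS owner, and classify the rename pattern.
# Assumptions: $Path is a placeholder share; the three filename patterns are the
# ones quoted in the posts above (V8Locker, Gomasom, RotorCrypt).
param(
    [string]$Path = '\\FILESERVER\Share',          # placeholder, set to the hit share
    [string]$NoteName = 'recoveryinstruction.txt'  # ransom note name from post #1
)

# Filename patterns quoted in this topic. Each captures the original file name
# and the contact address embedded in the renamed file.
$Patterns = [ordered]@{
    'V8Locker'   = '^(?<orig>.+)!__(?<email>[^_]+@[^_]+?)__\.v8$'
    'Gomasom'    = '^(?<orig>.+)!___(?<email>[^_]+@[^_]+?)_\.crypt$'
    'RotorCrypt' = '^(?<orig>.+)!____(?<email>[^_]+@[^_]+?)____\.tar$'
}

function Get-RansomwareFileInfo {
    # Returns the matching family, original name and e-mail, or $null if no pattern fits.
    param([Parameter(Mandatory)][string]$Name)
    foreach ($family in $Patterns.Keys) {
        if ($Name -match $Patterns[$family]) {
            return [pscustomobject]@{
                Family   = $family
                Original = $Matches.orig
                Email    = $Matches.email
            }
        }
    }
    return $null
}

# Sanity check against the example name from the ransom note in post #1.
Get-RansomwareFileInfo -Name 'MyPresentation.pptx!__recoverynow@india.com__.v8'

# Walk the share and record family, NTFS owner and last-write time per hit.
# The owner is the account that created the new encrypted file, which on a file
# server is normally the infected user's domain account.
$Encrypted = Get-ChildItem -Path $Path -Recurse -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $info = Get-RansomwareFileInfo -Name $_.Name
        if ($info) {
            [pscustomobject]@{
                FullName      = $_.FullName
                Family        = $info.Family
                Email         = $info.Email
                Owner         = (Get-Acl -LiteralPath $_.FullName).Owner
                LastWriteTime = $_.LastWriteTime
            }
        }
    }

if (-not $Encrypted) { Write-Warning "No files matching the known patterns under $Path"; return }

# Owners of the encrypted files, most frequent first: the dominant account is the
# likely patient zero, and the count shows how much of the share it reached.
"`nOwners of encrypted files:"
$Encrypted | Group-Object Owner | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# Ransom notes are dropped by the same process, so their owners should agree.
"`nOwners of $NoteName files:"
Get-ChildItem -Path $Path -Recurse -File -Filter $NoteName -ErrorAction SilentlyContinue |
    ForEach-Object { (Get-Acl -LiteralPath $_.FullName).Owner } |
    Group-Object | Select-Object Count, Name | Format-Table -AutoSize

# Time window of the encryption run: tells you which shadow copies predate it and
# which file-share audit events (Detailed File Share, event ID 5145) to pull.
$Sorted = @($Encrypted | Sort-Object LastWriteTime)
"`nEncryption window: $($Sorted[0].LastWriteTime) to $($Sorted[-1].LastWriteTime)"

# Which workstation? Open SMB sessions from the top owner account point at the host.
$TopOwner = @($Encrypted | Group-Object Owner | Sort-Object Count -Descending)[0].Name
$UserPart = $TopOwner.Split('\')[-1]
"`nSMB sessions for ${TopOwner}:"
Get-SmbSession -ErrorAction SilentlyContinue |
    Where-Object { "$($_.ClientUserName)" -like "*$UserPart*" } |
    Select-Object ClientComputerName, ClientUserName, NumOpens | Format-Table -AutoSize
```

Run it once per affected share from an elevated prompt on the file server. If the owner tally points at a single domain account, that account's workstation is the one to isolate and image before any further cleanup; if owners are spread evenly, the encryption more likely ran on the server itself (for example via RDP), which is the distinction Demonslay335 asks about.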


#7 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 49,905 posts
  • OFFLINE
  • Gender:Male
  • Location:Virginia, USA
  • Local time:01:24 AM

Posted 16 December 2016 - 06:21 AM

Topic title changed to reflect V8Locker.



#8 Amigo-A

Amigo-A

  • Members
  • 220 posts
  • OFFLINE
  • Gender:Male
  • Location:3st station from Sun
  • Local time:11:24 AM

Posted 21 December 2016 - 02:31 AM

V8Locker Ransomware 

Description / descripción / Описание / Beschreibung / descrição / 描述

If anyone has something to add, please let me know.


Need info about Crypto-Ransomware? A huge safe base here!

Digest about Crypto-Ransomwares (In Russian) + Google Translate Technology

Anti-Ransomware Project  (In Russian) + Google Translate Technology and links


#9 NatHolder

NatHolder

  • Members
  • 3 posts
  • OFFLINE
  • Local time:11:24 PM

Posted 13 March 2017 - 07:36 PM

The ransom note posted by @phildowns is identical to the one I got (except for the email address), and the file rename pattern is very similar to mine as well. I'm wondering if it's the same ransomware, except for the email address.

https://www.bleepingcomputer.com/forums/t/641775/unidentified-crypto-virus-voxcoxvox900-with-ramsom-note-readmecrypttxt/

 

What we're trying to determine is if the malware transfers any files off site, or if it just does an in-place encryption.  We don't need to recover the files, but we do need to make sure that sensitive information didn't escape.





