Ransomer's program did not provide a correct SEND TO address.


This topic is locked
5 replies to this topic

#1 tunare
Posted 16 December 2016 - 05:46 PM

Hello.

I have helped out a large handful of people with ransomware by now. 

Last night, someone contacted me asking for assistance with a program that I haven't seen before. 
He does not know how he got infected, he just says he went to open an Excel file to update it and the program went to town encrypting his files and a screen popped up. 
Here were the instructions:

http://imgur.com/a/8Al7h

Please see step #3

We're stuck here because this is not a valid bitcoin address. It seems as if the program was coded poorly and I am afraid that we will not be able to recover the files before the timer expires.

I'm trying to help this gentleman over the phone, but he seems to be extremely computer illiterate, making it difficult for me to make inquiries as to what happened. 

This is the most definitive explanation that I got: 

The decrypt icon is the letter I sent you the instructions. The other 2 icon created a min later n.jpg file type crypted file size 16.3 KB I couldn't open and SWSC.pdf type crypted file size 166KB. Didn't know if I should try to open this file.

Digital security is not my profession, but I suggested that because his files are already encrypted, he opens the PDF file in hopes that it generates a correct bitcoin address. 

Does anyone know what ransomware this might be?

Like I said, even over the phone, it's hard to probe for any more information because of his computer experience limitations.

#2 quietman7 (Global Moderator)

Posted 16 December 2016 - 06:38 PM

Have him submit samples of encrypted files and ransom notes to ID Ransomware for assistance with identification and confirmation. This is a service that helps identify what ransomware may have encrypted your files and then attempts to direct you to an appropriate support topic where you can seek further assistance. Uploading both encrypted files and ransom notes together provides a more positive match and helps to avoid false detections.

You can ignore any warnings in the ransom note that mention files will be deleted after so many days...it typically is just a scare tactic to get victims to quickly pay the ransom.

I have examined almost every ransomware that has been released since 2013 and never have I found one that actually deletes the keys when they say they do.

Grinler, Post #61

With that said, he could be dealing with Ranscam (Scam Ransomware) where the criminals never intended on providing a means to retrieve or recover the victim’s files.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#3 tunare (Topic Starter)

Posted 16 December 2016 - 06:59 PM

Thank you. I have already asked him to submit these files to the site.  I hope that he will not have too many problems doing this. 

I should point out that I have helped out over 30 people with different ransomware programs. I have yet to encounter a ransomware scam, but I know it's only a matter of time.  I help people pay the ransom and walk them through the instructions for a small consultation fee. 

From my stance, I'm here for the people that decide that yes, they absolutely NEED their data as soon as possible. They know that I am not able to return their money if the program turns out to be a ransomware scam, but in this situation, we have no BTC address to send to, so I will have zero issues refunding his money so long as he returns the BTC to an address that I own. I don't look forward to explaining how to move BTC to him.... I've already spent a working day trying to help him out and my upcharge for BTC and security consultation on a $300 ransom is pretty small. I just feel bad for this small business owner. 

I usually deal with a company IT guy or a cousin that is more inclined to computers. When making first contact with the person that got hit, it's refreshing to hear that what they describe to me or the screenshots that they send to me is a familiar ransomware program. The average team that contacts me is on their way to successfully decrypting files in less than 50 minutes (a lot of this wait is blockchain propagation time).

These new programs scare me the most...

#4 quietman7 (Global Moderator)

Posted 16 December 2016 - 07:09 PM

Many of these ransom notes say essentially the same thing so in some cases it's hard to tell what ransomware a victim has been infected by without more information. The best way to identify the different ransomwares is the ransom note itself (including its name), any obvious extensions appended to the encrypted files, samples of those encrypted files and information related to the email address used by the cyber-criminals.

#5 xXToffeeXx (Malware Response Instructor)

Posted 17 December 2016 - 07:27 AM

You're dealing with Nemucod.

A free decrypter can be found here. To use the decrypter you will require an encrypted file of at least 4096 bytes in size as well as its unencrypted version (try looking for downloaded pictures or documents, or encrypted files in programs which can be installed onto another computer to find an unencrypted version). To start the decrypter select both the encrypted and unencrypted file and drag and drop them onto the decrypter executable.

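The decrypter described in the post above needs an encrypted file together with its unencrypted original because that pair is a known-plaintext sample. The following is an added illustration, not Emsisoft's decrypter and not a claim about Nemucod's actual cipher, of why such a pair is enough to recover a repeating XOR keystream and why a minimum file size is required; the 255-byte key length and the sample files are assumptions constructed for this example.

```python
import hashlib

MIN_PAIR_BYTES = 4096   # minimum file size named in the post above
KEY_LEN = 255           # assumed keystream length, for this illustration only


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same call encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_keystream(original: bytes, encrypted: bytes, key_len: int = KEY_LEN) -> bytes:
    """Derive the keystream from a known-plaintext pair: a clean file and its encrypted copy."""
    if len(original) < MIN_PAIR_BYTES or len(encrypted) < len(original):
        raise ValueError("pair too short: need an original of at least 4096 bytes and its full encrypted copy")
    # XOR of plaintext and ciphertext cancels the data and leaves the key bytes.
    key = bytes(p ^ c for p, c in zip(original[:key_len], encrypted[:key_len]))
    # The bytes beyond key_len act as a check: if the assumed scheme or key length is wrong,
    # re-encrypting the original with the recovered key will not reproduce the ciphertext.
    if xor_with_key(original, key) != encrypted[:len(original)]:
        raise ValueError("recovered key does not reproduce the ciphertext; wrong scheme or key length")
    return key


def constructed_case():
    """Constructed sample: a fake key, a 'downloaded picture' we still have, and a second file to recover."""
    key = (hashlib.sha256(b"constructed-demo-key").digest() * 8)[:KEY_LEN]
    original = bytes((i * 7) % 256 for i in range(5000))        # stand-in for the known clean file
    victim_doc = b"Quarterly figures for the shop\n" * 200       # stand-in for a file with no clean copy
    enc_original = xor_with_key(original, key)
    enc_victim = xor_with_key(victim_doc, key)
    recovered = recover_keystream(original, enc_original)
    # Returns (key recovered correctly?, second file decrypted correctly?)
    return recovered == key, xor_with_key(enc_victim, recovered) == victim_doc


if __name__ == "__main__":
    print(constructed_case())
```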


#6 quietman7 (Global Moderator)

Posted 17 December 2016 - 08:04 AM

Since the infection has been identified by one of our experts, rather than have everyone with individual topics, it would be best (and more manageable for staff) if you posted any more questions, comments or requests for assistance in the below support topic discussion. To avoid unnecessary confusion, this topic is closed.

Thanks
The BC Staff