
AES-NI Ransomware (.aes256, .aes_ni, !!Read This_Important!!.txt) Support Topic


227 replies to this topic

#16 Retsiem

Retsiem

  • Members
  • 17 posts
  • OFFLINE
  • Local time:05:47 AM

Posted 19 December 2016 - 07:00 PM

Unknown vector of infection so far. The machine that was infected is an RDP Windows 2012 r2 Server. I am running scans with multiple tools to try to get any hits. Nothing so far. I will gladly submit any files that are found.




#17 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 50,096 posts
  • ONLINE
  • Gender:Male
  • Location:Virginia, USA
  • Local time:08:47 AM

Posted 19 December 2016 - 07:04 PM

Remote Desktop Protocol (RDP) brute-force attacks are on the rise, especially among those involved in the development and spread of ransomware.
Microsoft MVP Consumer Security 2007-2015
Microsoft MVP Reconnect 2016
Windows Insider MVP 2017
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click here.

#18 Retsiem

Retsiem

  • Members
  • 17 posts
  • OFFLINE
  • Local time:05:47 AM

Posted 19 December 2016 - 07:21 PM

Files have been submitted. It looks like it may have been caused by a user.



#19 Retsiem

Retsiem

  • Members
  • 17 posts
  • OFFLINE
  • Local time:05:47 AM

Posted 20 December 2016 - 03:33 PM

Any advice on what to look for or where to look is appreciated. I guess the stuff I uploaded was nothing.

 

I created an email account to email the person to see what they wanted to unlock the files. 10 Bitcoin was the answer.



#20 CrazyGio

CrazyGio

  • Members
  • 9 posts
  • OFFLINE
  • Local time:09:47 AM

Posted 20 December 2016 - 04:16 PM

This is getting ridiculous. I was at the point where I was going to pay, but it's even more of a hassle to set up a Bitcoin account and purchase a big amount. I tried to purchase Bitcoin with a credit card, and there was a $100 limit. The Bitcoin sites want social security numbers, bank account authentication, and ID to raise the limit.



#21 Retsiem

Retsiem

  • Members
  • 17 posts
  • OFFLINE
  • Local time:05:47 AM

Posted 20 December 2016 - 04:46 PM

Wow, that sucks. I was almost at that point also... does anyone know if they will really unlock the files if you pay?

#22 CrazyGio

CrazyGio

  • Members
  • 9 posts
  • OFFLINE
  • Local time:09:47 AM

Posted 20 December 2016 - 05:03 PM

I had asked in the email for a guarantee that the decryption would work; they said to send them 3 small files and that they would decrypt them. I have yet to do that, though.



#23 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 50,096 posts
  • ONLINE
  • Gender:Male
  • Location:Virginia, USA
  • Local time:08:47 AM

Posted 20 December 2016 - 05:13 PM

Most security experts will advise against paying the ransom demands of the malware writers because doing so only helps to finance their criminal enterprise and keep them in business. One of the reasons that folks get infected is because someone before them paid the bad guys to decrypt their data. The more people that pay the ransom, the more cyber-criminals are encouraged to keep creating ransomware for financial gain. Further, there is no guarantee that paying the ransom will actually result in the restoration (decryption) of your files.

Some ransomware victims have reported they paid the ransom and were successful in decrypting their data. Other victims reported they paid the ransom but the cyber-criminals did not provide a decryptor or a key to decrypt the files, while others reported the key and decryption software they received did not work or resulted in errors. Still others have reported paying the ransom only to discover the criminals wanted more money. Most cyber-criminals provide instructions in the ransom note that allow their victims to submit one or two limited size files for free decryption as proof they can decrypt the files. However, decryption in bulk may not always work properly or work at all.

There is never a guarantee that the decrypter provided by the cyber-criminals will work as they claim and using a faulty or incorrect decryptor may damage or corrupt the files. Keep all this in mind if you are considering paying the ransom since there is no guarantee decryption will be successful. In some cases victims may actually be dealing with scam ransomware where the malware writers have no intention or capability of decrypting files after the ransom is paid.

#24 Retsiem

Retsiem

  • Members
  • 17 posts
  • OFFLINE
  • Local time:05:47 AM

Posted 20 December 2016 - 06:25 PM

No, I have not sent any files to him yet.

#25 Retsiem

Retsiem

  • Members
  • 17 posts
  • OFFLINE
  • Local time:05:47 AM

Posted 20 December 2016 - 06:36 PM

I was able to recover the majority of the files from backup; however, one of the servers that had a share on it had corrupt backups.

#26 Amigo-A

Amigo-A

  • Members
  • 249 posts
  • OFFLINE
  • Gender:Male
  • Location:3st station from Sun
  • Local time:06:47 PM

Posted 21 December 2016 - 02:33 AM

AES-NI Ransomware

Description / descripción / Описание / Beschreibung / descrição / 描述
If anyone has something to add, please let me know.

Need info about Crypto-Ransomware? A huge safe base here!

Digest about Crypto-Ransomwares (In Russian) + Google Translate Technology

Anti-Ransomware Project  (In Russian) + Google Translate Technology and links


#27 CrazyGio

CrazyGio

  • Members
  • 9 posts
  • OFFLINE
  • Local time:09:47 AM

Posted 21 December 2016 - 02:39 AM

It got to my backups too. So I have no good backups.

#28 Retsiem

Retsiem

  • Members
  • 17 posts
  • OFFLINE
  • Local time:05:47 AM

Posted 21 December 2016 - 02:43 PM

So I sent a file to see if he could decrypt it. I did get a decrypted file back.



#29 CrazyGio

CrazyGio

  • Members
  • 9 posts
  • OFFLINE
  • Local time:09:47 AM

Posted 21 December 2016 - 03:05 PM

Through where?

#30 Retsiem

Retsiem

  • Members
  • 17 posts
  • OFFLINE
  • Local time:05:47 AM

Posted 21 December 2016 - 04:00 PM

I started an email dialogue with him. The files were sent back and forth via sendspace. I wanted to see if he was even capable of decrypting them.





