

CryptON Ransomware Support & Help Topic (<id-number>_x3m, _locked, _r9oj)


297 replies to this topic

#1 fatsausage

fatsausage

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:04:57 PM

Posted 28 December 2016 - 01:09 AM

A computer of my friend got infected; ID Ransomware was unable to identify the encryption.
Reference: SHA1: fac0ce43cc06ff2684fe97d7500c5d51ab82d015

The ransom note content is shown below.

Files have been renamed with the id-xxxxxxxxx_locked extension.

[screenshot of ransom note]


#2 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 48,768 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:04:57 AM

Posted 28 December 2016 - 07:26 AM


CryptoShocker, Stampado, Philadelphia, BankAccountSummary, RAA-SEP, Uyari, PokemonGo, Russian EDA2, JobCrypter, Zyklon Locker (GNL), ApocalypseVM, KimcilWare Ransomware and LOCKED Ransomware all append the .locked extension to the end of the affected filename. Stampado does not leave any ransom notes. This one may be something new.

Samples of any encrypted files, ransom notes or suspicious executables (installer, malicious files, attachments) that you suspect were involved in causing the infection can be submitted here (https://www.bleepingcomputer.com/submit-malware.php?channel=168) with a link to this topic. There is a "Link to topic where this file was requested" box under the Browse... button. Doing that will be helpful with analyzing and investigating by our crypto malware experts.
Microsoft MVP Consumer Security 2007-2015
Microsoft MVP Reconnect 2016
Windows Insider MVP 2017
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click here.

#3 Demonslay335

Demonslay335

    Ransomware Hunter


  • Security Colleague
  • 2,995 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:03:57 AM

Posted 28 December 2016 - 09:14 AM

Definitely something new, we were looking into submissions on ID Ransomware that also used the extension "_x3m". The ransom note was incorrectly being picked up as CryptoTorLocker (really old ransomware), so it was missing our radar for a while. There are also submissions with "_r9oj" I'm seeing.

 

Here are examples of filenames.

picture.png.id-2800447857_x3m
picture.png.id-2890117789_r9oj
picture.png.id-2109892288_locked

Here are the contents of the ransom note.

ALL YOUR IMPORTANT FILES ARE ENCRYPTED

Your documents, photos, databases and other important files have been encrypted! To decrypt your files you need to buy the special software – «x3m decryptor»
To obtain decryptor, please, contact me by email: deyscriptors1@india.com


Your personal identification ID: id-<redacted>

We will need the malware to analyze if you can find it. Do you know how you were infected? Email attachment, bad download, RDP hack? If you can find the malware, and some samples of encrypted files with their clean pairs (to compare before/after encryption, preferably PNGs), please upload them to the link quietman7 provided.

 

I have temporarily dubbed this one "X3M" and made a rule to point victims to this topic.


Edited by Demonslay335, 28 December 2016 - 10:53 AM.

ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.
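The post above describes a naming scheme (`<name>.id-<digits>_x3m`, `_r9oj` or `_locked`) and a ransom note that was initially misidentified as CryptoTorLocker, and mentions that a rule was written to route victims to this topic. As an added example, not code from the thread or from the ID Ransomware service, here is what such an identification rule looks like in Python: it parses the filename scheme, requires all distinctive phrases of the quoted note rather than only its generic first line, and summarises a submission. The sample filenames and note are constructed from the text quoted in the thread; accepting any run of digits in the ID and treating the three suffixes as the complete set are assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Filename pattern from the thread: <original name>.id-<digits>_<x3m|r9oj|locked>.
# Every sample posted has a 10-digit ID; the regex accepts any run of digits so a
# differently sized ID still matches (assumption). The three suffixes are assumed
# to be the only ones in circulation.
FILENAME_RE = re.compile(
    r"^(?P<original>.+)\.id-(?P<victim_id>\d+)_(?P<suffix>x3m|r9oj|locked)$",
    re.IGNORECASE,
)

# Markers taken verbatim from the ransom note quoted in the thread. The generic
# first line alone also appears in other families (hence the CryptoTorLocker
# false positive mentioned above), so every marker must be present.
NOTE_MARKERS = (
    "ALL YOUR IMPORTANT FILES ARE ENCRYPTED",
    "x3m decryptor",
    "Your personal identification ID: id-",
)


@dataclass(frozen=True)
class EncryptedName:
    original_name: str
    victim_id: str
    suffix: str


def match_filename(name: str) -> Optional[EncryptedName]:
    """Parse `name` if it follows the X3M scheme, else return None.
    A bare `.locked` (Stampado, LOCKED, ...) does not match: the `.id-<digits>_`
    infix is what distinguishes this family from the others listed in post #2."""
    m = FILENAME_RE.match(name)
    if m is None:
        return None
    return EncryptedName(m["original"], m["victim_id"], m["suffix"].lower())


def match_ransom_note(text: str) -> bool:
    """True only if every distinctive marker of the quoted note is present."""
    return all(marker in text for marker in NOTE_MARKERS)


def triage(filenames: List[str], note_text: str) -> dict:
    """Summarise a victim's submission the way an identification rule would:
    note verdict, matched file count, victim IDs and suffixes seen, leftovers."""
    hits = [h for h in map(match_filename, filenames) if h is not None]
    return {
        "note_matches": match_ransom_note(note_text),
        "matched_files": len(hits),
        "victim_ids": sorted({h.victim_id for h in hits}),
        "suffixes": sorted({h.suffix for h in hits}),
        "unmatched": [n for n in filenames if match_filename(n) is None],
    }


# Constructed sample input: the filenames quoted in the thread plus two that
# must NOT match (a generic .locked file and an untouched file).
SAMPLE_FILENAMES = [
    "picture.png.id-2800447857_x3m",
    "picture.png.id-2890117789_r9oj",
    "Lighthouse.jpg.id-2109892288_locked",
    "report.docx.locked",
    "notes.txt",
]

# Constructed from the note quoted in the thread; the ID value is made up.
SAMPLE_NOTE = """ALL YOUR IMPORTANT FILES ARE ENCRYPTED

Your documents, photos, databases and other important files have been encrypted! To decrypt your files you need to buy the special software - «x3m decryptor»
To obtain decryptor, please, contact me by email: deyscriptors1@india.com

Your personal identification ID: id-2800447857
"""

if __name__ == "__main__":
    print(triage(SAMPLE_FILENAMES, SAMPLE_NOTE))
```

Requiring the `x3m decryptor` phrase is what separates this note from the older families that open with the same capitalised first line; matching on the filename infix rather than the bare `.locked` suffix does the same job for the files.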


#4 diegorssouza

diegorssouza

  • Members
  • 11 posts
  • OFFLINE
  •  

Posted 28 December 2016 - 01:54 PM

Quoting Demonslay335 (post #3 above).

I got my entire server encrypted by this new ransomware. I searched %temp%, %appdata% and Program Files and didn't find the ransomware.



#5 xXToffeeXx

xXToffeeXx

    Bleepin' Polar Bear


  • Malware Response Instructor
  • 5,977 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:The Arctic Circle
  • Local time:09:57 AM

Posted 28 December 2016 - 03:28 PM

Can you upload an encrypted .png file here? Has to be *filename*.png.id-2800447857_*extension*

 

Original and encrypted file pair would be helpful too (can be zipped).

 

xXToffeeXx~


~If I am helping you and you have not had a reply from me in two days, please send me a PM~

~Currently in my last year of school, so replies might be more delayed~

 

ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic] - If we have helped you out and you want to support what we do, you can do so here

 

 ~Twitter~ | ~Malware Analyst at Emsisoft~
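The request above for an encrypted PNG together with its original is the standard starting point for ransomware analysis: a known-plaintext pair shows how much the encryptor appended, whether any region was left in the clear, and whether the same keystream was applied to more than one file. As an added example, not code from the thread or from Emsisoft, here is a Python triage script that reads those facts off one or more pairs. The sample data is constructed: two PNG-shaped buffers and a toy repeating-key XOR "encryptor" with an appended footer, chosen only to exercise the checks. The thread does not describe CryptON's actual cipher, and nothing here should be read as describing it.

```python
import math
import random
from collections import Counter
from typing import Dict, List, Tuple

PNG_MAGIC = bytes.fromhex("89504e470d0a1a0a")  # every PNG starts with these 8 bytes


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for properly encrypted (or compressed) data,
    noticeably lower when plaintext structure leaks through."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def longest_identical_run(a: bytes, b: bytes) -> int:
    """Longest run of aligned positions where both buffers agree. A long run
    means a region of the file was left unencrypted (partial encryption)."""
    best = cur = 0
    for x, y in zip(a, b):
        cur = cur + 1 if x == y else 0
        best = max(best, cur)
    return best


def xor_prefix(plain: bytes, enc: bytes, length: int = 16) -> bytes:
    """plaintext XOR ciphertext over the first `length` bytes. For a stream
    cipher this is the keystream; the same value across different files means
    keystream reuse, which is the kind of flaw a free decryptor can exploit."""
    return bytes(p ^ c for p, c in zip(plain[:length], enc[:length]))


def compare_pair(plain: bytes, enc: bytes) -> Dict[str, object]:
    """Facts an analyst reads off one original/encrypted pair."""
    return {
        "size_delta": len(enc) - len(plain),        # appended footer/header (key blob, marker)?
        "png_header_intact": enc[:8] == PNG_MAGIC,   # did the encryptor skip the header?
        "entropy_plain": round(shannon_entropy(plain), 2),
        "entropy_enc": round(shannon_entropy(enc), 2),
        "longest_identical_run": longest_identical_run(plain, enc),
        "xor_prefix": xor_prefix(plain, enc).hex(),
    }


def keystream_reused(pairs: List[Tuple[bytes, bytes]]) -> bool:
    """True when two or more pairs yield the same plaintext^ciphertext prefix."""
    return len(pairs) > 1 and len({xor_prefix(p, e) for p, e in pairs}) == 1


# --- Constructed sample data: NOT real CryptON output -------------------------
# Two PNG-shaped plaintexts (magic + deterministic pseudo-random body) and a toy
# repeating-key XOR "encryptor" that appends a 32-byte footer. This exists only
# to exercise the checks above; the thread does not describe CryptON's cipher.
_TOY_KEY = bytes.fromhex("3a7f1c9e5b02d4e68f13a7c95d0e2b64")
_TOY_FOOTER = b"\x00" * 32


def _toy_encrypt(plain: bytes) -> bytes:
    body = bytes(b ^ _TOY_KEY[i % len(_TOY_KEY)] for i, b in enumerate(plain))
    return body + _TOY_FOOTER


def _fake_png(seed: int, body_len: int = 1024) -> bytes:
    rng = random.Random(seed)
    return PNG_MAGIC + bytes(rng.getrandbits(8) for _ in range(body_len))


SAMPLE_PAIRS: List[Tuple[bytes, bytes]] = [
    (p, _toy_encrypt(p)) for p in (_fake_png(1), _fake_png(2))
]

if __name__ == "__main__":
    for plain, enc in SAMPLE_PAIRS:
        print(compare_pair(plain, enc))
    print("keystream reused across pairs:", keystream_reused(SAMPLE_PAIRS))
```

On the toy data the script reports a 32-byte size delta, an overwritten PNG header, no surviving plaintext run, and an identical `xor_prefix` for both pairs, which is exactly the keystream-reuse signal that makes a second pair worth uploading. PNGs are preferred for this because their fixed 8-byte magic gives known plaintext even when the original is not available.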


#6 fatsausage

fatsausage
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:04:57 PM

Posted 28 December 2016 - 11:54 PM

It's probably infected through RDP because it happened right after he opened the port for RDP on his router



#7 fatsausage

fatsausage
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:04:57 PM

Posted 29 December 2016 - 12:03 AM

I've just uploaded the file "Lighthouse.jpg.id-xxxxxxxxx_locked" and linked to this topic, please check.

 

Anyway, my friend has a data backup from a week ago and we are going to reinstall the whole machine tomorrow.

 

I'd like to know the best way to prevent ransomware infection?



#8 Amigo-A

Amigo-A

  • Members
  • 172 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:3st station from Sun
  • Local time:01:57 PM

Posted 29 December 2016 - 02:47 AM

fatsausage

On server computers - a modern server data protection.
On client computers - a modern endpoint protection.
On home computers - a modern Internet Security.
Backup method 1-2-3.
Staff training, and prohibit opening attachments from unknown senders or without checking!!!

Need info? Find it here!

Digest about Crypto-Ransomwares (In Russian) + Google Translate Technology

Anti-Ransomware Project  (In Russian) + Google Translate Technology and links


#9 Rastien

Rastien

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:08:57 AM

Posted 29 December 2016 - 05:40 AM

We discovered the same files on our server, removed the infection and rolled back. Unfortunately we're in need of a singular file with no backup, always the way .___. but eagerly watching this thread for any progress. I have a copy of the file in question and the ransom note if this helps in any way.



#10 diegorssouza

diegorssouza

  • Members
  • 11 posts
  • OFFLINE
  •  

Posted 29 December 2016 - 06:27 AM

Quote from fatsausage: It's probably infected through RDP because it happened right after he opened the port for RDP on his router

I've found a putty.exe on my server... RDP, I think so.



#11 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 48,768 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:04:57 AM

Posted 29 December 2016 - 06:32 AM



#12 diegorssouza

diegorssouza

  • Members
  • 11 posts
  • OFFLINE
  •  

Posted 29 December 2016 - 09:00 AM

Quoting xXToffeeXx (post #5 above).

 

Already sent the files "cyclone.png"



#13 Demonslay335

Demonslay335

    Ransomware Hunter


  • Security Colleague
  • 2,995 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:03:57 AM

Posted 29 December 2016 - 09:03 AM

Quoting Rastien (post #9 above).

 

Do you have the infection in quarantine or any logs from the removal? We need the malware itself to analyze.




#14 diegorssouza

diegorssouza

  • Members
  • 11 posts
  • OFFLINE
  •  

Posted 29 December 2016 - 01:23 PM

[screenshot]

Found this in my server today.

[screenshot]


Edited by diegorssouza, 29 December 2016 - 01:23 PM.


#15 ejinformatica

ejinformatica

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:09:57 AM

Posted 30 December 2016 - 02:49 PM

Any news?





