CryptON Ransomware Support & Help Topic (<id-number>_x3m, _locked, _r9oj)


414 replies to this topic

#16 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 49,725 posts
  • Gender: Male
  • Location: Virginia, USA

Posted 30 December 2016 - 05:57 PM

There is nothing new to report yet. We need the malware itself to analyze.
Microsoft MVP Consumer Security 2007-2015
Microsoft MVP Reconnect 2016
Windows Insider MVP 2017
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click here.


#17 Rastien

  • Members
  • 5 posts

Posted 03 January 2017 - 06:36 AM

> We discovered the same files on our server, removed the infection and rolled back. Unfortunately we're in need of a singular file with no back-up, always the way .___. but eagerly watching this thread for any progress. I have a copy of the file in question and the ransom note if this helps in any way.

> Do you have the infection in quarantine or any logs from the removal? We need the malware itself to analyze.

Sadly not yet. We found what we believe to be the root machine, but our virus scanner (Sophos) hasn't picked up any virus on the desktop even though it's the only machine with locally locked files we've discovered. Will happily provide this as and when we manage to find it and pin it down; for the time being we have quarantined this machine from our network.



#18 quietman7

Posted 03 January 2017 - 07:13 AM

Most crypto malware ransomware is typically programmed to automatically remove itself (the malicious files responsible for the infection) after the encryption is done, since they are no longer needed. That explains why many security scanners do not find anything after the fact.

#19 Rastien

Posted 03 January 2017 - 10:04 AM

> Most crypto malware ransomware is typically programmed to automatically remove itself (the malicious files responsible for the infection) after the encryption is done, since they are no longer needed. That explains why many security scanners do not find anything after the fact.

Ahh, I see. That's kind of ingenious, in a malicious and problematic way of course.



#20 quietman7

Posted 03 January 2017 - 12:37 PM

Cyber-criminals are very innovative...they are always developing creative and more sophisticated techniques.

#21 henleu

  • Members
  • 2 posts

Posted 09 January 2017 - 03:36 AM

We are looking for more information about this ransomware, but it seems rather new and there is not much information on the web.

Apart from encrypting your files, does it do any other harm to your computer? E.g. steal your files and upload them somewhere?

Is it safe to salvage what's left unencrypted from the infected computer? Would those files be contaminated and infect other computers?


Edited by henleu, 09 January 2017 - 04:18 AM.


#22 Rastien

Posted 09 January 2017 - 08:09 AM

> We are looking for more information about this ransomware, but it seems rather new and there is not much information on the web.
>
> Apart from encrypting your files, does it do any other harm to your computer? E.g. steal your files and upload them somewhere?
>
> Is it safe to salvage what's left unencrypted from the infected computer? Would those files be contaminated and infect other computers?

As far as I know we haven't had our files uploaded anywhere. We think we're suffering from an RDP exploit, which we've got a 3rd party investigating, and once inside the attacker seems to be able to create their own accounts and elevate them; again this is under investigation, but aside from the locked files and HTML ransom note we haven't found anything.

Although we have now upgraded to Sophos anti-ransomware... it feels a little ironic paying Sophos a ton more cash to protect ourselves against ransomware. It feels a bit like paying the ransom, but to a different organ grinder.



#23 quietman7

Posted 09 January 2017 - 08:16 AM

> We are looking for more information about this ransomware, but it seems rather new and there is not much information on the web...

First report to our site was on December 28, 2016, and Demonslay335 said it was new. Most hits in Google go to bogus malware removal sites, so be careful what you read.

#24 quietman7

Posted 09 January 2017 - 08:18 AM

> ...we think we're suffering from an RDP exploit...

RDP is a very common vector for servers, especially by those involved with the development and spread of ransomware.
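The chain Rastien describes above (an RDP foothold, then the intruder creating accounts and elevating them) is something a defender can look for in the Windows Security log. The Python below is an added example, not code from this thread or from any tool mentioned in it; the event records are constructed (the real events 4625/4624 RemoteInteractive logons, 4720 account created, 4732 member added to a local group carry many more fields), and the failure threshold and field names are assumptions.

```python
"""Flag the RDP intrusion pattern from the thread over constructed Windows
Security event records: a burst of failed RDP logons (4625, LogonType 10)
from one source, a success (4624) from that source, then a new account (4720)
and its addition to Administrators (4732) by the account that just logged in."""
from collections import defaultdict

# Constructed sample events, not real logs. 'user' is the acting account,
# 'target' the account being created or added. RFC 5737 test address.
EVENTS = [
    {"t": 1, "id": 4625, "logon_type": 10, "ip": "203.0.113.7", "user": "admin"},
    {"t": 2, "id": 4625, "logon_type": 10, "ip": "203.0.113.7", "user": "administrator"},
    {"t": 3, "id": 4625, "logon_type": 10, "ip": "203.0.113.7", "user": "backup"},
    {"t": 4, "id": 4625, "logon_type": 10, "ip": "203.0.113.7", "user": "sqlsvc"},
    {"t": 5, "id": 4625, "logon_type": 10, "ip": "203.0.113.7", "user": "sqlsvc"},
    {"t": 6, "id": 4624, "logon_type": 10, "ip": "203.0.113.7", "user": "sqlsvc"},
    {"t": 7, "id": 4720, "user": "sqlsvc", "target": "svc_update"},
    {"t": 8, "id": 4732, "user": "sqlsvc", "target": "svc_update", "group": "Administrators"},
    {"t": 9, "id": 4624, "logon_type": 2, "ip": "-", "user": "alice"},  # benign console logon
]

FAIL_THRESHOLD = 5  # assumed: failed RDP logons from one source before alerting


def detect(events, threshold=FAIL_THRESHOLD):
    """Return alert strings in event order; empty list means nothing suspicious."""
    fails = defaultdict(int)   # source ip -> count of failed RDP logons
    suspect = set()            # accounts that logged in over RDP after a burst
    alerts = []
    for e in events:
        if e["id"] == 4625 and e.get("logon_type") == 10:
            fails[e["ip"]] += 1
            if fails[e["ip"]] == threshold:
                alerts.append(f"{e['ip']}: {threshold} failed RDP logons (possible brute force)")
        elif e["id"] == 4624 and e.get("logon_type") == 10 and fails[e["ip"]] >= threshold:
            suspect.add(e["user"])
            alerts.append(f"{e['ip']}: RDP logon as {e['user']} after failed burst")
        elif e["id"] == 4720 and e["user"] in suspect:
            alerts.append(f"{e['user']} created account {e['target']}")
        elif e["id"] == 4732 and e["user"] in suspect and e.get("group") == "Administrators":
            alerts.append(f"{e['user']} added {e['target']} to Administrators")
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```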

#25 henleu

Posted 09 January 2017 - 09:36 PM

> We are looking for more information about this ransomware, but it seems rather new and there is not much information on the web.
>
> Apart from encrypting your files, does it do any other harm to your computer? E.g. steal your files and upload them somewhere?
>
> Is it safe to salvage what's left unencrypted from the infected computer? Would those files be contaminated and infect other computers?

> As far as I know we haven't had our files uploaded anywhere. We think we're suffering from an RDP exploit, which we've got a 3rd party investigating, and once inside the attacker seems to be able to create their own accounts and elevate them; again this is under investigation, but aside from the locked files and HTML ransom note we haven't found anything.
>
> Although we have now upgraded to Sophos anti-ransomware... it feels a little ironic paying Sophos a ton more cash to protect ourselves against ransomware. It feels a bit like paying the ransom, but to a different organ grinder.

> First report to our site was on December 28, 2016, and Demonslay335 said it was new. Most hits in Google go to bogus malware removal sites, so be careful what you read.

Thanks for the update and reminder. We will keep searching for more information about it.



#26 geoffb_au

  • Members
  • 1 post

Posted 24 January 2017 - 12:13 AM

Hi, I'm in the unfortunate position of having been attacked by something that looks like this malware. However, I've also been able to recover some files using the shadow volume copy service, and have a copy of an encrypted file and the matching unencrypted file. Is this of any use to any researchers in determining a recovery option? I'm willing to provide both files if it helps.



#27 NemesisRansomware

  • Members
  • 10 posts

Posted 26 January 2017 - 05:12 AM

> Hi, I'm in the unfortunate position of having been attacked by something that looks like this malware. However, I've also been able to recover some files using the shadow volume copy service, and have a copy of an encrypted file and the matching unencrypted file. Is this of any use to any researchers in determining a recovery option? I'm willing to provide both files if it helps.

No. Using a decryptor created on the "side" is not possible :thumbup2:

Our team has taken care of that.



#28 quietman7

Posted 26 January 2017 - 05:42 AM

> Hi, I'm in the unfortunate position of having been attacked by something that looks like this malware. However, I've also been able to recover some files using the shadow volume copy service, and have a copy of an encrypted file and the matching unencrypted file. Is this of any use to any researchers in determining a recovery option? I'm willing to provide both files if it helps.

Did you submit any samples of encrypted files and ransom notes to ID Ransomware for assistance with identification and confirmation?

#29 gmaniakbg

  • Members
  • 9 posts

Posted 25 February 2017 - 03:48 PM

I have the executable of this piece of bleep. Please let me know if anyone needs it for analysis.



#30 xXToffeeXx

    Bleepin' Polar Bear

  • Malware Response Instructor
  • 6,015 posts
  • Gender: Female
  • Location: The Arctic Circle

Posted 25 February 2017 - 03:52 PM

> I have the executable of this piece of bleep. Please let me know if anyone needs it for analysis.

Please upload it to virustotal.com and copy the results URL, or you can upload it here too.


~If I am helping you and you have not had a reply from me in two days, please send me a PM~

~Currently in my last year of school, so replies might be more delayed~

ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic] - If we have helped you out and you want to support what we do, you can do so here

~Twitter~ | ~Malware Analyst at Emsisoft~
